
I'm the system administrator of the site https://iris.quickfds.com. After installing a wildcard certificate *.quickfds.com for the site, I checked all the main browsers.

This site is considered to have no mixed content (http/https) on all the workstations of my company with IE 10 or Firefox 37.

With Chrome 42.0.2311.135 m (64-bit) or (32-bit), the site is shown either with or without mixed http/https content depending on the station. I tried a full re-installation on the stations reporting an unsecure site, with no results.

On the stations that show the site as unsecure, we have the following information: https://iris.quickfds.com/iris_chrome.png.

As Google states at https://support.google.com/chrome/answer/95617?p=ui_security_indicator&rd=1, this means:

"Your connection to the site is encrypted, but Google Chrome has detected mixed content on the page. Be careful if you're entering information on this page. Mixed content can provide a loophole for someone to manipulate the page. This content could be third-party images or ads embedded on the page."

Nevertheless, this is not the case as the first page has no mixed content.

Can you help to diagnose why some stations are having this behavior and others not?

BR Christian

PS: Sorry for the first phrasing; I was in no mood to write the question correctly at that time.

  • Chrome isn't giving a warning... – Nathan C May 06 '15 at 12:19
  • Chrome is indeed not giving any warnings here. Make sure you do not, for example, have a Chrome extension installed that somehow inserts something? (Try visiting it with extensions disabled?) – user254948 May 06 '15 at 12:27
  • I am still having the issue with my workstation with all extensions disabled. – user23921 May 11 '15 at 11:41
  • Chromium doesn't give me the yellow warning icon. But if I look at connection details I see both the `but does not have public audit records` and `encrypted with obsolete cryptography` messages. The audit records message seems harmless; even Google's own site produces that. The `obsolete cryptography` message is the critical part. It is a quite generic warning, which AFAIK covers both the certificate chain and the algorithm negotiated between client and server. – kasperd May 11 '15 at 12:50
  • I think in your case the reason for the `obsolete cryptography` message is not the certificate chain, but rather the negotiated algorithm. So you need to look at which algorithms are supported by your server. In my case Chromium connects using AES_256_CBC, SHA1, and DHE_RSA. I suspect it is SHA1 which causes the warning. – kasperd May 11 '15 at 12:55
  • @kasperd No, the obsolete cryptography is due to AES CBC in the cipher suite. It has nothing to do with the certificate chain. It also is not the cause of the OP's problem. – Steve365 May 11 '15 at 17:38
  • @Steve365 AES is not considered obsolete (as other combinations involving AES do not trigger the warning). I am aware of theoretical weaknesses in AES 256, but are those enough for AES 256 to be considered obsolete in favor of AES 128? CBC is secure as long as it is used correctly. (There are plenty of cases of weaknesses caused by incorrect use of CBC, but I am aware of no weakness related to CBC itself.) – kasperd May 12 '15 at 08:20
  • @kasperd It's not related to the key length. Chrome treats AES in CBC mode as obsolete regardless of key length. If at all possible use AES GCM, which is completely secure. If (such as on most IIS platforms) this isn't possible, then continue using AES CBC and accept that Chrome will show that warning; it's still 'secure enough'. – Steve365 May 12 '15 at 13:09
  • @Steve365 The information I found tells me that GCM and CTR perform the exact same encryption. The only difference between the two is that GCM adds authentication. But the problems I have seen with CBC all were due to incorrect use of CBC with an incorrectly generated IV. If you were to make the same mistakes with GCM and encrypt using GCM and an incorrectly generated IV, the security of GCM is much worse than CBC. – kasperd May 12 '15 at 14:56
  • @Steve365 If you compare **correct** use of GCM to **incorrect** use of CBC, that does not seem like a fair comparison at all. If you compare **incorrect** use of both algorithms, then CBC beats GCM. If you compare **correct** use of both algorithms, I am not aware of any difference in the provided confidentiality. – kasperd May 12 '15 at 14:59
  • @kasperd I'm not an expert on how these algorithms work, so I can't comment with authority on why one is more secure than the other. What I can say with certainty, due to direct experience, is that Chrome is regarding AES CBC as obsolete. – Steve365 May 12 '15 at 17:42
  • @kasperd Your comments on the cryptographic methods are interesting, but you are not addressing my question. The problem here is not with the obsolete cryptography but with mixed content, as stated in Google's help. – user23921 Jun 02 '15 at 08:45
  • @user23921 What makes you think that article applies to the exact version of Chrome you are using? The warning message you got from Chrome didn't say anything about mixed content. – kasperd Jun 02 '15 at 10:14
  • @kasperd I was giving the Chrome version number for information. Since then there has been an upgrade of the version and the problem still exists on my workstation; it's now 43.0.2357.81 m (64-bit). The warning message I get is for sure indicating mixed content. Google says so in https://support.google.com/chrome/answer/95617?p=ui_security_indicator&rd=1: the icon with a warning indicates, I quote, "Your connection to the site is encrypted, but Google Chrome has detected mixed content on the page....." – user23921 Jun 05 '15 at 08:52
  • @user23921 Ignore that link; it is outdated. Instead look at what the browser is telling you. – kasperd Jun 05 '15 at 12:04
  • @kasperd OK, I get your point. But I do not understand why, and therefore where I should look. On my station, Firefox 38.0.5 and IE11 see the site as safe but not Chrome 43.0.2357.124 m (64-bit). On another station Firefox 38.0.5 and IE11 AND Chrome 43.0.2357.124 m (64-bit) see the site as safe. So I'm back to my question: why is the site secure on some stations and not on others? – user23921 Jun 17 '15 at 12:15

1 Answer


I finally found the reason for the "unsecure communication", which has nothing to do with mixed content.

1st, the yellow warning icon was not set for connection information, but for site identity information. So the question was poorly stated.

2nd, the CA stores on some stations were using older CA chains that included certificates with SHA-1 signatures, which is "obsolete" as stated by Google:

https://support.google.com/chrome/answer/95617?p=ui_security_indicator&rd=1

"Google Chrome can see the site’s certificate, but the site uses a weak security setup (SHA-1 signatures), so your connection might not be private.

Proceed with caution. These are common mistakes in websites' configurations, but that doesn't guarantee that your connection is secure."

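The answer above traces the "site identity" warning to a stale CA chain containing SHA-1 signatures on some workstations. As an added example (not part of the original post, nor a tool mentioned on this page), the following stand-alone Python script walks the DER structure of each certificate in a PEM bundle, reads the outer `signatureAlgorithm` OID, and flags SHA-1 based signatures. It uses only the standard library. The certificates it ships with are constructed, structurally valid stand-ins with a zeroed signature, not real certificates, and the function names (`audit_chain`, `fake_certificate`, etc.) are my own.

```python
import base64
import re
import sys

# Signature-algorithm OIDs that are SHA-1 based; these are what Chrome's
# "weak security setup (SHA-1 signatures)" notice refers to.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
KNOWN_SIGNATURE_OIDS = {
    **SHA1_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(data, offset=0):
    """Decode one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length

def decode_oid(body):
    """Convert raw OBJECT IDENTIFIER content bytes to dotted notation."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:                     # base-128 arcs with a continuation bit
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the OID inside the outer signatureAlgorithm AlgorithmIdentifier."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert)       # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, after_tbs)
    tag2, oid_body, _ = read_tlv(alg_id)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return decode_oid(oid_body)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Extract every certificate in a PEM bundle as DER bytes, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def audit_chain(der_certs):
    """One (index, oid, name, is_sha1) tuple per certificate, in chain order."""
    report = []
    for i, der in enumerate(der_certs):
        oid = signature_algorithm_oid(der)
        report.append((i, oid, KNOWN_SIGNATURE_OIDS.get(oid, "unknown"), oid in SHA1_SIGNATURE_OIDS))
    return report

# --- constructed sample chain (hypothetical, not real certificates) ---------
def _tlv(tag, body):
    """Tiny DER encoder used only to build the sample below."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def fake_certificate(sig_oid):
    """Structurally valid Certificate whose outer signatureAlgorithm is sig_oid.
    tbsCertificate holds only a serial number and the signature value is zeros."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _encode_oid(sig_oid) + _tlv(0x05, b""))   # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 17)                             # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)

SAMPLE_PEM = "".join(der_to_pem(fake_certificate(oid)) for oid in (
    "1.2.840.113549.1.1.11",   # leaf signed with SHA-256
    "1.2.840.113549.1.1.5",    # stale intermediate signed with SHA-1: what Chrome flags
    "1.2.840.113549.1.1.5",    # root self-signature (not verified by the browser)
))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for idx, oid, name, weak in audit_chain(pem_to_der_list(text)):
        print(f"cert[{idx}] {name} ({oid}) {'<-- SHA-1 signature' if weak else 'ok'}")
```

Run it with the path to a PEM bundle (for example a chain exported from the browser's certificate viewer on a station that shows the warning, and the same chain from a station that does not), or with no argument to run on the constructed sample. Comparing the two reports shows exactly which intermediate differs. A SHA-1 self-signature on the root itself is not what the browser objects to, since the root's signature is never verified; a SHA-1 signature on the leaf or on any intermediate is.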