Google’s Chrome is a useful tool to have around, but the security features have gotten out of hand and make it increasingly useless for real work without actually improving security.
After a brief rant about SSL, there’s a quick solution at the bottom of this post.
Chrome’s Idiotic SSL Handling Model
I don’t like Chrome nearly as much as Firefox, but it does do some things better (I have a persistent annoyance with pfSense certificates that cause slow loading of the pfSense management page in FF, for example). Lately I’ve found that the Google+ script seems to kill Firefox, so I use Chrome for logged-in Google activities.
But Chrome’s handling of certificates is abhorrent. I’ve never seen anything so resolutely destructive to security and utility. It is the most ill-considered, poorly implemented, counter-productive failure in UI design and security policy I’ve ever encountered. It is hateful and obscene. A disaster. An abomination. The ill-conceived excrement of ignorant twits. I’d be happy to share my unrestrained feelings privately.
I’ve discussed the problem before, but the basic issues are that:
- The certificate authority is NOT INVALID, Chrome just doesn’t recognize it because it is self-signed. There is a difference, dimwits.
- This is a private network (10.x.x.x or 192.168.x.x) and if you pulled your head out for a second and thought about it, white-listing private networks is obvious. Why on earth would anyone pay the cert mafia for a private cert? Every web-interfaced appliance in existence automatically generates a self-signed cert, and Chrome flags every one of them as a security risk INCORRECTLY.
- A “valid” certificate merely means that one of the zillions of cert mafia organizations ripping people off by pretending to offer security has “verified” the “ownership” of a site before taking their money and issuing a certificate that placates browsers
- Or a compromised certificate is being used.
- Or a law enforcement certificate is being used.
- Or the site has been hacked by criminals or some country’s law enforcement.
A “valid” certificate doesn’t mean nothing at all, but close to it.
So one might think it is harmless security theater, like a TSA checkpoint: it does no real harm and may have some deterrent value. It is a necessary fiction to ensure people feel safe doing commerce on the internet. If a few percent of people are reassured by firm warnings and are thus seduced into consummating their shopping carts, improving ad traffic quality and thus ensuring Google’s ad revenue continues to flow, ensuring their servers continue sucking up our data, what’s the harm?
The harm is that it makes it hard to secure a website. SSL does two things: it pretends to verify that the website you connect to is the one you intended to connect to (but it does not do this) and it does actually serve to encrypt data between the browser and the server, making eavesdropping very difficult. The latter useful function does not require verifying who owns the server, which can only be done with a web of trust model like Perspectives or with centralized, authoritarian certificate management.
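The distinction drawn above, between a certificate whose issuer is merely unrecognized (self-signed) and one that is actually wrong (expired, or issued for a different host), is easy to make mechanically. The following is an added example, not code from the post: it takes a certificate in the dict shape that Python’s ssl.SSLSocket.getpeercert() returns, reports every reason a browser would reject it, and implements the author’s proposed rule (self-signed as the only defect, on an RFC 1918 address) as a separate check. The sample certificate is constructed for the example and mimics a pfSense-style appliance cert.

```python
import ipaddress
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# Issuer == subject, i.e. self-signed; valid dates; names cover the LAN address.
SAMPLE_CERT = {
    "subject": ((("commonName", "pfsense.localdomain"),),),
    "issuer": ((("commonName", "pfsense.localdomain"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Dec 31 23:59:59 2035 GMT",
    "subjectAltName": (("DNS", "pfsense.localdomain"), ("IP Address", "192.168.1.1")),
}

def is_private_host(host):
    """True for private/loopback/link-local IP addresses; False for public IPs or DNS names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal, so a DNS name: never treated as private here
        return False

def _cert_names(cert):
    """All names the certificate claims: SAN DNS/IP entries plus the subject CN."""
    names = {value for kind, value in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return names

def classify_cert_failure(cert, host, now=None):
    """Return the set of reasons a browser would reject this certificate for `host`.
    'self-signed' means only that the issuer is unrecognized; the other reasons mean
    the certificate is genuinely wrong for this host or at this time."""
    now = time.time() if now is None else now
    reasons = set()
    if cert["issuer"] == cert["subject"]:
        reasons.add("self-signed")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.add("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.add("expired")
    if host not in _cert_names(cert):
        reasons.add("hostname-mismatch")
    return reasons

def only_unrecognized_issuer_on_private_net(cert, host, now=None):
    """The author's proposed whitelist rule: self-signed is the sole defect AND the host is private."""
    return classify_cert_failure(cert, host, now) == {"self-signed"} and is_private_host(host)
```

Note that the rule is the post’s proposal, not browser behaviour; the classification itself is useful on its own for telling an appliance’s self-signed cert apart from one that has expired or was copied from another host.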
How to fix Chrome:
The damage is done. Millions of websites that could be encrypted are not because idiots writing browsers have made it very difficult for users to override inane, inaccurate, misleading browser warnings. However, if you’re reading this, you can reduce the headache with a simple step (Thanks!):
Right click on the shortcut you use to launch Chrome and modify the launch command by adding the following “
Once you’ve done this, Chrome will open with a warning:
YAY. Suffer my ass.
Java? What happened to Java?
Java sucks so bad. It is the second worst abomination loosed on the internet, yet lots of systems use it for useful features, or try to. There are endless compatibility problems with JVM versions and there’s the absolutely idiotic horror of the recent security requirement that disables setting “medium” security completely no matter how hard you want to override it, which means you can’t ever update past JVM 7. Ever. Because 8 is utterly useless because they broke it completely thinking they’d protect you from man-in-the-middle attacks on your own LAN.
However, even if you have frozen with the last moderately usable version of Java, you’ll find that since Chrome 42 (yeah, the 42nd major release of Chrome. That numbering scheme is another frustratingly stupid move, but anyway, get off my lawn) Java just doesn’t run in Chrome. WTF?
Turns out Google, happy enough to push their own crappy products like Google+, won’t support Oracle’s crappy product any more. As of 42 Java is disabled by default. Apparently, after 45 it won’t ever work again. I’d be happy to see Java die, but I have a lot of infrastructure that requires Java for KVM connections, camera management, and other equipment that foolishly embraced that horrible standard. Anyhow, you can fix it until 45 comes along…
To enable Java in Chrome for a little while longer, you can follow these instructions to enable NPAPI (which enables Java). Type “chrome://flags/#enable-npapi” in the browser bar and click “
If you’re a UX designer on a mature project, you have to justify your pay somehow – design refreshes become a requirement. If tool companies had UX designers on staff, hammers would look like porcupines.
One of the most annoying features of Firefox V34 was the pop-down search menu. Nice concept, but if your mouse drifts, you end up searching on Twitter or Amazon or some other useless thing, or just calling up the idiotic “add search options” dialog. Srsly. The search bar is a nice thing, thank you, leave it be.
Fortunately, FF offers a way to undo most of the horrible changes visited on the UI and you can keep it functional and efficient by undoing the damage that treating a program like a fashion plate rather than a tool has wrought. Classic Theme Restorer is a good example.
Fixing the drop down search menu barf is easy: enter “about:config” in the URL bar and search for “browser.search.showOneOffButtons”. Set the value to “False” and stop being delayed by random search destinations.
Off-Site scripts are annoying.
To explain – I use NoScript (as everyone should) with Firefox (it doesn’t work with Chrome: I might consider trusting Google’s browser for some mainstream websites when it does, but I don’t really like that Chrome logs every keystroke back to Google and I’m not sure why anyone would tolerate that). NoScript enables me to give per-site permission to execute scripts.
The best sites don’t need any scripts to give me the information I need. It is OK if the whizzy experience is degraded somewhat for security’s sake, as long as that is my choice. Offsite scripting can add useful functionality, but the visitor should be able to opt out.
Most sites use offsite scripting for privacy invasion – generally they have made a deal with some heinous data aggregator whose business model is to compile dossiers of every petty interest and quirk you might personally have and sell them to whoever can make money off them: advertisers, insurance companies, potential employers, national governments, anyone who can pay. In return for letting them scrounge your data off the site, they give the site operator some slick graphs (and who doesn’t love slick graphs). But you lose. Or you block Google Analytics with NoScript. This was easy – block offsite scripts if you’re not using private browsing, or switch to private browsing (and Chrome’s private browsing mode is probably fine) and enjoy the fully scripted experience.
But I’ve noticed recently a lot of sites are borrowing basic functionality from Google APIs. Simple things like uploading images, for which there are plenty of open source scripts, are being sold to them in an easy-to-integrate form in exchange for your personal information: in effect, you’re paying for their code with your privacy. And you either have to temporarily allow Google APIs to execute scripts in your browser and suck up your personal information, or you can’t use the site.