Verifying CA Certificates in Chromium

You might have seen the headlines about the recent successful attack against digital certificates signed using the MD5 hashing algorithm. This weakness affects everything from email to banking, and it is important to be conscientious about which sites and certificates you trust. Fortunately, there are a few things you can do to protect yourself.

The first thing you want to do is tell your web browser to check for server certificate revocation. This ensures that the issuing CA has not revoked the server certificate: if someone's certificate is forged and then revoked, you don't want your browser to go on trusting it. To enable this option, open the Options tab, view Under the Hood and scroll down to the Computer-wide SSL settings.

[Screenshot: checkCert]

Another thing you might want to do is ensure that a website you trust is not depending on the flawed algorithm. You can view the signature algorithm by first clicking on the secure connection icon in the omnibar.

[Screenshot: Examine1]

This will display the security information for the website. Click Certificate Information to view the details of the server certificate.

[Screenshot: Examine2]

Examine the Signature algorithm field in the Details tab. As long as your trusted website is not using MD5 (shown as md5RSA), you should be OK.

[Screenshot: Examine3]

This means that your bank or email provider is not depending on the flawed algorithm. The only catch is that a phisher could forge this part of the certificate to present misleading information, so only use this technique to verify that a site you already trust is not depending on MD5.
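The same signature-algorithm check can be scripted against a certificate exported from the browser's certificate dialog. The following is an added example, not code from the original post or from the Chromium project: a standard-library-only Python script that reads just enough DER to reach the certificate's AlgorithmIdentifier fields, flags md5WithRSAEncryption, and also compares the outer signatureAlgorithm with the copy inside tbsCertificate (RFC 5280 requires the two to match, so a mismatch is a sign of tampering or a broken encoder). The OID table, the DER reader and the sample_certificate() fixture are all constructions of this example; the fixture is an unsigned skeleton that exists only to exercise the parser.

```python
"""Added example (not from the original post): report the signature algorithm
of an X.509 certificate (DER or PEM) with only the standard library and flag
md5WithRSAEncryption. sample_certificate() is a constructed, unsigned fixture."""
import base64

MD5_RSA_OID = "1.2.840.113549.1.1.4"
SIGNATURE_OIDS = {                       # well-known signature algorithm OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length: 0x8n then n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, n = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends the arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def pem_to_der(cert):
    """Accept PEM text or raw DER bytes and return DER bytes."""
    if isinstance(cert, bytes):
        return cert
    body = [line for line in cert.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))

def to_pem(der_bytes):
    """Wrap DER bytes in PEM armour, the form a browser typically exports."""
    b64 = base64.b64encode(der_bytes).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

def inspect_certificate(cert):
    """Report the outer signatureAlgorithm, whether it is md5WithRSA, and
    whether it agrees with tbsCertificate.signature (RFC 5280 requires equality)."""
    tag, cert_seq, _ = read_tlv(pem_to_der(cert), 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, tbs, pos = read_tlv(cert_seq, 0)          # tbsCertificate
    _, sig_alg, _ = read_tlv(cert_seq, pos)       # signatureAlgorithm
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    tag, _, p = read_tlv(tbs, 0)
    if tag == 0xA0:                               # explicit version tag present
        tag, _, p = read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, tbs_alg, _ = read_tlv(tbs, p)
    outer, inner = algorithm_oid(sig_alg), algorithm_oid(tbs_alg)
    return {"oid": outer, "name": SIGNATURE_OIDS.get(outer, "unknown"),
            "uses_md5": outer == MD5_RSA_OID, "consistent": outer == inner}

# --- constructed fixture: a skeletal, unsigned certificate for testing only ---
def der(tag, content):
    """Minimal DER TLV encoder; short-form lengths suffice for the fixture."""
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    """Encode dotted OID notation into OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                   # base 128, high bit set on all but the last byte
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return bytes(out)

def sample_certificate(sig_oid, tbs_oid=None):
    """Certificate skeleton carrying the given OIDs; the signature bytes are zeros."""
    alg = lambda oid: der(0x30, der(0x06, encode_oid(oid)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))   # version v3
                    + der(0x02, b"\x01")            # serialNumber 1
                    + alg(tbs_oid or sig_oid))      # signature
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    for oid in (MD5_RSA_OID, "1.2.840.113549.1.1.11"):
        print(inspect_certificate(sample_certificate(oid)))
```

To use it on a real certificate, export it from the certificate dialog and pass the file contents to inspect_certificate(). Run it over every certificate in the chain rather than the leaf alone, since the published attack targeted the issuer's MD5 signature, and treat a "consistent": False result as a reason to distrust the certificate regardless of the algorithm named.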

If you find that a site you trust is using MD5, my recommendation is not to use that online service: even if the certificate hasn't been compromised, the security of the site is inadequate, and those responsible for it haven't taken the precautionary steps needed to ensure your online safety.

Comments

gabe said…
this is a general comment -- not relevant to this post.

I can't figure out what the precise relationship of Chromium is to Google Chrome. Could you write a post sometime explaining the nature of this relationship? I thought the Chrome project was piloted by Google, but Chromium seems to be an independently compiled... is it getting forked? Do you work for Google? What's the deal?
nabiy said…
Google's marketing FUD has intentionally confused the relationship. Chromium is the original open-source browser project created by Google. You can download the source code, contribute to development and even use it in your own project. Several browsers are built from this source code to include Crossover Chromium, SRWare Iron, and even Google's Chrome. Google does not provide a binary for Chromium for end user use. Instead they direct download requests to their closed-source proprietary browser Chrome. Free-Chrome.net offers a binary version of the Open-Source project for end-user use.

I hope that answers your questions. Also, no, I do not work for Google (they probably would have fired me for doing this). I am an independent open source developer and enthusiast. I realize that most people do not own a copy of Visual Studio and may not be able to compile the source code themselves, so I do this as a public service.
slaine said…
You are wrong on multiple counts:

First, Google does provide binaries for Chromium, here:
http://build.chromium.org/buildbot/snapshots/chromium-rel-xp/?O=D

Second, Google does provide a very clear and detailed explanation of the relationship between Chrome and Chromium, which is much better than your biased version, here:
http://blog.chromium.org/2008/10/google-chrome-chromium-and-google.html

Google is not doing anything different from Mozilla, as the Mozilla Firefox end-user binary is also a closed-source proprietary browser, with a proprietary logo and components, and an EULA that forbids reverse engineering.
nabiy said…
> You are wrong on multiple counts:

Certainly not.

> First, Google does provide binaries for Chromium...

Buildbot is a development tool that automates the compile/test cycle. Basically, it ensures that newly committed changes to the code can compile. A snapshot of the BuildBot build is not something you should be using to browse the web. The binaries provided here are substantially different in that they are posted for the end user, having been screened and tested for usability first.

Also, if you look at the Chromium home page ( http://code.google.com/chromium/ ) you will not see a link to the buildbot waterfall, nor will you find a link to download Chromium for the end user. Instead you will see a download link to Google's Chrome browser. Google does not provide a binary for Chromium for end-user use.

> Second, Google does provide a very clear and detailed explanation of the relationship between Chrome and Chromium, which is much better than your biased version, here:
http://blog.chromium.org/2008/10/google-chrome-chromium-and-google.html

I'm not sure how my explanation was biased, and I don't remember saying they didn't provide an explanation. I'm not saying anything different from what Google said: Google releases Chrome as a closed-source browser. They take the Chromium source, make changes and release it. You do not know what changes they make to the source code because it is closed-source. I'm sure you can monitor the traffic and maybe reverse it (I think this is what the SRWare Iron team does), but it's still a closed-source browser and they still pass it off as open source to the media and everyone else.

When I first started releasing binaries on free-chrome.net, Google's Chrome was still being released under a very questionable EULA. This is the main reason that I began building and using Chromium. I do not want to be subjected to that kind of EULA and/or the use of Google's "services", and I didn't think others should either.

Perhaps you've called me biased because I question Google's motive? I assure you that Google's motive is their bottom line. They created Chrome and V8 because they want their web applications to run a certain way. I don't see anything wrong with that; they're a business. However, I think it is wrong to pass off Google Chrome as an open-source browser when it is not. You're probably correct that they are not doing anything different from Mozilla/Firefox, but I don't use Firefox, and so their behavior didn't lead me to compile an open version for my use and then share it.

Anyway, none of this has any bearing on the build provided here. I publish a build of Chromium that I screen, test and use because I can and others probably can't. I do this as a public service in my free time. To date there have been over twenty thousand downloads of the build I provide. That tells me there are a lot of people who can't or would rather not build it themselves, but would rather use this binary (built from the source for the end user) than its closed-source cousin.
gabe said…
Thanks for the info. For what it's worth, before downloading Chromium from free-chrome.net, I downloaded the latest binaries from the buildbot and, a few seconds after loading, it blue-screened my computer (I haven't seen a blue screen in years, prior to this...).

When I originally downloaded Chrome, the only critical feature that I found lacking was support for clicking and dragging the mouse-wheel button. That feature has been (clumsily) implemented in 1.0.156.0 (7468), but still isn't available in the latest releases of Chrome (1.0.154, I think). Regardless, I'm now happily using Chromium most of the time instead of FF.

Anyway, thanks for compiling this for the public and elucidating the quasi-open-source nature of the project. Much appreciated.

-g
