Security certificates broken on Google Chrome 41

Don’t install the latest release of Google Chrome (41), released on Thursday (Friday UK time). They’ve messed up. Twice.

Broken SSL when talking to routers etc.

The first problem comes when accessing the web interface on a device such as a router over SSL (encrypted). Unfortunately, because the software in theses is embedded, the security certificate it uses isn’t going to match the name of the device you use to access it. This would be impossible – when it leaves the factory it hasn’t had its IP address assigned on your site; never mind the DNS entry. Previously browsers have allowed you to ignore this mis-match; the encryption works as long as you’re comfortable that you’re really talking what you think you are using some other check, and once the exception has been stored, this should be the end of the matter.

But not with Chrome release 41. Now it will show you the screen below:


If you ask for more details it doesn’t really give you much:

A secure connection cannot be established because this site uses an unsupported protocol.
This comes from a DrayTek 2820 modem/router, but the problem seems to exist on other networking kit.

More adverts too – and a malware backdoor

(Please see update below – there may be an innocent explanation for this)
As an extra surprise, those nice people seem to have found a way of blocking URL keyword filters used to keep adverts out from objectionable sources, circumventing methods of blocking Google’s syndicated advertising. I’m still researching this, but the way they appear to have done it means that embedded content from other sources than the site you’re looking at is extremely difficult to block.
It appears Google has done this to protect its revenue stream from adverts, with little regard from the site policies that may exist for reasons Google may not realise. But that’s not the worst of it: how long will it be before this feature of Chrome is used for drive-by downloads. If you’re firewall isn’t able to cross-check the source of the content on a page, it can be coming from anywhere.
Unfortunately there is no way of rolling back a bad version of Chrome. They really don’t like you doing that, however dangerous a release might be.
I have, of course, made urgent representations to the Chrome project but we will have to wait and see. In the mean time, all I can suggest is that you prevent Chrome from updating beyond version 40.

Update 2015-03-23
On further investigation, the updated Chrome isn’t doing a DNS lookup to find the Google ad-server. I’m unsure whether this is because it somehow cached the DNS results internally or whether its hard-wired. It certainly wasn’t using the system cache, but I know Chrome has kept its own cache in the past. If it is from an internal cache, the mechanism used to get the IP address in there in the first place is a mystery, however Google’s ad servers change from time to time and it’s not impossible that the perimeter firewall simply hadn’t kept up and allowed some through.

My next research will be looking more closely at the DNS traffic.

BT Parental Controls Hack

In a move of spectacular incompetence, BT Broadband has hacked the HTTP data stream to customers in order to pop up a message concerning it’s “Parental Controls”. It’s done this without seeking any permission from the customer, and to add insult to injury, the code they’re injecting is buggy.

The injected popup  says “How to protect your family online with BT Parental Controls”, with an “Are you keeping your family safe?” online in order to worry the ignorant. It goes on “Safeguard all the computers, tablets and phones(sic) connected to your Home Hub”. The “Home Hub” is the weak and feeble excuse for a router they send you “free” when you sign up, and which anyone who knows anything about networking will have kept in the shrink wrap.

BT Parental Controls Popup
The popup you can’t kill. BT appears to be injecting this in to the HTTP stream of unsuspecting customers

As you can see from the pop-up above , there is a “No thanks” option, but it simply doesn’t work. Several commonly used websites such as Amazon have become unusable as a result – you just can’t get rid of the BT popup. Even clicking on “Yes please, Set it up” leads you nowhere except to a login to which the credentials are a mystery. Quite possibly because I’m not one of the lusers with a “Home Hub” (or business hub).

And this is on a standard Windoze 7 PC running the current version of the Chrome browser. And no software firewall to blame it on.

I called BT to complain and ask for it to be removed. They don’t even know what I’m talking about, which is odd because there was a spate of this stupidity earlier in the year. Fortunately they stopped before a full roll-out, but you can’t keep a good idiot now – the same idiot has resurrected the idea and rolled it out, possibly wholesale this time. Whoever it was should be publicly named and sacked.

Google’s Evil Browser policy

Gmail Fail

Google’s VP of Engineering (Venkat Panchapakesan) has published one of the most outrageous policy statements I’ve seen in a long time – not in a press release, but in a blog post.

He’s saying that Google will discontinue support for all browsers that aren’t “modern” from the end of July, with the excuse that is developers need HTML5 before they can improve their offerings to meet current requirements. “Modern” means less than three versions old, which currently refers to anything prior to IE8 (now that IE 10 is available on beta) and Firefox 3.5. This is interesting – Firefox 4 has just been released, I’m beta testing Firefox 5 with Firefox 7 talked about by the end of 2011. This will obsolete last month’s release of Firefox 4 in just six months. Or does he mean something different by version number? Anyone who knows anything about software engineering will tell you that major differences can occur with minor version number changes too so it’s impossible to interpret what he means in a technical sense.

I doubt Google would be stupid enough to “upgrade” it’s search page. This will affect Google Apps and Gmail.

The fact is that about 20% of the world is using either IE 6 or a similar vintage browser. Microsoft and Mozilla have a policy of encouraging people to “upgrade” and are supportive of Google. Microsoft has commercial reasons for doing this; Mozilla’s motives are less clear – perhaps they just like to feel their latest creations are being appreciated somewhere.

What these technological evangelists completely fail to realise is that not everyone in the world wishes to use the “latest” bloated version of their software. Who wants their computer slowed down to a crawl using a browser that consumes four times as much RAM as the previous version? Not everyone’s laptop has the 2Gb of RAM needed to run the “modern” versions at a reasonable speed.

It’s completely disingenuous to talk about users “upgrading” – it can easily make older computers unusable. The software upgrade may be “free” but the hardware needed to run it could cost dear.

It’ll come as no surprise to learn that the third world has the highest usage of older browser versions; they’re using older hardware. And they’re using older versions of Windows (without strict license enforcement). There’s money to be made by forcing the pace of change, but it is right to make anything older than two years old obsolete?

But does Google have a point about HTML5? Well the “web developers” who’s blog comments they’ve allowed through uncensored seem to think so. But web developers are often just lusers with pretensions, fresh out of a lightweight college and dazzled by the latest cool gimmick. Let’s assume Google is a bit more savvie than that. So what’s their game? Advertising. Never forget it. Newer web technologies are driven by a desire to push adverts – Flash animations and HTML5 – everything. Standard HTML is fine for publishing standard information.

I’ll take a lot of convincing that Google’s decision isn’t to do with generating more advertising revenue at the expense of the less well-off Internet users across the globe. Corporate evil? It looks like it from here.