"https insecure" on google websites only (Chrome)

[newcster2]

Occasionally, at any random time of day, google websites will suddenly start showing the "https" in the url in red with a line through it.  If I click on it, it says "This page is insecure (broken HTTPS)", further down it says "SHA-1 Certificate - The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1".  If I try to view the details of the certificate, it seems to be pretty similar to that of other websites that are shown as secure (this website for example).  I tried to compare my certificate to one on chrome on a different PC on my same network, and it's almost exactly the same with the exception of the dates being formatted differently.  On my certificate the dates are formatted like "December 8" or "March 2", but on the other PC, the dates are like "December 08" or "March 02".  The problem seems to fix itself eventually, I have tried all sorts of troubleshooting in the past like, deleting cache and cookies, uninstalling Chrome extensions like adblockers and tracker-blockers that I normally have installed, or restarting chrome.  All of these steps seem to either do nothing or temporarily restore the "secure" label only to be changed back to the "insecure" labeling until it decides it doesn't want to for the rest of the day.

 

I would post a screenshot of the certificate details but I'm not exactly sure how much of that is sensitive information that I wouldn't want to post on a public forum.

 

Any ideas as to what might be causing this?  Things I can check to be sure I don't have some sort of malware?  I run malwarebytes pretty regularly, and I use Avira free antivirus for real-time detection.

[Rohime]

34 minutes ago, newcster2 said:

Occasionally, at any random time of day, google websites will suddenly start showing the "https" in the url in red with a line through it.  If I click on it, it says "This page is insecure (broken HTTPS)", further down it says "SHA-1 Certificate - The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1".  If I try to view the details of the certificate, it seems to be pretty similar to that of other websites that are shown as secure (this website for example).  I tried to compare my certificate to one on chrome on a different PC on my same network, and it's almost exactly the same with the exception of the dates being formatted differently.  On my certificate the dates are formatted like "December 8" or "March 2", but on the other PC, the dates are like "December 08" or "March 02".  The problem seems to fix itself eventually, I have tried all sorts of troubleshooting in the past like, deleting cache and cookies, uninstalling Chrome extensions like adblockers and tracker-blockers that I normally have installed, or restarting chrome.  All of these steps seem to either do nothing or temporarily restore the "secure" label only to be changed back to the "insecure" labeling until it decides it doesn't want to for the rest of the day.

 

I would post a screenshot of the certificate details but I'm not exactly sure how much of that is sensitive information that I wouldn't want to post on a public forum.

 

Any ideas as to what might be causing this?  Things I can check to be sure I don't have some sort of malware?  I run malwarebytes pretty regularly, and I use Avira free antivirus for real-time detection.

 

This message is a new feature in the most recent chrome update.

Basically, there is something wrong with the SSL cert chain.   Not much you can do about it... its an added feature to make you aware of which sites do SSL properly and which don't ... designed to improve quality of servers (at the server owners end).

[newcster2]

1 minute ago, Rohime said:

 

This message is a new feature in the most recent chrome update.

Basically, there is something wrong with the SSL cert chain.   Not much you can do about it... its an added feature to make you aware of which sites do SSL properly and which don't ... designed to improve quality of servers (at the server owners end).

But I've already seen that another PC on my network in my house is not facing this issue in the same version of Chrome, wouldn't that mean it's something wrong with my PC rather than a problem with a system somewhere between the Google server and my PC?  When I googled this I got basically the same idea that you did by the countless articles about this update, but nothing about my actual issue I'm having.  Also, would it make any sense that Google isn't keeping up-to-date on the security that their own browser is checking up on?

[Rohime]

Ummm.... maybe you could have somehow damaged the certificate key-chain on your PC, but thats pretty unlikely unless you've been deliberately screwing with it.    Might be worth completely uninstalling chrome and install again ... but probably wont make any difference.

 

can you provide some sample websites that are showing as broken SSL?   let others test them as well?   Also exactly what level of chrome ... 

 

[newcster2]

Did some more messing around.  I had to restart my computer for something else.  I decided to clear cache, cookies, hosted app data, media licenses.  I then restarted Chrome.  Now, on specifically https://www.google.com/ I have an alleged secure connection.  Of course, I am not logged in anymore because I cleared cache.  When I visit https://www.youtube.com/ I am having the same insecure connection warning.  Upon further inspection of the certificate details on both of the web pages, I can see that the one at youtube is the same old certificate I was getting before restarting and clearing browsing data.  The secure certificate on google is new and slightly differs from the insecure youtube one; the serial number, valid from, valid to, public key, public key parameters, subject alternative name, subject key identifier, and thumprint are different.  The insecure one also includes a detail called "Key usage", though every other detail seems to be the same, including the Authority key identifier.  When I'm at the secure google page, if I attempt to sign in, I am directed to a google sign in page that has the same insecure certificate as the youtube page. 

Edit: elsewhere in the overview of the page security, it shows that the secure page is using " (ECDHE_RSA with X25519) " Key exchange while the insecure pages are using " (ECDHE_ECDSA with X25519) ".

 

Not sure if this information is actually useful for determining whats going on or if I'm in danger or not, but it's all I can observe about the certificates of these pages and I figure I'd mention it.

 

I'm weary of logging in at these pages that chrome is telling me are insecure and at this point I'm just looking for an answer to whether or not I should actually be worried about this and if there's (with absolute certainty) anything I can do about it.