“Identity not verified” issue in Chrome

I ran into an interesting issue with a site that I’m involved with. This week we started to receive reports of a warning in Chrome that says “Identity not verified”. This is for a site that has been running happily for quite some time. I’m writing this in November 2014.

At first the warning only happened for some users, and only in Chrome, making it more difficult to track down. Furthermore, the warning message in Chrome didn’t give many clues as to the real issue.

I theorized that it had something to do with a recent update from Chrome, but at first I wasn’t able to prove that. Here’s what the message looked like:

You can tell that something is wrong, but you can’t really tell what it is. After some research, and eventually coming to suspect that Chrome 39 had introduced the issue, we were able to find the authoritative answer.

A blog post from the Chrome team in September provides the story:

That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.

Notice that the certificate expires September 2017 and that it is signed and hashed with SHA-1.

Well, it’s November, we’ve just received the Chrome 39 update, and we have a SHA-1 certificate that is valid past January 1, 2017. That’s us!

SHA-1 (secure hash algorithm) has been used for years to sign and hash various objects, including SSL certificates. In 2005 it was determined to be insecure.

As a result, Microsoft and Mozilla have both announced plans to stop supporting SHA-1 certificates in 2017. Google has announced that it will do the same in a phased way leading up to 2017. And, that’s exactly what happened here.

Chrome has started by showing warnings for SHA-1 certificates which have an expiration date that is past January 1st 2017. So, those with a SHA-1 certificate, who purchased it for a few years in advance, should see this warning in Chrome now.

I do appreciate Chrome being proactive in pushing for a more secure internet, but I’m not a fan of them dinging those with longer-running certificates well in advance of the 2017 date. I’m currently in the process of asking our certificate authority to replace our certificate, and I assume that they will do so, but those with longer-running certificates also have the most invested in them and the most to lose. They could have waited at least another year before turning on this warning. In any case, it is good to update to SHA-2, and it’s a good end result.

This month is when this should start to occur, but you should see more of these over the next couple of years. Longer-running certificates will be hit first, and then, as we get closer to 2017, other certificates will receive the warnings. IE, Firefox, Safari and other browsers may start to issue warnings leading up to 2017.

So, if you have been impacted by this, and you’re a site owner, you should contact your certificate authority and ask for them to reissue your certificate using SHA-2 instead.

If you are a web user and you see this warning, you can contact the site owner to make sure that they are aware of the warning. The site is no less secure today than it was last month, but Google is starting to bring awareness to the less secure SHA-1 signed certificates.
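Here is a small script, added to this post as an illustration and not part of the original write-up, that applies the rule quoted from the Chromium blog above. It reads the text that `openssl x509 -text -noout` prints for the leaf certificate and its intermediates, pulls out each certificate's signature algorithm and the leaf's expiry date, and reports how Chrome 39 treats the site. It also carries the Chrome 40 and 41 milestones from the same Chromium announcement, which go further than the passage quoted here. The sample certificate text is constructed for the example, and `parse_chain` and `chrome_sha1_status` are names chosen here, not anything from Chrome or OpenSSL.

```python
"""Apply Chrome's SHA-1 sunset rules to a certificate chain.

Added example (not code from the original post). Input is the text that
`openssl x509 -text -noout` prints for the leaf and any intermediates; the
sample below is constructed for this example.
"""
import re
from datetime import datetime, timezone

# Signature algorithm names, as printed by openssl, that count as SHA-1 based.
SHA1_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

JAN_2016 = datetime(2016, 1, 1, tzinfo=timezone.utc)
JUN_2016 = datetime(2016, 6, 1, tzinfo=timezone.utc)
JAN_2017 = datetime(2017, 1, 1, tzinfo=timezone.utc)

# Constructed sample chain: leaf first, then its intermediate. The self-signed
# root is deliberately left out, since browsers do not check a trust anchor's
# own signature when deciding whether a chain "uses SHA-1".
SAMPLE_CHAIN = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Intermediate CA
        Validity
            Not Before: Mar 10 00:00:00 2014 GMT
            Not After : Sep 30 23:59:59 2017 GMT
        Subject: CN=www.example.org
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Root CA
        Validity
            Not Before: Jan 15 00:00:00 2010 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: CN=Example Intermediate CA
"""


def parse_chain(text):
    """Extract subject, signature algorithm and expiry for each certificate."""
    certs = []
    for block in text.split("Certificate:")[1:]:
        alg = re.search(r"Signature Algorithm: (\S+)", block).group(1)
        not_after = re.search(r"Not After : (.+ GMT)", block).group(1)
        subject = re.search(r"Subject: ([^\n]+)", block).group(1).strip()
        expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT")
        certs.append({
            "subject": subject,
            "sig_alg": alg,
            "not_after": expiry.replace(tzinfo=timezone.utc),
        })
    return certs


def chrome_sha1_status(chain, chrome_version):
    """How Chrome shows a site whose chain (leaf first, root excluded) is `chain`.

    Returns one of "secure", "minor errors" (yellow triangle on the padlock),
    "neutral" or "insecure". The Chrome 39 rule is the one quoted in the post;
    the Chrome 40 and 41 milestones come from the same Chromium announcement.
    """
    if not any(c["sig_alg"] in SHA1_ALGORITHMS for c in chain):
        return "secure"
    leaf_expiry = chain[0]["not_after"]
    if chrome_version >= 41:  # 41 and later, until SHA-1 was dropped entirely
        if leaf_expiry >= JAN_2017:
            return "insecure"
        if leaf_expiry >= JAN_2016:
            return "minor errors"
    elif chrome_version == 40:
        if leaf_expiry >= JAN_2017:
            return "neutral"
        if leaf_expiry >= JUN_2016:
            return "minor errors"
    elif chrome_version == 39:
        if leaf_expiry >= JAN_2017:
            return "minor errors"
    return "secure"


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    for cert in chain:
        print(f"{cert['subject']}: {cert['sig_alg']}, expires {cert['not_after']:%Y-%m-%d}")
    for version in (38, 39, 40, 41):
        print(f"Chrome {version}: {chrome_sha1_status(chain, version)}")
```

For a live site you would feed it the output of `openssl s_client -showcerts -connect host:443` piped through `openssl x509 -text -noout` for each certificate in turn. The check looks at the expiry of the leaf only, but at the signature algorithm of every certificate below the root, which is why a SHA-2 leaf hanging off a SHA-1 intermediate still triggers the warning.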

21 Comments

  • Who issued your cert? GoDaddy and others have been warning about this change coming for a while, and to re-key their certs. I'm curious just so I don't buy one from your issuer. :)

  • Hi Jeff. I better not throw them under the bus, except to say that it wasn't GoDaddy and it was a big player. The interesting thing is that we just upgraded the cert earlier this year after the Heartbleed bug was discovered. So you would think that SHA-2 should have been used at the time.

  • Hi Scott,
    Greetings for the day! Hope you are doing well...
    I am a web user and need your help and expert advice on the following :-
    Till date, my online banking website was being verified by Verisign Class 3 and I have also installed Trusteer Rapport for additional safety.
    I updated Google Chrome recently (V.39.0.2171.65 m) & yesterday updated the Trusteer Rapport too. Now, I am noticing something very strange. My bank's webpage which I use for online banking says "Identity not verified" & this is happening not just in Google Chrome, but also in Microsoft Internet Explorer & Mozilla Firefox too. However, Trusteer Rapport icon is glowing green thereby meaning that there is no problem with the webpage.
    Also, the following message is displayed when I click the security padlock :-
    "The identity of this website is verified by avast! Web/Mail Shield Root but it does not have public audit records"
    I am using Avast Free antivirus home edition....Please advise if I need to be concerned for Malware/virus/keylogger/trojan on my system?? May I proceed with online banking in such a scenario??

    The following is my bank's online banking webpage :-
    https://online.ingvysyabank.com/netbanking/BANKAWAY?Action.RetUser.Init.001=Y&AppSignonBankId=IVBL&AppType=corporate&CorporateSignonLangId=001

    Your early response will be highly appreciated.
    Thank you very much in advance for your help.

    Regards,
    Sumit

  • Hi Sumit,

    As you pointed out, this is a different situation. The certificate is still SHA-1 but it expires in 2016 so it falls into a different camp.

    The not verified issue doesn't appear to be because of the certificate itself. Everything looks fine. You can see the status here: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=https%3A%2F%2Fonline.ingvysyabank.com

    Here's some more useful information on the status messages in Chrome:
    http://www.certificate-transparency.org/certificate-transparency-in-chrome

    However, that status message can also occur if other SSL/TLS settings aren't optimal, which I believe is the case here. At the time that I'm writing this, they have SSL3 enabled still, and TLS 1.2 not enabled. I'm not sure which ones cause Chrome and the other browsers to complain, but it's likely from one of those.
    https://www.ssllabs.com/ssltest/analyze.html?d=online.ingvysyabank.com&s=203.200.12.6&hideResults=on

    So this looks secure for the most part, and their identity is verified, but there are some tweaks that they can perform to get around all of the warnings.

    The browsers are taking more effort to bring awareness to the different levels of encryption and identity verification.

  • Hi again Scott,

    Thank you very much for your reply! It's a good thing that the browsers are pushing for a better and safer networking environment, especially where finances are involved.
    Please pardon me for sounding naive, but one thing I don't understand is why all of a sudden I began getting website verifications from 'Avast' when some days ago the same website when visited used to be verified by Verisign !!
    I see the following message displayed when I click the security padlock :-
    "The identity of this website is verified by avast! Web/Mail Shield Root but it does not have public audit records"
    I am using Avast Free antivirus home edition....and instead of Verisign Verification, I see Avast verification in all the installed browsers...
    I observed something unusual and couldn't really figure out where the problem was !!
    Please throw some light on this aspect too....Thanks again for your valuable time...

    Regards
    Sumit

  • Hi Sumit,

    It sounds to me like Avast is adding an extra layer of validation for you, and my assumption is that they recently made some changes which look different than in the past. I doubt the certificate itself has changed. It's probably something new from Avast. I don't know this, but that's my assumption. You could try disabling it temporarily to see what it looks like without Avast, and if what you see seems incorrect then I recommend sending Avast an email asking about it and finding out why they display what they do.

    Thanks,

    Scott

  • Hi again,
    I finally figured out why I was getting website verifications by Avast and felt appropriate to share this with you too...
    Actually, the Avast antivirus program version update added new features called "Enable HTTPS Scanning" and "Scan SSL connections".
    I discovered that these options were checked and when they were disabled, I saw the regular Verisign Verifications appear again !!

    Now, I am undecided if I should let the Avast antivirus do the HTTPS scanning for me and provide me a certificate or may I rely on earlier resources like Verisign/Geo Trust/Cyber Trust etc.
    The positive thing is that an additional layer of security is offered by the antivirus SSL scanning function but a definite con is that only avast verification is visible whilst the regular Verisign Certificate is not shown....Another con could probably be if the antivirus itself is breached by a malware & shows a false sense of safety !!!

    What is your recommendation??

    Thanks for your time and contribution...

    Sumit

  • Hi Sumit,

    I came across the same problem as yours and bumped into your post via Google. I have an e-commerce site with Comodo SSL and it works perfectly on other machines but not mine - same "verified by Avast" problem.

    I found the clue from the Avast forum, more like what you have mentioned. But the thing that worries me is that Avast claims that making Avast the "root" CA actually enables them to decrypt and check https content. I'm not a security expert and don't know if it's really feasible. However, I can't convince myself that Avast can be honest and impeccable forever against hackers. Letting them be the man-in-the-middle for sensitive https content is simply a risk.

    I switched to another AV ultimately...well, I might be a bit too sensitive.

    Eva

  • Hello Eva,

    It's good to know that I am not the only one who got suspicious about the Avast verifications. However, I find that the Avast upgrade has a lot of new things to offer which are by far much better than the other free antiviruses.
    As I have mentioned in my earlier post, under Avast Antivirus settings, if you uncheck the options for enable HTTPS scanning and Scan SSL connections, you would not see the Avast certifications again. Rather, the usual certificates (which we regularly trust & see) will appear :- eg. Verisign, Digicert, GeoTrust, Cybertrust etc.
    Now, even I am not a security expert but instead a geek (lol)....I would still say that to do away with Avast was not a good decision of yours. The reasons why I say this are as follows :-
    1) Avast offers a good cover for both viruses and malware in the free version
    2) It is better rated as compared to every other free AV utility on offer
    3) Pretty fast as compared to others :- I have personally experienced Bullguard, Avira, McAfee, Norton, TrendMicro, Malwarebytes and Microsoft Security Essentials. After experiencing these, I reverted back to Avast for my machine
    4) It updates almost daily
    5) Now, with the recent upgradations, it offers https/ssl scanning & also scans your home network + router to detect any infection or safety issues.

    Having said that, I would suggest you the following :-
    1) Keep Avast AV but switch off the options enable https scanning and scan SSL connections
    2) By taking care of point 1 above, you can rest assured with the usual certificates & prior to any high amount/sensitive transaction, you can enable the Avast options temporarily and double check/be doubly sure about your site. This way you will be able to derive the benefit of the extra layer of security offered by Avast AV
    3) Also, you can once again verify and check the authenticity of the certificate by using the below mentioned link as pointed out by Scott earlier :-
    http://www.networking4all.com/en/support/tools/site+check/

    Once you do these steps, you should be good to go (I am also doing the same and proceed with transactions when I am content with the results of these steps)

    Hope this helps.

    Sumit

  • I just got off chat with GoDaddy. Here's the dialog
    You're chatting with Robert.
    Francisco -
    Chrome is saying "Identity not verified". Can you fix this?
    Robert -
    Thank you for contacting live chat. My name is Robert. How can I help you today?
    Robert -
    What is the URL in question?
    Francisco -
    It's regarding the secure certificate
    Francisco -
    https://glenner.org
    Robert -
    Your certificate is a Standard Certificate. The Standard Certificate is Domain Control Validated and does not supply or verify the Identity of the certificate requestor. You would need a Premium Extended Validation for that type of information to be available in the certificate details.
    Francisco -
    How much does it cost?
    Francisco -
    I don't know how to upgrade it.
    Robert -
    The Price for an Extended Validation Certificate is $199.99. It can take up to 6 weeks to be issued. There is no way to upgrade. You must purchase a new certificate.
    Francisco -
    $200!? That's a lot! Alright, nevermind. We're a small non-profit.
    Robert -
    Ok, Let us know if you have any other questions. I hope you have a great weekend.


  • Hi Francisco,

    There is the "real" issue of "Identity not verified" too, but the new issue that we'll start to see a lot of is the same error message, but it's referring to using SHA-1 and a 2016 or 2017 expiration date.

    I actually recently had another situation with a GoDaddy cert that started giving the yellow warning, and I asked their support how to re-issue the cert, and it was very straightforward. This particular one was also just the standard cert, which is easier to update. Within 20 minutes I had a new cert on the server, beginning to end.

    So, the person that you talked to may have been focusing on something else. If you just started getting the yellow warning then re-issue the cert using SHA-2 (or SHA2xx, like SHA256), and you should be good.

  • Just ran into this issue with an older site (client freaking out) and after a lot of digging found this gem!

  • I think there are actually two warnings you see. The first is about the lack of public audit records, AKA "Certificate Transparency"

    http://www.certificate-transparency.org/how-ct-works

    The second relates to SHA-1.

  • Hi Scott, thanks for the write-up. I was googling why the "identity not verified" statement popped up for a new site of mine. I put in an SSL cert that is signed by VeriSign. The cert shows that it's using
    Signature algorithm: sha1RSA
    Signature hash algorithm sha1
    expires 2/12/2016

    The browser I am seeing this issue in is Chrome Version 40.0.2214.111 m.
    I have also gone through the chromium blog that you linked in this blog. The chromium blog seems to point only on the visual displays of the alert levels that chrome version will be using for SHA1 used sites.
    Is the reason for the "identity not verified" tag on the chrome browser because of the usage of SHA1 algorithm? And if this is the cause of it, are you suggesting to get the SHA2 from the CA?
    Thanks in advance !!

  • Hi okram9999,

    Yes, it sounds likely that you're running into the same situation. Upgrading to SHA2 should do the trick. Your CA should give you permission to reissue your cert.

    Scott

  • Thanks for sharing. However I have the same problem with Google websites (Home page, Gmail, Translate, etc.). What should I do to fix this? Should I contact site owner (Google)?!

  • Hi Mehran,

    Are you in a country or a corporate network that may try to proxy the traffic? I get a nice green status on all of those three sites. If you continue to get that then I would contact them to confirm that the certificate is correct from your location. Maybe you're hitting a different CDN or set of servers that have an issue with the cert.

  • This started happening on some of our other sites, Chrome only, and it was driving me nuts till I found this page. Thanks Scott, you are a gentleman and a scholar!

  • Thanks for creating these notes and relevant page.

    Noticing MacOS Chrome 42 starting to complain about our production site (warning triangle on the SSL padlock - and clicking the warning displays:
    "The identity of this website has been verified by Starfield Secure Certification Authority but does not have public audit records. The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."

    Google search did not shed any light on the issue.
    I just hung up on a GoDaddy SSL support chat - where the "SSL Expert" told me he had never heard of the problem, and suggested rekeying my cert. I explained to him that rekeying a cert is a race against time as the old cert is revoked. He was pretty useless. Rekeying seems to be the only hammer they have and all problems are nails.

    Later, a "Bing" search dug up 10x articles on the same subject google search did - among which was your article, nailing the problem.

    I will now get another SSL cert for the same domain and transition into that, then ask for a partial refund from GoDaddy on the unused portion of the old and recently untrustworthy SSL cert.

    Thanks again for taking the time for documenting your research.

    M. D.

  • I'm getting this same error, but on a MICROSOFT site: https://account.live.com/!!! Apparently, the certificate for this site expires next year - I'm SUPER surprised that they haven't renewed it yet... and the certificate it is using is apparently a Japanese version of a MS cert. This comes after I was given warning by e-mail that my outlook account had a few suspicious sign-in attempts from Hong Kong yesterday... which do not appear on my account.live.com activity page when I go look at all the sign-ins and sign-in attempts.

    I've been running Malwarebytes Antimalware Premium, SpywareBlaster, Malwarebytes Anti-Exploit Premium, and ESET Smart Security 8, along with software and hardware firewalls on my modem, two-step verification on all major accounts of any sort, yada yada yada... should I be concerned?

  • Thank you thank you thank you, for two months now I have had this problem with the security certificate, but I did not find this information anywhere and so did not know how to solve it.
    Yesterday, after reading it I opened a ticket from my certificate provider, and in a matter of a few hours I had the new certificate with SHA-2.
    Everything works as it should.
    Pedro
