2

I've recently decided to give this hosts file a try.

Just after adding these entries on my machine I've noticed that the HTTPS connection is insecure on banking sites and PayPal. Chrome shows a red padlock and warns about insecure scripts. I've tried to find mixed content scripts using Inspector, but I haven't found any - all scripts are either loaded over HTTPS or added by Chrome extensions.

Chrome HTTPS warning screenshot

Removing new entries from the hosts file fixes this. What's interesting is that only some machine+browser pairs are affected:

  • My main Windows 10 machine, Chrome 47: ✘ insecure
  • Same machine, Chrome updated to 48: ✘ insecure
  • Same machine, another instance of Chrome 47, no extensions: ✘ insecure
  • Same machine, Firefox 43: ✔ secure
  • Android 5.1 smartphone, Chrome 47: ✔ secure
  • Another Windows 10 machine, Chrome 47: ✘ insecure

What's wrong with Chrome on Windows? How do I diagnose which entry causes this issue? Is there any better method than bisecting that hosts file?

Here's mbank.pl certificate information from Chrome 47:

Certificate information screenshot Certificate information screenshot

It seems that all four affected sites that I'm aware of:

have one thing in common: they use a Symantec certificate. SSL Labs test confirms that it's correct.

10
  • What's the certificate information say? What you've blocked may be relevant too
    – Journeyman Geek
    Commented Jan 25, 2016 at 23:36
  • 1
    Because hosts wasn't meant to block content. You have Symantec software installed; that's what has broken HTTPS, not your hosts file changes. Firefox only works because it uses its own certificate store, which Symantec hasn't infected.
    – Ramhound
    Commented Jan 26, 2016 at 0:29
  • @JourneymanGeek, check the first link in my question for the hosts entries. I've added cert details.
    – gronostaj
    Commented Jan 26, 2016 at 9:49
    @Ramhound, there is no Symantec software on these machines and there never was. I have installed OSes myself, so I'm also sure I don't have any manufacturer crapware. It's a good point, though, that all affected sites I'm aware of use a Symantec certificate.
    – gronostaj
    Commented Jan 26, 2016 at 9:56
  • Might be related to googleonlinesecurity.blogspot.sg/2015/10/… and arstechnica.com/security/2015/10/… The second link would be the core of an answer if it was June... Did Google start blacklisting Symantec early?
    – Journeyman Geek
    Commented Jan 26, 2016 at 10:24

1 Answer

1

Chrome 48 actually has a new feature for debugging mixed content issues.

  1. Open the connection security panel and click Details:

    Connection security panel

  2. This opens a Security Overview panel; click View requests in Network Panel:

    Security overview panel

  3. Reload the page to show the mixed content elements:

    Mixed content elements

1
  • I've tried this on two affected sites and the list was empty. (Yes, I have refreshed)
    – gronostaj
    Commented Jan 26, 2016 at 9:47
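
As an alternative to bisecting the hosts file, which the question asks about, this added example (not code from the question or the answer) cross-references the sink-holed hosts entries with the hostnames a page depends on and reports the hosts-file line responsible. The function names, the hosts excerpt and the URLs are constructed for illustration; real input would be the request URLs from the Network panel plus any URLs shown in the certificate details.

```python
from urllib.parse import urlsplit

SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}  # addresses blocklists point names at

def parse_hosts(text):
    """Map each sink-holed hostname to the hosts-file line number that blocks it."""
    blocked = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in SINKS:
            continue  # blank line, comment, or a mapping to a real address
        for name in fields[1:]:  # one line may list several names
            blocked.setdefault(name.lower().rstrip("."), lineno)
    return blocked

def blocked_dependencies(hosts_text, urls):
    """Return sorted (hostname, hosts_line, url) for every URL whose host is blocked."""
    blocked = parse_hosts(hosts_text)
    hits = set()
    for url in urls:
        # urlsplit lowercases the hostname; unparsable input yields None
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host in blocked:
            hits.add((host, blocked[host], url))
    return sorted(hits)

# Constructed sample data (hypothetical names under the reserved .example TLD)
SAMPLE_HOSTS = """\
# constructed blocklist excerpt
127.0.0.1 localhost
0.0.0.0 ads.tracker.example
0.0.0.0 ocsp.ca.example crl.ca.example  # two names on one line
192.0.2.10 intranet.example
"""
SAMPLE_URLS = [
    "https://bank.example/login",
    "https://static.bank.example/app.js",
    "http://OCSP.ca.example/status",
    "http://crl.ca.example/ev.crl",
]

if __name__ == "__main__":
    for host, lineno, url in blocked_dependencies(SAMPLE_HOSTS, SAMPLE_URLS):
        print(f"hosts line {lineno} blocks {host} (needed for {url})")
```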
