Google, is that you?

I’ve dusted off the cobwebs from my Parallels installation and Windows XP virtual machine so I could try out Google Chrome.  The new, hawt, browser from Google.  I’ve heard that one of the benefits of using Chrome is that Google web apps, such as GMail and Google Reader, run much faster and tend to be more stable.  As an avid GMail and Google Reader user, I was eager to see how great the difference was.

So I fired up GMail and had a bit of a play around.  And yes, it does seem a touch faster, a bit snappier, than in other browsers.  I don’t think it’s life changing, in fact it’s barely noticeable.  What did alarm me, however, was what happened when I tried to navigate from GMail to Google Reader.  See the image below (click to enlarge).

As you can see, trying to navigate from GMail to Google Reader results in a really ominous warning about the identity of the site you are (attempting to) navigate to.  The text reads as follows.

You attempted to reach www.google.co.uk, but instead you actually reached a server identifying itself as www.google.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.google.co.uk. You should not proceed.

And…

When you connect to a secure website, the server hosting that site presents your browser with something called a “certificate” to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party trusted by your computer. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website that you intended and not a third party (such as an attacker on your network).

In this case, the address listed in the certificate does not match the address of the website that your browser tried to go to. One possible reason for this is that your communications are being intercepted by an attacker who is presenting a certificate for a different website, which would cause a mismatch. Another possible reason is that the server is set up to return the same certificate for multiple websites, including the one that you are attempting to visit, even though that certificate is not valid for all of those websites. Google Chrome can say for sure that you reached www.google.com, but cannot verify that it is the same site as www.google.co.uk which you intended to reach. If you proceed, Chrome will not check for any further name mismatches. In general, it is best not to proceed past this point.

It’s worth pointing out that this clearly isn’t a Google Chrome problem, but rather a Google SSL problem: www.google.co.uk is being served with a certificate issued for www.google.com, so the address in the certificate does not match the address the browser was asked to reach.  Unfortunately, many users will not realise that this isn’t a nefarious attack.
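As an added example (not code from the original post or from Google), here is the hostname check that Chrome’s explanation describes, written over certificate data shaped like the dictionaries Python’s `ssl` module returns from `getpeercert()`.  Both certificates are constructed for illustration: one issued only for www.google.com, as in the screenshot, and one whose Subject Alternative Name lists both hostnames, which is how the mismatch is avoided on the server side.

```python
"""Hostname verification of the kind Chrome performs before showing the warning.

The certificate dicts below are constructed for this example; they mirror the
shape returned by ssl.SSLSocket.getpeercert() in Python's standard library.
"""
from __future__ import annotations


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname using RFC 6125 rules.

    A wildcard is allowed only as the whole leftmost label, matches exactly one
    label, and needs at least two labels to its right ('*.com' matches nothing).
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list[str]:
    """Names the certificate is valid for: SAN dNSName entries, else the CN."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the hostname the user typed is covered by the certificate."""
    return any(_label_match(name, hostname) for name in certificate_names(cert))


# Constructed: a certificate issued only for www.google.com, as the post describes.
COM_ONLY_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "subjectAltName": (("DNS", "www.google.com"),),
}

# Constructed: the server-side fix, one certificate whose SAN lists every
# hostname it is served under, so no name mismatch occurs.
MULTI_NAME_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "www.google.co.uk")),
}

if __name__ == "__main__":
    for cert, label in ((COM_ONLY_CERT, ".com only"), (MULTI_NAME_CERT, "SAN, both names")):
        print(label, "->", hostname_matches(cert, "www.google.co.uk"))
```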

The second thing of note is the error message itself.  It’s very, very well written: plain English, the problem presented in a simple, understandable way, and a bit of background as to what is going on.  So bravo on that point, Google.  But don’t stop there.  With Google’s resources, you would have thought they’d have a significant amount of data on fake and expired SSL certificates.  They could put this to use to avoid false positives such as this one, and make the web not just a safer place (if you knew Google would identify a false certificate within a few minutes and broadcast it, preventing users from accessing the site, you’d certainly reconsider trying it) but also a more usable place.

What do you think about Google Chrome?

Read a usability review of Google Chrome.