Google researchers have found that Chrome is issuing “hundreds of millions” of HTTPS certificate error warnings per month when there is no actual attack taking place.
The search company is pushing the web towards “HTTPS everywhere” by using icons and warnings in Chrome, which is now used by more than 2 billion people.
There are signs that more websites are enabling HTTPS by default, but false alarms could cause fatigue among Chrome users and undermine the push for more sites to enable HTTPS.
“Spurious warnings frustrate users, hinder the widespread adoption of HTTPS, and undermine trust in browser warnings,” the researchers note in a new paper.
The study was limited to Chrome users who had opted in to sharing HTTPS error reports with the Chrome team, which received about a million reports per day over a year-long period.
More than half of the 300 million certificate errors in the study were due to “non-attack network interception” (such as captive portals and security software that proxies TLS connections) or to problems with software on the end-user device.
Microsoft faced similar communication challenges with security alerts: Windows Vista users felt bombarded by them, and many chose to switch off warnings that were designed to protect them.
Google has started testing a series of new Chrome alerts that point users to the specific problem categories. One of the new warnings is that “Your clock is ahead”.
Google began testing this several months ago by blocking affected sites in Chrome, which confused some users. The company now explains that incorrect system clocks on end-user devices were a significant cause of HTTPS errors: a certificate is only trusted between its “not before” and “not after” dates, so a device whose clock is years off sees perfectly valid certificates as expired or not yet valid. Wrong clocks were one of the biggest triggers of certificate errors on Android and Windows devices.
The researchers are not sure why device clocks are so often wrong, but speculate that some users set them deliberately to get around time-limited software licences or to cheat in games.
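To show why a wrong clock produces a certificate error, and how a browser can tell that case apart from a genuinely expired certificate before showing a “Your clock is ahead” page, here is an added illustration in Python. It is not Chrome’s code or the paper’s; the heuristic (comparing the device clock against the browser’s own build timestamp and against a trusted network time) is a simplified, hypothetical model, and the certificate dates, build time and network time are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year, month, day):
    """Build a timezone-aware UTC datetime (keeps the sample data readable)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertValidity:
    """The notBefore/notAfter window of an X.509 certificate."""
    not_before: datetime
    not_after: datetime


def check_validity(cert, now):
    """Plain RFC 5280 date check: is `now` inside the certificate's validity window?"""
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    return "ok"


def classify_date_error(cert, device_now, build_time, network_now=None):
    """Decide whether a date error is the certificate's fault or the device clock's.

    Hypothetical, simplified heuristic (not Chrome's code):
      - a device clock earlier than the browser's own build timestamp is
        impossible, so the clock must be behind;
      - if a trusted network time is known and the certificate is valid at that
        time, the device clock is what is wrong, either ahead or behind;
      - otherwise report the plain date error, since nothing proves the clock
        is wrong.
    """
    plain = check_validity(cert, device_now)
    if plain == "ok":
        return "ok"
    if device_now < build_time:
        return "clock_behind"
    if network_now is not None and check_validity(cert, network_now) == "ok":
        return "clock_ahead" if device_now > network_now else "clock_behind"
    return plain


# Constructed sample data: a certificate valid for calendar year 2017, a browser
# built in June 2017, and a trusted network time in September 2017.
SAMPLE_CERT = CertValidity(not_before=utc(2017, 1, 1), not_after=utc(2018, 1, 1))
BUILD_TIME = utc(2017, 6, 1)
TRUSTED_NETWORK_TIME = utc(2017, 9, 15)


def scenarios():
    """Classify a few device-clock situations against the sample certificate."""
    return {
        # Correct clock: the certificate simply verifies.
        "correct_clock": classify_date_error(
            SAMPLE_CERT, utc(2017, 9, 15), BUILD_TIME, TRUSTED_NETWORK_TIME),
        # Clock set years ahead (e.g. to outlive a trial licence): the cert looks
        # expired, but the trusted network time shows the clock is what is wrong.
        "clock_years_ahead": classify_date_error(
            SAMPLE_CERT, utc(2021, 3, 3), BUILD_TIME, TRUSTED_NETWORK_TIME),
        # Clock reset to a factory default earlier than the browser build itself.
        "clock_before_build": classify_date_error(
            SAMPLE_CERT, utc(2010, 1, 1), BUILD_TIME),
        # Clock past the window, no network time available: nothing proves the
        # clock is wrong, so the plain error stands.
        "expired_no_reference": classify_date_error(
            SAMPLE_CERT, utc(2019, 1, 1), BUILD_TIME),
        # Network time agrees the window has passed: the cert really is expired.
        "genuinely_expired": classify_date_error(
            SAMPLE_CERT, utc(2019, 1, 1), BUILD_TIME, utc(2019, 1, 1)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

The design point is that the device clock alone cannot be trusted to arbitrate a date error: only an independent reference (a build timestamp gives a hard lower bound, a network time gives both bounds) lets the browser replace a scary, misleading “certificate expired” warning with an accurate “your clock is wrong” one, while still reporting a real expiry when no such evidence exists.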
The report also singles out government websites as the dominant source of errors caused by server misconfiguration. That is potentially worrying: users who learn to click through warnings on official sites are conditioned to ignore the same warning during a real attack, and governments, along with ISPs, are among the parties known to intercept HTTPS connections.
Government-run websites account for 65 percent of the Google researchers’ list of “worst offenders” in terms of server errors, including revoked certificates.