chromium-browser: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED for Symantec certs

Probably affects Trusty, Yakkety and Zesty too, as they also have chromium 53.

Yes it affects Trusty, in Linux MINT too.

Status changed to 'Confirmed' because the bug affects multiple users.

From one day to another it tells me half of my websites would use invalid certificates. The bug report for chrome describes it quite well as a ticking time bomb. Would be great to see 53 replaced quickly with 54 in mainline ubuntu.

Same here, is there a workaround (disable transparency checking in chrome for now)?

A dirty workaround: disable NTP and set system date a few days back.

it seems you can also open developer tools and find a direct link to one of the rejected URLs, if you then attempt to directly access that link you will be given the option to temporarily allow the URL, at which point you will be able to view pages that contain the rejected certificate.
a horrible workaround as well....

If you're in need of an immediate workaround, it's possible to disable this check for individual sites by e.g.:

$ echo '{"CertificateTransparencyEnforcementDisabledForUrls": ["weebly.com"]}' \
| sudo tee /etc/chromium-browser/policies/recommended/workaround_1641380.json

Details: https://www.chromium.org/administrators/policy-list-3#CertificateTransparencyEnforcementDisabledForUrls

confirming on mint 18 mate.

Same error for me as well.
The Symantec Class 3 Secure Server CA - G4 is not in the chrome certificate store.

As a temporary fix, I just saved the cert to disc and imported it into chrome. You can get it here:
https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2045
Advanced Settings -> Https/SSL "Manage certificates"

I just hope Symantec hasn't been compromised or something...

Version 53.0.2785.143 Built on Ubuntu , running on LinuxMint 17.3 (64-bit)

Just hit this on a Trusty machine.

The Chromium bug that was linked in the description of this bug now contains a patch to reduce impact. It's not clear to me if the bug is a complete solution or not.

I don't know if upgrading to a new Chromium or applying that patch is a faster mitigation for affected users.

Can confirm that the #11 temporary fix works for me.

Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.04 (64-bit)

The bug is because the build is older than 10 weeks: https://chromium.googlesource.com/chromium/src/net/+/master/cert/ct_policy_enforcer.cc#39

Could we perhaps just get the same build packaged again?

Also affects every let's encrypt certificate : https://letsencrypt.org/

Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.04 (64-bit)

On 14.11.2016 08:40, jof wrote:
> The bug is because the build is older than 10 weeks:
> https://chromium.googlesource.com/chromium/src/net/+/master/cert/ct_policy_enforcer.cc#39
>
> Could we perhaps just get the same build packaged again?
>
+1 for this solution. Then we have 10 weeks to get it fixed the right way.

+1

+1

Affects AWS console login as well: https://us-west-2.console.aws.amazon.com/console/home?region=us-west-2
Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.04 (64-bit)

Effects Maxcdn as well: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.04 (64-bit)

>The bug is because the build is older than 10 weeks: >https://chromium.googlesource.com/chromium/src/net/+/master/cert/ct_policy_enforcer.cc#39

>Could we perhaps just get the same build packaged again?

+1 to this also, seems a perfect solution while we wait for a new package to get built and accepted...

I'm affected by this on 16.04
chrome 53.0.2785.143
Coworker on 14.04 KDE, same version of chrome is unaffected

Also effects:
https://tumblr.com
https://www.meetup.com

Also confirmed on Trusty and Xenial.

Yes, this seems to affect sites that use CDN's even if the main domain certificate is not affected. It appears most major CDN's are using these family of certificate providers which as a result affects any site that uses a major CDN.

Other sites affected (Xenial): amazon.de
In addition my banks' online banking portal.

Thawte certificates are not accepted: https://life.ru

https://Mint.com

http://pnc.com

jeez..I can't access any financial info through my browser anymore.. Thank goodness I can thru my phone

Quick reminder that Firefox does not suffer from this bug, if you need a desktop browser to use.

I'm not sure how safe of a workaround this is, but starting chromium with --ignore-certificate-errors flag allows all the content to load properly.

This is not a bug with chrome. It is a bug with symantec's certificate issuance systems.

Thanks for the workarounds and to those working on the updated package.

This also affects GeoTrust SSL CA - G3 as used by many U.S. Government sites:

preview.cbp.gov
beta.ready.gov
wcmaas.homelandsecurity.gov
www.uscg.mil
www.safecomprogram.gov
preview.fleta.gov
www.llis.gov
www.biometrics.gov
beta.tsa.gov
preview.disasterassistance.gov
preview.fletc.gov
alpha.uscis.gov
preprod-selfcheck.uscis.gov
preview.uscis.gov
beta.uscis.gov
www.uscis.gov
my.uscis.gov
preview-everify.uscis.gov
www.infopass.uscis.gov
infopass.uscis.gov
everify.uscis.gov
www.floodsmart.gov
agents.floodsmart.gov
www.agents.floodsmart.gov
preview.ice.gov
www.citizencorps.gov
ics-cert.us-cert.gov
www.ics-cert.us-cert.gov
www.buildsecurityin.us-cert.gov
preview1.us-cert.gov
buildsecurityin.us-cert.gov
apps.fema.gov
careers.fema.gov
tdl.apps.fema.gov
beta.fema.gov
preview.fema.gov
www.nfip.fema.gov
tdl.integration.fema.gov
integration.fema.gov
preview-careers.fema.gov
wcmaas.dhs.gov
mobilecoe.dhs.gov
mock-my.uscis.dhs.gov
preview-studyinthestates.dhs.gov
cisombvos.dhs.gov
sharedservices.dhs.gov
nccic.dhs.gov
carwash.dhs.gov
www.llis.dhs.gov
www.cyber.st.dhs.gov
preview.dhs.gov

I have tried recompiling the chromium package from source on ubuntu 16.04 and this resolves the issue (for another 10 weeks)
So the fix suggested on #22 does work

@visred: it is a bug in Chromium. There are many sites with valid CT entries that are getting flagged and cannot be visited.

The patch is here: https://chromium.googlesource.com/chromium/src.git/+/ec8e431e9a0f80ace76368ce7edce006f3d409f2

Good News =) Thanks
Any idea on ETA ?
Shouldn't be too long I think.

Until the package is not fixed you can use builds from https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage

This PPA does the job, thank you!

That PPA has a very stern warning on it. Ignore it at your peril.

On Tue, Nov 15, 2016 at 5:32 AM, Marc Pignat <email address hidden>
wrote:

> This PPA does the job, thank you!
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1641380
>
> Title:
> chromium-browser: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED for Symantec
> certs
>
> Status in chromium-browser package in Ubuntu:
> Fix Committed
>
> Bug description:
> Chromium browser in xenial no longer trusts Symantec issued
> certificates. See [1].
>
> 1. https://bugs.chromium.org/p/chromium/issues/detail?id=664177
>
> Ubuntu release: 16.04
> chromium-browser: 53.0.2785.143-0ubuntu0.16.04.1.1254
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1641380/+
> subscriptions
>

Sorry, I changed the status by accident, it's still not released.

Any ETA on the release?

The chromium package in canonical-chromium-builds/stage PPA works for me. A unstable browser is better than one that cannot access most of my websites.

Is there anything we can do as users to help get this fix pushed out? Does it need to be tested?

pwaring I think fix-committed state means that a patch has been committed to ubuntu repository, then automatic test are run on it and qa, et all, if there are no regression it will be released.
If things goes bad then a new patch should be committed, and so. (I guess it works something like this)
I would prefer if maintainer had committed chromium 54, tought

This bug was fixed in the package chromium-browser - 53.0.2785.143-0ubuntu0.14.04.1.1145

---------------
chromium-browser (53.0.2785.143-0ubuntu0.14.04.1.1145) trusty-security; urgency=medium

  * debian/patches/defang-ct-timebomb: backport TLS cert invalidity based
    on build-time. (LP: #1641380)

 -- Chad MILLER <email address hidden> Mon, 14 Nov 2016 10:06:44 -0500

Yay! Fixed for me on all three of my computers. Thanks!

Seems fixed for me on Ubuntu 16.04

fix came thru for mint 18, works perfect. Thanks Chad

Thanks for the quick fix package maintainer(s)!
On Nov 16, 2016 4:26 PM, "calexil" <email address hidden> wrote:

> fix came thru for mint 18, works perfect. Thanks Chad
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1641380
>
> Title:
> chromium-browser: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED for Symantec
> certs
>
> Status in chromium-browser package in Ubuntu:
> Fix Released
>
> Bug description:
> Chromium browser in xenial no longer trusts Symantec issued
> certificates. See [1].
>
> 1. https://bugs.chromium.org/p/chromium/issues/detail?id=664177
>
> Ubuntu release: 16.04
> chromium-browser: 53.0.2785.143-0ubuntu0.16.04.1.1254
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1641380/+
> subscriptions
>

Thanks to Chad et al. for the fix and to commentators for the workarounds.

Working for sites I observed including those using GeoTrust SSL CA - G3.

Note that the updated package has not yet reached all mirrors.

Still not working for me :/
Any suggestion of which repository should I be using?

My Chromium version is still 53.0.2785.143 Built on Ubuntu , running on Ubuntu 14.04 (64-bit)

@motagirl2 check that apt-cache policy chromium-browser shows the version 53.0.2785.143-0ubuntu0.14.04.1.1145 as available, if it's not then most likely you need to activate your -update repositories.

Works now, thanks!

This doesn't seem fixed on Xenial, using 53.0.2785.143-0ubuntu0.16.04.1.1257:

chromium-browser (53.0.2785.143-0ubuntu0.16.04.1.1257) xenial-security; urgency=medium

  * debian/patches/defang-ct-timebomb: backport TLS cert invalidity based
    on build-time. (LP: #1641380)

 -- Chad MILLER <email address hidden> Mon, 14 Nov 2016 10:06:44 -0

and I'm still seeing the errors (e.g. on console.aws.amazon.com)

Raphael, console.aws.a.c works for me. Please verify your old processes
exited with "ps" or by rebooting.

Ah right, there were chromium processes still running even after closing and restarting it.

Still hitting this bug on Trusty. chromium-browser 53.0.2785.143-0ubuntu0.14.04.1.1145.
Is there any way to temporarily disable CT for _all_ sites via corporate policy?

Yes, it seems like I just had a stale Chromium process running. Everything is indeed fixed now.

I couldn't see amazon.co.jp and other sites due to this bug, and fixed it by update. Thank you!!

I am running 16.10 and all packages are up to date.
Running Chromium Version 53.0.2785.143

But I still see the same error.

In facts chromium-browser was already up to date and the error started happening today with www.amazon.com and I am quite sure the site worked ok yesterday

suggestions?

Same for me bug is back with the same behavior:

Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.10 (64-bit)

Unable to open:
https://www.microsoft.com/de-de/software-download/windows10

I have the same issue with 53.0.2785.143-0ubuntu1.1307 on 16.10 (yakkety).

The issue is fixed by the Chromium 54 build in the ~canonical-chromium-builds PPA.

Same here. Yesterday everything was fine. Today I want to go to Twitch an received this error.

From my Chromium about: "Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.10 (64-bit)"

Using the same Chromium version on Ubuntu 16.4 without any problems so far.

This was fixed for a while, but came back.

53.0.2785.143 (Developer Build) Built on Ubuntu , running on Ubuntu 16.10 (64-bit)
Ubuntu 16.04

I was forced to migrate to ubuntu 16.04 from 14.04 just to get this fixed, since 14.04 is still supported please make sure the fix also gets there.

same problem on: Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.10 (64-bit)

Seeing this again with e.g.:

Package: chromium-browser 53.0.2785.143-0ubuntu1.1307
URL: https://www.amazon.com/
Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
        CN=Symantec Class 3 Secure Server CA - G4
Issued On: Sunday, October 30, 2016 at 5:00:00 PM
Expires On: Sunday, December 31, 2017 at 3:59:59 PM
SHA-256 Fingerprint: 6A A0 AB 97 D0 F9 F1 50 58 96 31 3B E2 37 2D C3
                     94 BD 42 77 57 F6 BD B6 2D DE 80 ED 54 D4 19 0D
Error: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

The last upgrades on my system (16.10):

liboxideqt-qmlplugin:amd64 (1.18.5-0ubuntu0.16.10.1, 1.19.4-0ubuntu0.16.10.1), liboxideqtquick0:amd64 (1.18.5-0ubuntu0.16.10.1, 1.19.4-0ubuntu0.16.10.1), liboxideqtcore0:amd64 (1.18.5-0ubuntu0.16.10.1, 1.19.4-0ubuntu0.16.10.1), oxideqt-codecs-extra:amd64 (1.18.5-0ubuntu0.16.10.1, 1.19.4-0ubuntu0.16.10.1)

After this the certificate errors occurred. Coincidence?

Also every second YouTube video fails now. Could that be related with the certificate error? Sorry, just guessing.

@Oliver, it's actually https://codereview.chromium.org/2511583002. Mostly this:

"In particular, certificates issued by Symantec fail to work if it's more than 10 weeks after the build date"

There's a build in the ~canonical-chromium-builds PPA that has the fix:

Changelog

chromium-browser (53.0.2785.143-0ubuntu2.16.10.1323) yakkety-security; urgency=medium

  * debian/patches/defang-ct-timebomb: backport TLS cert invalidity based
    on build-time. (LP: #1641380)

 -- Chad MILLER <email address hidden> Mon, 14 Nov 2016 10:06:44 -0500

https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+sourcepub/7137607/+listing-archive-extra

@Haw

FWIW even if it fixes the issue, the Chromium 54 build on that PPA seems quite unstable for me, many tabs crash while loading the page.

@Alberto, the link above has packages for Chromium 53 build with said fixes.

Thank you for your quick response. I just add this to my system:

sudo add-apt-repository ppa:canonical-chromium-builds/stage

The certificate error now has disappeared.

But also with the 54.0.2840.100-0ubuntu0.16.10.1326 version I can't watch videos on Twitch with Chromium. I only see a message that a Plug-In can't be loaded. Maybe another issue. Amazon.com seems to crash. Anyway thank you for your help so far.

@hloeung if I install the deb files mentioned in your link, such as chromium-browser-l10n_53.0.2785.143-0ubuntu2.16.10.1323_all.deb, will they be replaced when newer (official) files are released or will I have to uninstall them?

Definitely impacting me on Yakkety. There are so many websites that are now not working (amazon.com, wunderground.com, lowes.com as a small set) that it's not really possible to use chromium any more. I switched to official Google Chrome which doesn't have this issue.

Installing the deb package from the link mentioned in #68 doesn't resolve the issue for me.
I tried moving to unstable chromium 54 but it just crashes on every second page and is therefore also not an option for me.

Is this again the problem of the 10 weeks old build? Is there any chance that this can be fixed just like the last time this error appeared?

Any instructions for a workaround are appreciated:

1) Installing the certificate from https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2045 as suggested in an earlier comment doesn't work: pasting the certificate into a file and importing it into Chromium produces the error "The Private Key for this Client Certificate is missing or invalid."

2) As noted above, Chromium 54 builds are extremely crashy so not really an option.

3) Manually installing individual DEBs seems liable to break things, but if that's a workable path, I'm willing to give it a try. However, instructions which DEBs to install and whether any additional steps are needed would be appreciated.

Thanks!

54.0.2840.100-0ubuntu0.16.10.1326 from 'ppa:canonical-chromium-builds/stage' (on Yakkety) hasn't crashed yet. (Running for 10 minutes now.) Beats having to switch to FF for some pages.

Okay, that didn't take long. My slack windows started to "Aw snap!" within another 10 minutes.

Both the Xenial [*1] version and the version from Haw Loeung (hloeung) [*2] work fine though. Where the second is better because the broken Xenial version is lower and would be auto-replaced with the broken Yakkety build until a fixed version is uploaded.

Answering w2vy's (tom-moulton) question: a fixed version will likely be still higher and auto-update over these manually installed files. In short: no manual uninstall will have to be performed.

[*1]
http://nl.archive.ubuntu.com/ubuntu/pool/universe/c/chromium-browser/chromium-browser_53.0.2785.143-0ubuntu0.16.04.1.1257_amd64.deb
http://nl.archive.ubuntu.com/ubuntu/pool/universe/c/chromium-browser/chromium-browser-l10n_53.0.2785.143-0ubuntu0.16.04.1.1257_all.deb
http://nl.archive.ubuntu.com/ubuntu/pool/universe/c/chromium-browser/chromium-codecs-ffmpeg-extra_53.0.2785.143-0ubuntu0.16.04.1.1257_amd64.deb

[*2] from: https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+sourcepub/7137607/+listing-archive-extra
https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+files/chromium-browser_53.0.2785.143-0ubuntu2.16.10.1323_amd64.deb
https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+files/chromium-browser-l10n_53.0.2785.143-0ubuntu2.16.10.1323_all.deb
https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+files/chromium-codecs-ffmpeg-extra_53.0.2785.143-0ubuntu2.16.10.1323_amd64.deb

Answering Eloquence's (eloquence) question:
- find the broken packages on your system:
  $ dpkg -l | grep chromium
- select and download the replacements from here:
  https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+sourcepub/7137607/+listing-archive-extra
  (pay attention to your architecture (arm vs amd64))
- install the downloaded files:
  $ sudo dpkg -i THE_DOWNLOADED_FILES...

P.S. I'm a bit puzzled that the fix for Xenial didn't get into Yakkety immediately. Now I ran into this issue on two separate occasions.

s/the broken Xenial version is lower/the fixed Xenial version is lower/

(sorry)

+1 to #76, be nice to revert to stable Chromium ASAP though

Agree with above: Build 54 worked for this bug, but Chromium is very unstable in other respects.

Confirmed that chromium-browser_53.0.2785.143-0ubuntu2.16.10.1323_amd64.deb and the two others mentioned in #77 fix a custom atlassian.net site.

This cert is an Authorities Cert. Cut/paste into file and import as Authorities:

 https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2045

That did the trick. Thank you, Dandapani! For those still experiencing the issue, try following the instructions in #11 / #82. This will fix it for sites using the Symantec CA but not for the GeoTrust ones e.g. #32. Does anyone have a link handy for importing the Geotrust CA?

Fix in #11/#82 fixed it for me as well...at least for sites like Amazon. (Running 16.10)

#82 fixed issue with , but not with "Symantec Class 3 EV SSL CA - G3".

Here is a link to intermediate certificate Symantec G3:

https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR2061

It fixed connection to my bank.

I am affected, too. Manually importing the certificate as suggested in #82 has helped in sites like Amazon.com, but does not solve the problem.

I am experiencing issues with this certificate:
===
Common Name (CN) RapidSSL SHA256 CA
Organization (O) GeoTrust Inc.
===

Although before Chromium update it had worked normally and also it is working right now in Firefox.

Also this one:
===
Common Name (CN) GeoTrust EV SSL CA - G4
Organization (O) GeoTrust Inc.
===

I think that the proposed 'fix' of just importing the Symantec certs isn't a very smart move, chrome requires transparency for a reason (you can read about it following the links in the original ticket).

Debian just updated to Chromium 55

https://packages.debian.org/stable/web/chromium

So this should come soon to Ubuntu.

The Build on #68 does prevent the error but in/shortly after the loading of the page it crashes the tab. Display: Aw, Snap! without any hint why

Tested with codingame.com (Crashes only after login) and amazon.(com|de)
Tested with incognito modus, no active plugins.

When will chromium 55 be available?

The new Zesty Chromium 55 packages are much more stable than 54 for me. Haven't noticed any issues yet! They also install cleanly on 16.10.

https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+packages

installed the freshly build amd64 yakkety .debs from the link in #91 and its working again now.

There were build failures for yakkety (and others), so there could be lingering issues with those binaries

Installed 55.0.2883.75-0ubuntu0.16.10.1327 now.

Works so far but what surprises me is the following error on Twitch now:

"No supported video backend avaiable; Flash is not installed"

I could use Twitch before without problems.

I see @cmiller reopened this bug without comment. Is the Ubuntu team researching an issue preventing a successful fix at this time?

Chromium v55 is in testing. The only blocker is that Flash seems to have stopped working. More soon.

is something related to problem on displaying message like this https://chromeunboxed.com/googles-chrome-55-hasnt-killed-flash-yet/ ?

@Daniele, no, that's not it. Google Chrome and Chromium behave differently, on same version.

This is madness. A lot of sites are cut, like amazon, and others. I tried the version 55 from staging but it doesn't work properly yet (sites like amazon and youtube and up in "aw snap!"). Anyone knows when to expect a fix?

I think I found the cause of the flash-not-running blocker. A few hours to build, a few to test further, and then maybe released in a few after that.

Please keep bug reports useful. Workarounds and hand-wringing make it hard to keep track of bugs.

Why is this still broken on yakkety? Fix committed *30 days ago*? Literally half the internet is broken. This is the longest I can remember a showstopper bug going unfixed in the 10+ years I have been using Ubuntu.

@cmiller are you talking about #82 and #85 ?

Chromium 55.0.2883.75-0ubuntu0.16.10.1327 fixes this bug but has other video related problems (on Twitch if you don't enable Flash explicitly like #94 or other Flash websites even if you enable it maybe fixed on #100 but not released yet I assume)
Why not release a Chromium 53 with CT timebomb disabled (like Debian) right now and take time to fix the Chromium 55 build ?
It's really a showstopper bug like @rlrevell-k said for Ubuntu yakkety users, I thought it would have been fixed (even intermediately) much sooner.

Flash not working is less of a show stopper than half of the internet not working because of trust issues. (Who needs flash anyway? I use it maybe once a month, but now I can't do my christmas shopping in Chromium because amazon doesn't work no matter what.) So if you can't get flash to work, I'd recommend just pushing the new chromium anyway. :-)

why is the bug is still not fixed on yakkety ? still using chromium 53.0.2785.143-0ubuntu1.1307

For those in a lurch because of this error, you can always install Chrome (the non-open-source version) and use it until this situation is cleared up. Chrome and Chromium seem to be able to exist side-by-side, and when this is resolved you can remove it or switch back to Chromium and just leave it for the next crisis. Not ideal, and definitely not for those who use Chromium to avoid proprietary software, but a workaround that lets you keep your workflow going without switching to Firefox.

Just installed yakkety-updates/universe chromium-browser 55.0.2883.87-0ubuntu0.16.10.1328

I'm no longer shut out of Amazon (Cloudfront) nor IBM intranet sites. I'll find out if it's a permanent fix ten weeks from now.

Certificate transparency can be tested by browsing to https://npr.org

For broken, this will display an intermediate full-page warning with a Back to safety action button

Other sites may have difficulty in loading resources and display huge unscaled images, garbled content or missing JavaScript functions
- this is likely to happen if proceed (Unsafe) is selected
- the site may use a large number of domain names making it practically impossible to browse the site

hsts sites cannot be browser at all.

Another complication is that Chromium 55 vide h.264 is currently broken, too
bug 1650730

As of 161230, this defect is still present for Ubuntu 16.10 Yakkety

Chad, thanks for your work on this. 55.0.2883.87 (Developer Build) Built on Ubuntu, running on Ubuntu 16.04 (64-bit) working everywhere I've visited.

Richard, NPR's site may not be a good test since https://npr.org/ uses a wildcard cert for *.npr.org with no alternate name for npr.org and while https://www.npr.org/ works fine, the site redirects to http://npr.org/

An example of a site done well by someone competent is Troy Hunt's invaluable https://haveibeenpwned.com/ which has Certificate Transparency for the site and several resources (Google) as well as CloudFlare.

Actually, it does work for latest 16.10

dpkg --status chromium-browser | egrep "(V|Pa)"
Package: chromium-browser
Version: 55.0.2883.87-0ubuntu1.16.10.1330

h.264 works, too: bug 1650730

Tested at:
https://www.meetup.com
https://www.youtube.com/html5

Hi Chad, thanks for this, is this fix going to be released in zesty soon? It seems to have been stuck in zesty-proposed for some time... also, is there a reason that the updates are going to yakkety first before zesty?