More intel on Chrome and SSL
As promised, I've looked a little more into the SSL behaviors in Chrome.
Chrome has a nice, strong interface for certificate errors. The browser presents a roadblock that you have to explicitly pass to reach the page (similar to what IE and Firefox have recently done), and at the bottom of it you see two buttons, "Proceed anyway" and "Back to safety". If you select "Proceed anyway," you can access the page, but now the "https" in the address bar is highlighted in red with a red slash through it, and that reminder stays on screen the whole time you're on the page. eWeek's Larry Seltzer has screen caps of Chrome handling a self-signed certificate, so you can see it for yourself.
I think the persistent indicator is a good innovation. The usual failure mode of click-through warnings is that the decision is made once and then forgotten, after which the session looks no different from a properly secured one. Chrome makes it unambiguous that you are choosing to live with a certificate error, keeps the reminder in front of you for as long as you stay on the site, and still lets you through in case you genuinely need the page.
I also checked out a domain mismatch (e.g., a cert issued for www.mysite.com but served from secure.mysite.com) and an untrusted root, and saw similar behavior for each. The message for the domain mismatch reads:
This is probably not the site you're looking for!
You attempted to reach secure.mysite.com but instead reached the server identifying itself as www.mysite.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.mysite.com. You should not proceed.
This is followed by the same two buttons as in the self-signed case. I'm guessing we'll see the same for an expired cert, but I don't have one handy to look at. If anyone out there has looked at Chrome on an expired cert, let me know what you saw.
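To make the error classes above concrete, here is an added example (not from the post, and not Chrome's own code) that classifies a certificate the way the interstitial does: domain mismatch, expired or not-yet-valid, self-signed, and untrusted root. It works on the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions apply to a live peer certificate. The sample certificates, the fixed "now", and the `Example Root CA` trust list are constructed for the illustration; the trust check is deliberately a name lookup rather than real chain validation, which is noted in the code.

```python
"""Classify TLS certificate problems the way a browser interstitial does.

Constructed example: the cert dicts use the shape returned by
ssl.SSLSocket.getpeercert(), so the same functions work on a live peer cert.
"""
import ssl
import time
from typing import Dict, List, Optional, Set, Tuple

# Issuer names we pretend are in the trust store (assumption for the example;
# a real validator walks the chain and checks each signature, not a name list).
TRUSTED_ISSUERS: Set[str] = {"Example Root CA"}


def _common_name(name: Tuple) -> Optional[str]:
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def hostnames_from_cert(cert: Dict) -> List[str]:
    """DNS names the cert claims. Per RFC 6125 the subjectAltName DNS entries
    win; the subject commonName is consulted only when there are none."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = _common_name(cert.get("subject", ()))
    return [cn] if cn else []


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match with one wildcard allowed only as the entire
    left-most label; a wildcard never spans a dot and never matches a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def classify(cert: Dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the list of problems a browser would warn about (empty = clean)."""
    now = time.time() if now is None else now
    problems = []
    if not any(dns_name_matches(n, hostname) for n in hostnames_from_cert(cert)):
        problems.append("domain mismatch")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    elif _common_name(cert["issuer"]) not in TRUSTED_ISSUERS:
        problems.append("untrusted root")
    return problems


def _cert(subject_cn, issuer_cn, sans, not_before, not_after):
    """Build a constructed getpeercert()-style dict (no real X.509 involved)."""
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "subjectAltName": tuple(("DNS", s) for s in sans),
        "notBefore": not_before,
        "notAfter": not_after,
    }


# Constructed sample certificates, one per error class discussed in the post.
MISMATCH = _cert("www.mysite.com", "Example Root CA", ["www.mysite.com"],
                 "Jan 10 00:00:00 2008 GMT", "Jan 10 00:00:00 2010 GMT")
SELF_SIGNED = _cert("secure.mysite.com", "secure.mysite.com", ["secure.mysite.com"],
                    "Jan 10 00:00:00 2008 GMT", "Jan 10 00:00:00 2010 GMT")
UNTRUSTED = _cert("secure.mysite.com", "Unknown Corp CA", ["secure.mysite.com"],
                  "Jan 10 00:00:00 2008 GMT", "Jan 10 00:00:00 2010 GMT")
EXPIRED = _cert("secure.mysite.com", "Example Root CA", ["secure.mysite.com"],
                "Jan 10 00:00:00 2006 GMT", "Jan 10 00:00:00 2008 GMT")
WILDCARD = _cert("*.mysite.com", "Example Root CA", ["*.mysite.com"],
                 "Jan 10 00:00:00 2008 GMT", "Jan 10 00:00:00 2010 GMT")

# A fixed "now" inside the validity window so the example is reproducible.
NOW = ssl.cert_time_to_seconds("Sep 10 12:00:00 2008 GMT")

if __name__ == "__main__":
    for label, cert in [("mismatch", MISMATCH), ("self-signed", SELF_SIGNED),
                        ("untrusted", UNTRUSTED), ("expired", EXPIRED),
                        ("wildcard", WILDCARD)]:
        print(f"{label:12s} -> {classify(cert, 'secure.mysite.com', NOW) or ['ok']}")
```

The `MISMATCH` certificate reproduces the case in the post: it is valid for www.mysite.com, so visiting secure.mysite.com trips only the hostname check, while the same cert is clean when the visited name matches. The wildcard rules in `dns_name_matches` are the part people most often get wrong in home-grown checks: `*.mysite.com` covers `secure.mysite.com` but not `a.b.mysite.com`, and `*.com` matches nothing.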
Next I'll cover how Chrome treats mixed content (i.e., SSL-encrypted and unencrypted content on a single page).