This repository has been archived by the owner on May 10, 2024. It is now read-only.

Brave incorrectly reports HTTP connection as secure (shows lock icon) #7403

Closed
taoeffect opened this issue May 7, 2023 · 4 comments · Fixed by #7420 or #8634


taoeffect commented May 7, 2023

Description:

When visiting an HTTP website, for example http://www.newlispfanclub.alh.net/forum/ http://www.newlispfanclub.alh.net/forum/viewtopic.php?p=22253#p22253 , Brave shows the connection as secure even though it's not an HTTPS connection.

Steps to Reproduce

  1. Visit http://www.newlispfanclub.alh.net/forum/ http://www.newlispfanclub.alh.net/forum/viewtopic.php?p=22253#p22253

Actual result:

[Screenshots: IMG_7464, IMG_7465]

Expected result:

For the lock icon to be replaced with some sort of not-lock icon and a clear warning shown either in the URL bar or somewhere else.

Reproduces how often:

Easily reproduced.

Brave Version:

  • Can you reproduce this issue with the most recent build from TestFlight? Don't know.
  • Can you reproduce this issue with the previous version of the current build from TestFlight? Don't know.
  • Can you reproduce this issue with the current build from AppStore? Yes.

Device details:

iOS 16.4.1 (a)

Website problems only:

  • did you check with Brave Shields down? Irrelevant
  • did you check in Safari/Firefox (WkWebView-based browsers)? Yes, Safari shows "Not Secure"

Additional Information

@diracdeltas
Member

cc @Brandon-T @iccub - i feel like i've run into this before

@Brandon-T
Collaborator

[Screenshot]

Hmm weird. The lock icon is definitely the red warning icon for me.

I'll try to reproduce it some more and see what's going on.

@taoeffect
Author

Oops, I also get the red circle when visiting http://www.newlispfanclub.alh.net/forum/

Try visiting this instead: http://www.newlispfanclub.alh.net/forum/viewtopic.php?p=22253#p22253

iccub pushed a commit that referenced this issue May 9, 2023
Server Trust does not post a notification if the trust itself hasn't changed. Problem is that the trust on NTP is the same as on an HTTP site. So visiting an HTTP site takes the same trust as on NTP, which is wrong. To fix this, we post a notification ourselves to let us know that the URL changed but the trust stayed the same.
This in turn causes the revalidation to happen.
@iccub iccub added this to the 1.51 milestone May 9, 2023
@hffvld
Collaborator

hffvld commented May 10, 2023

Verified on iPhone 14 and iPad Air using version(s):

Device/OS: iPhone 14 [iOS 16.4.1] and iPad Air [iPadOS 16.4.1]
Version: 1.51 (23.5.10.20)
BraveCore: 1.51.110 (113.0.5672.77)

STEPS:

  1. Launch Brave
  2. Go to http://www.newlispfanclub.alh.net/forum/ > Verify
  3. Go to http://www.newlispfanclub.alh.net/forum/viewtopic.php?p=22253#p22253 > Verify

ACTUAL RESULTS:

  • Verified "alert" icon is shown instead of a "lock" in the search bar for http websites

arthuredelstein pushed a commit to brave/brave-core that referenced this issue Feb 13, 2024
…URL bar (brave/brave-ios#7420)

Server Trust does not post a notification if the trust itself hasn't changed. Problem is that the trust on NTP is the same as on an HTTP site. So visiting an HTTP site takes the same trust as on NTP, which is wrong. To fix this, we post a notification ourselves to let us know that the URL changed but the trust stayed the same.
This in turn causes the revalidation to happen.
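
The failure mode the commit message describes, as an added Swift model that is not Brave's code: an indicator that is recomputed only on trust-change notifications keeps the previous page's state when the trust value does not change, and revalidating on URL change as well corrects it. The `Tab` and `URLBar` types, the `internal://` scheme and the sample URL are hypothetical; the model assumes server trust is nil on both the new-tab page (NTP) and plain-HTTP pages, and that the NTP is displayed as secure.

```swift
// Added model of the stale-indicator bug; not Brave's code.
// Assumptions: server trust is nil on both the NTP and plain-HTTP pages,
// and the NTP is displayed as secure.
enum Indicator { case lock, warning }

final class Tab {
    private(set) var url = "internal://newtab"     // hypothetical NTP URL
    private(set) var serverTrust: String? = nil    // stand-in for a TLS trust object
    var trustDidChange: (() -> Void)?
    var urlDidChange: (() -> Void)?

    func navigate(to newURL: String, serverTrust newTrust: String?) {
        let changed = newTrust != serverTrust
        url = newURL
        serverTrust = newTrust
        if changed { trustDidChange?() }   // no notification when the trust is unchanged
        urlDidChange?()
    }
}

final class URLBar {
    private(set) var indicator = Indicator.lock    // state shown for the NTP
    private let tab: Tab

    init(tab: Tab, revalidateOnURLChange: Bool) {
        self.tab = tab
        tab.trustDidChange = { [weak self] in self?.revalidate() }
        if revalidateOnURLChange {
            tab.urlDidChange = { [weak self] in self?.revalidate() }
        }
    }

    // Derive the indicator from the current page, never from the previous one.
    private func revalidate() {
        let isInternal = tab.url.hasPrefix("internal://")
        let isHTTPS = tab.url.hasPrefix("https://") && tab.serverTrust != nil
        indicator = (isInternal || isHTTPS) ? .lock : .warning
    }
}

func indicatorAfterVisit(fixed: Bool) -> Indicator {
    let tab = Tab()
    let bar = URLBar(tab: tab, revalidateOnURLChange: fixed)
    tab.navigate(to: "http://site.example/forum/", serverTrust: nil)  // constructed URL
    return bar.indicator
}

print("trust notifications only:", indicatorAfterVisit(fixed: false))
print("with URL-change revalidation:", indicatorAfterVisit(fixed: true))
```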