Domain "Not secure" in URL, but listed in Security > 'Secure origins', after (bypass then) new Let's Encrypt cert

Description of the issue: URL/Awesome bar still shows “Not Secure”, even after the Let's Encrypt cert appears in Inspector > Security panel
How can this issue be reproduced?

  1. From a domain or sub-domain under your control, run a site with a self-signed cert.
  2. Request the site in Brave.
  3. Issue a certificate via Let's Encrypt, offer it in place of your self-signed cert.
  4. Reload the page, load a new page of the domain/sub-domain.
  5. Note that Brave still shows “Not secure” in the Awesome/URL bar.
  6. Open the inspection panel (C+S+i) > click into the Security panel. Notice: the domain is under “Secure Origins”, even though the Awesome/URL bar still reports “Not secure”.

Make requests directly with curl to confirm that the Let's Encrypt cert is offered.

Expected result: Once the domain offers a valid cert, I should have a route to remove the Not Secure notice – or more specific information about the ongoing security concern.

Brave Version (check About Brave about:version): 1.69.168 Chromium: 128.0.6613.138 (Official Build) (64-bit)

Additional Information: This is probably ultimately an issue to take up with Chrome’s Security UX team, wisdom of not forking from their handling, ongoing evolution, of security-critical code paths.

1 Like
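An added example, not part of the original post: one way to confirm from the command line which certificate the server is presenting (the self-signed one or a CA-issued replacement), using the `openssl` CLI instead of the curl check mentioned in the report. The function names `served_cert` and `classify_cert` and the host `example.org` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper names; requires the openssl CLI.

# Print the leaf certificate (PEM) that a server presents.
#   $1 = host name (also sent as SNI), $2 = port (default 443)
served_cert() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# Read one PEM certificate on stdin and report who issued it.
# Heuristic: issuer DN equal to subject DN means the certificate is
# self-issued, which is what a typical self-signed test cert looks like.
# Returns 2 if stdin is not a parseable certificate.
classify_cert() {
    pem=$(cat)
    subject=$(printf '%s\n' "$pem" |
        openssl x509 -noout -subject -nameopt RFC2253) || return 2
    issuer=$(printf '%s\n' "$pem" |
        openssl x509 -noout -issuer -nameopt RFC2253) || return 2
    # SHA-256 fingerprint, for comparison with the browser's certificate viewer.
    fp=$(printf '%s\n' "$pem" |
        openssl x509 -noout -fingerprint -sha256) || return 2
    subject=${subject#subject=}
    issuer=${issuer#issuer=}
    if [ "$subject" = "$issuer" ]; then
        echo "self-issued: $subject"
    else
        echo "ca-issued: subject=$subject issuer=$issuer"
    fi
    echo "$fp"
}

# Usage (example.org is a placeholder host):
#   served_cert example.org 443 | classify_cert
```

If this reports `ca-issued` with the expected issuer while the address bar still says “Not secure”, the server side is serving the new certificate and the remaining state is in the browser.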