Description of the issue: URL/Awesome bar shows “Not Secure” still, even after Lets Encrypt cert appears in Inspector > Security panel
How can this issue be reproduced?
- From a domain or sub-domain under your control, run a site with a self-signed cert.
- Request the site in Brave
- Issue a certificate via Lets Encrypt, offer it in place of your self-signed cert
- Reload the page, load a new page of the domain/sub-domain
- Note that: Brave still shows “Not secure”, in Awesome/URL bar
- Open the inspection panel C+S+i > click into
Security
panel. Notice: domain under “Secure Origins”, even though the Awesome/URL bar still reports “Not secure”
Make requests directly with curl
to confirm that the LetsEncrypt cert is offered.
Expected result: Once the domain offers a valid cert, I should have a route to remove the Not Secure notice – or more specific information about the ongoing security concern.
Brave Version( check About Brave
about:version
): 1.69.168 Chromium: 128.0.6613.138 (Official Build) (64-bit)
Additional Information: This is probably ultimately an issue to take up with Chrome’s Security UX team, wisdom of not forking from their handling, ongoing evolution, of security-critical code paths.