Mobile Brave SSL/TLS certificate trust issue

I submitted this issue long ago, but I’m still seeing the red warning in the mobile (iOS) Brave browser for my website. Before, it didn’t give any explanation, but now it shows a “Certificate is not trusted” message when I click on it. I read somewhere that Brave is dependent on Safari, but Safari shows a valid SSL/TLS lock icon. How does this happen? I assume that Brave has its own independent trusted root certificate store that’s being managed separately?

How can this issue be reproduced?
Visit my website from an iOS mobile device.

Expected result:

Brave Version: Version 1.38 (22.5.13.17)

Mobile Device details: iPhone 12 Pro

Additional Information:

What I see from Brave mobile.
image

What I see from every other browser, including Safari.
image

@kevinmnm

Your website has a prompt request to allow animations, that may be a cause of your issue.

@fanboynz will probably know more.

What I see, using Brave Browser iOS v1.38 (22.5.13.17):

PS. Thank you @michal for getting the padlock icon to a state of providing some info.

Hello @289wk,

That prompt is something that I made for people to not miss animations (in case some features are disabled on their OS level) I implemented in the website. That prompt has nothing to do with the SSL/TLS warning that I’m getting. Thank you for trying to resolve though!

1 Like

@kevinmnm

With an iPhone (iOS 14.8.1), I used an app called ‘TLS Inspector’ and entered: kevsong.com

The ‘TLS Inspector’ response: ‘Unable to inspect’

But, I also used Brave Browser iOS to visit:

https://www.sslshopper.com/ssl-checker.html#hostname=kevsong.com

where the response was good.

I just visited your website (https://kevsong.com), using both Brave Browser for Mac Desktop >

  • New Window
  • New Private Window

and both windows easily displayed your main web page.

But of course. Duh.

I couldn’t reproduce the animation error on my iPhone 8. Though it could be related to fingerprinting?

@289wk
About the animation prompt message, you probably touched device settings. Refer HERE to see if it fixes.

I’m pretty sure my error is related to the mobile Brave trusted root store: either the cert is not in the list or it can’t be validated. This is likely out of the user’s scope to fix; it’s for the Brave technical team to update the cert list. But thank you for trying various methods, I appreciate it.

@fanboynz

This is likely a user specific condition where they try to make device faster by choosing “lower quality” setting. Refer to THIS page if you want to reproduce. But that prompt is something I personally made to let visitors know that they might not see animation I made for the website, so it’s irrelevant to the issue.

regarding the cert, https://www.ssllabs.com/ssltest/analyze.html?d=kevsong.com

If this is improved, it’ll be reflected in Brave and other browsers.

@kevinmnm

Using an iPhone 8 Plus, iOS 14.8.1, I went to the Settings > Accessibility > Motion and at first:

  • Disabled: Prefer Cross-Fade Transitions

and then tested access (via the iPhone) to your website; no change.

I returned to the Settings > Accessibility > Motion and:

  • Disabled: Reduce Motion

and then tested access (via the iPhone) to your website: et Voila! (no animation alert).

Webpage finally works on the iPhone, but little RED circle (instead of padlock) icon, remains.

I tested: Lowering site-specific Shields (Lion icon) panel settings in Brave Browser iOS, for:

  • Block Cross-Site Trackers
  • Block Phishing
  • Block Fingerprinting

. . . but none of the changes, individually nor in combinations, would cause the RED circle icon to change into a padlock icon.

Thank you for your patience and the adventure.

1 Like

@fanboynz

What does that mean? Do I need to change the server config? If so, which directive should I modify, and how? I’m currently using Apache with the ProxyPass directive to internally proxy requests to a NodeJS server. So is this error occurring due to server config? If so, why is Safari not giving the same error if Brave is created on top of Safari? And why is it only happening on iOS mobile devices? And why does the error say Certificate is not trusted?


This is the stack I’m using for my website.

@289wk Thanks for trying out various methods in attempt to resolve this.

@kevinmnm

On the chance that you have been rummaging around thru your website settings . . . have you found a fix?

Those are just the server settings, the cert (SSL) settings are separate.

Visiting the IP directly will generate similar errors in Safari and Brave. https:// 5.183.11.210/ Unsure why the errors are different on the domain itself.

@fanboynz @289wk

No I was not able to resolve this issue.

I even tried applying a redirect from IP 5.183.11.210 to DNS https://kevsong.com, but this didn’t solve it either, as the cert has to be checked prior to reaching the web server (I removed the redirect directive afterwards as it wasn’t the fix). I’m pretty sure this has something to do with the Brave certificate trusted root store. Are you guys developers? Can you guys inquire about this with someone who has access to the trusted root store?

@kevinmnm

Members of Brave Support, and what little that I know about them:

@fanboynz (AdBlock, Web Compatibility)
@michal (iOS)

Brave Browser for iOS is forked from Firefox iOS.

1 Like

So it’s a combination of two issues. The first is that the certificate’s chain can’t be parsed using: SecPolicyCreateBasicX509 (every other browser seems to not care [they ignore this policy and only use SecPolicyCreateSSL]). The second is that it loads http:// content and not only https:// content.

2 Likes

@fanboynz

Thank you for inquiring on this. I enabled force redirect from the server side (it used to be done from the client side) to enforce HTTPS but I’m still seeing the red icon. Now we’re left with cert trusted store issue you’ve mentioned. So are we confirming that this is solely on Brave browser? Or is there anything I can do about this?

@kevinmnm

https://chromium.googlesource.com/chromiumos/docs/+/HEAD/ca_certs.md

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.