No HTTPS upgrade on insecure site(s), how come?


#1

I’ve been using Brave on Android a long time, trying it out on PC.

Noticed sometimes there is an “unlocked” icon next to URL even though I have https everywhere turned on.

So, I went to my local Chinese restaurant website, and it shows a red unlocked icon, yet my shields say “zero upgrades”.

Maybe I don’t understand what https everywhere means? Is Brave giving me a secure connection even though it says “no https upgrades”?

Thanks in advance!

Brave: 0.18.36
rev: 7ab85e97318fef041433b0c3d73b457205fae805
Muon: 4.3.22
libchromiumcontent: 61.0.3163.79
V8: 6.1.534.32
Node.js: 7.9.0
Update Channel: dev
OS Platform: Microsoft Windows
OS Release: 10.0.15063
OS Architecture: x64


#2

The thing is that some sites do not work with https sadly, it has to do with their certificate for the website :sweat_smile:
There is nothing Brave can do because the site is set with a http only certificate and there is a good way to test this:
If you go to the address bar and type https://chinagardenhamden.com/ with https instead of http in the beginning you will see a certificate error :expressionless:

I guess that you would need to ask them to upgrade their website to a certificate that supports https :wink:


#3

That is very helpful. I guess I didn’t know what https upgrades were/are.

I guess I was thinking of “HTTPS everywhere”, where – if I understand correctly – it creates an encrypted channel for all data.

Whereas Brave does this (via GitHub):

To the best of my knowledge: https upgrades means sites and hyperlinks that are linked to http://, and if an equivalent https:// site is available… Brave browser automatically changes those links to https:// equivalents, to prevent tracking etc.


#4

Well, now I’m not even sure if that’s an accurate description of the HTTPS Everywhere extension. Same as what Brave does?

Thanks for your time!


#5

Hi @jlm1,

HTTPS upgrade means: it redirects HTTP traffic to HTTPS if possible.

I’m not sure where you found the info on GH. I forgot about it. But I think that information is clear. And that’s what HTTPSe does.

From HTTPSe description:
Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

Hope that can answer your question.
:slight_smile:
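
HTTPS Everywhere applies its rewrites from per-site rulesets, so only requests to listed hosts are upgraded. A simplified model of that matching, as an added example that is not part of the original posts and is not code from Brave or HTTPS Everywhere (the rulesets, hosts and function names are constructed):

```javascript
// Constructed rulesets in the spirit of HTTPS Everywhere's format: each names
// the hosts it targets, optional exclusions, and from -> to rewrite rules.
const RULESETS = [
  {
    name: "Example Shop (constructed)",
    targets: ["shop.example", "*.shop.example"],
    exclusions: [/^http:\/\/legacy\.shop\.example\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// True when host matches a target; "*.x" covers subdomains of x only.
function hostMatches(host, target) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Returns the upgraded URL, or null when no ruleset applies (no upgrade).
function upgradeUrl(url, rulesets = RULESETS) {
  const parsed = new URL(url);
  if (parsed.protocol !== "http:") return null; // already secure or not HTTP
  for (const set of rulesets) {
    if (!set.targets.some((t) => hostMatches(parsed.hostname, t))) continue;
    if ((set.exclusions || []).some((re) => re.test(url))) continue;
    for (const { from, to } of set.rules) {
      if (from.test(url)) return url.replace(from, to);
    }
  }
  return null;
}

// Counts how many of a page's requests would be upgraded (hypothetical helper).
function countUpgrades(urls, rulesets = RULESETS) {
  return urls.filter((u) => upgradeUrl(u, rulesets) !== null).length;
}
```

In this model a host that is absent from every ruleset is left on HTTP regardless of whether it has a valid certificate, and an exclusion keeps a listed host's matching URLs on HTTP as well.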


#6

When I enter my own site’s name without using http or https Brave selects http for it even though I do have an SSL cert. When I explicitly use https it works. So, with HTTPS Everywhere turned on, I’m not getting the automatic https setting from it.

As a test, I tried using imdb.com, which delivers http. When I tried forcing it to https, it turned back to http, so I assume they have no cert. When I do the same test with amazon.com, Brave momentarily puts the http in, then nearly immediately replaces it with https.

It was my understanding that if the cert is present, HTTPS Everywhere would change any reference to http into https – as it did for Amazon. It did not do so for my site, although I can expressly use https and get it. Does this mean something is wrong with my cert, with my site, or with Brave’s handling of the transition?


#7

Hi Larry,

If you could please share the domain in question, that would be helpful for us to provide some additional feedback.

The behavior you described for IMDB and Amazon is what you’d expect with the secure connection upgrades, but it’s difficult for us to determine for your specific domain if we don’t have the address to check from our end.

Luke


#8

Use larryreznick.com


#9

Thanks Larry!

Will investigate and follow up. -Luke


#10

Hi Larry,

I’ve opened the following issue in GitHub to investigate/determine root cause. You can track progress here: https://github.com/brave/browser-laptop/issues/11022

Since we have this in the GitHub queue, I’m going to close the issue here, but feel free to comment here or on the GitHub issue if you have any additional feedback or questions.

Thanks for reporting!

