When navigating to a site with an expired SSL certificate, Brave Private sessions (and Chome and Edge) warn “Your connection is not private” and also offer a link titled "Proceed to ". This is expected and good behavior. Brave’s normal (non-private) sessions are the only ones that do not offer the “Proceed to” link. I am confident this is an oversight and needs to be reintroduced. Please note: works in Private mode; broke in normal mode.
All the URLs through which I encounter this problem are part of my company’s intranet. (IT understaffed; we are working on it.) I am confident you can find or create a server that will present the issue.
The issue presented on the Version 1.25.70 Chromium: 91.0.4472.77 (Official Build) (64-bit). Same results with shields up and down.
Thanks for the prompt response. From my initial report above:
All the URLs through which I encounter this problem are part of my company’s intranet. (IT understaffed; we are working on it.) I am confident you can find or create a server that will present the issue.
Whip up web server with an expired certificate. I think self-signed certificates also invoke the warning.
Things work as intended in Private windows like the one you posted. When you open that same URL in a non-private Windows, I would expect the “Proceed to” link at the bottom will be missing. I am near certain it is meant to be included in both kinds of Windows.
Also, thanks for the link to the github bug. It is a little hard to parse the thread–especially why it was closed. Even so, I appreciate the lead.
The culture and process of every OSS project is different. I am not familiar with the Brave or Chromium projects. Apologies if my next questions reflect that ignorance.
Isn’t Brave built downstream from the Chromium project’s source? If so, wouldn’t the Brave build be able to patch Chromium source before it is built? I get maintaining changes like that is a burden when they aren’t welcome upstream.
We can patch any features and fixes, but when it comes to default security action (like this) we trust Google chrome dev’s to make the correct call. If it’s a security issue, it should be fixed upstream in the Chromium source.
