NOT SECURE error for an https: site

I use ProtonMail as it’s supposed to be a secure and encrypted service. But its web site (https://mail.protonmail.com/inbox) shows a “Not Secure” symbol next to the URL, even though the web site uses an https: connection.

I’m using Brave Version 1.10.97 Chromium: 83.0.4103.116 (Official Build) (64-bit) on OS X Catalina, version 10.15.5 (19F101).

Can you help me figure out why?

Thank you!

Just tested in our protonmail mail box, was secure here. Unless there is an extension or something inserting non https content, it should be secure.

Can you try in private mode (with no extensions enabled) and/or in a VPN session?

2 Likes

Hello!
Web compatibility are the best in this!

Aha! I ran it in a Tor window without extensions, and you were right that it worked securely just fine. So I repeated it in a normal Brave window, again without extensions, and it worked. So I added my extensions back in one at a time to see what might be causing the problem, and now that I have them all reset and running in my normal Brave window, it’s working fine! I don’t know why that would change anything, but it’s been running for an hour now without any errors.

If it recurs, I’ll be sure and let someone know.

Thanks for your help!

1 Like

Well, it’s recurring again, this time with all extensions disabled except 1Password, which I use quite a bit and would rather keep enabled. I’ve also tried it both with Brave shields UP and DOWN, with the same result. I’ve included a partial screen shot if that helps.

I’m not sure how to proceed.

Hey @MEHinCA

Can you screenshot the cert window? (here is mine from proton mail)

Via: Padlock in the address bar, Certificate.

Sure! How do I get to that window? I did a little searching but don’t find it.

Via: Padlock in the address bar (on the left), Certificate.

Is this the right one?

I think the one I sent is the right one, from the exclamation mark (Pasted-image-Wed Jul 01 2020 191427 GMT-0700 (Pacific Daylight Time).png); that is where the padlock should be. Here it is again:

Interesting, it’s showing as valid. Both screenshots seem identical. We do have 2 recent related https reports, which may be related to this.


1 Like

Let me know if there is anything else I can provide or do.

1 Like

I see the same certificate as you when I go to https://protonmail.com/ so it must be something else.

Can you take a screenshot of the developer tool console? You can get there this way:

  1. Right-click on the page.
  2. Select “Inspect” to open the devtools side panel.
  3. Click on the “Console” tab of the developer tools.

This is what it looks like for me:

Sure. Here it is:

I wonder if protonmail linking to non-https content (from their source) is causing issues.

            <div class="col-lg-2 col-md-4 col-sm-4">
                <figure class="text-center">
                    <a href="http://blogs.wsj.com/digits/2014/08/14/is-encrypted-messaging-entering-the-mainstream/" target="_blank" rel="noreferrer noopener">
                        <img data-src="/images/logo-wall-street-journal.jpg" alt="Wall Street Journal Logo">
                    </a>
                </figure>
            </div>
            <div class="col-lg-2 col-md-4 col-sm-4">
                <figure class="text-center">
                    <a href="http://www.nytimes.com/2016/03/24/technology/personaltech/encryption-by-app-adds-security-to-smartphones.html" target="_blank" rel="noreferrer noopener">
                        <img data-src="/images/logo-new-york-times.jpg" alt="The Huffington Post Logo">
                    </a>
                </figure>
            </div>

Links to insecure pages don’t trigger the mixed content blocker, so while those are not ideal, they shouldn’t cause any issues.

1 Like

Thanks. That’s a lot of output (9 errors and 149 warnings). Can you make sure that all of these are related to ProtonMail by using the clear button before reloading https://protonmail.com:
Screenshot from 2020-07-02 18-37-21

Also, you can filter out the “Verbose” level of messages and only leave warnings and errors:
Screenshot from 2020-07-02 18-36-29

I did that, and when I reloaded the page, it said secure until I opened another message, which then generated these messages (which look suspicious related to HTTPS):

I see, that’s definitely mixed content warnings there. I assume you’re looking at your own ProtonMail account and that you have some emails open?

Basically what’s happening is that some emails have come in with inline images that point to insecure HTTP servers. ProtonMail is not rewriting the image URLs and so it’s instructing your browser to fetch the original insecure images directly and triggering the “Not secure” warning in Brave. Some other email providers will instead rewrite the image URLs and proxy them securely for you in order to eliminate these HTTP requests.

You can also see the same issue on the following test page which includes an insecure HTTP image on an HTTPS page: https://mixed.badssl.com/

All of this to say that it is normal, but unfortunately appears to be a problem on the ProtonMail side (lack of proxying/upgrading of HTTP images). If you did want to get rid of the warning, without changing the underlying issue, you could set the following flag to “Disabled”: brave://flags/#passive-mixed-content-warning

1 Like
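Added example, not part of the thread and not ProtonMail's or Brave's code: a small checker that separates the two cases discussed above, insecure links (ignored by the mixed content logic) and insecure embedded images (the cause of the "Not secure" state), and shows the URL rewrite an image proxy would apply. The tag lists are a simplified subset, and the sample HTML and the proxy endpoint `imgproxy.example.test` are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import quote

# Simplified subset of the tags browsers treat as sub-resource fetches.
PASSIVE = {"img", "audio", "video", "source"}  # displayed; page is marked "Not secure"
ACTIVE = {"script", "iframe"}                  # can alter the page; usually blocked


class MixedContentFinder(HTMLParser):
    """Collect http:// sub-resources that an https:// page would load."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if not src.lower().startswith("http://"):
            return  # https, relative and data: URLs are not mixed content
        if tag in PASSIVE:
            self.findings.append(("passive", tag, src))
        elif tag in ACTIVE:
            self.findings.append(("active", tag, src))
        # <a href="http://..."> has no src and is skipped above:
        # a link is a navigation, not a fetch made by this page.


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


def proxy_url(url, proxy="https://imgproxy.example.test/fetch?u="):
    """Rewrite an insecure image URL to go through a hypothetical HTTPS proxy."""
    return proxy + quote(url, safe="")


# Constructed sample: an email body rendered inside an HTTPS webmail page.
SAMPLE = """
<a href="http://news.example.test/story">read more</a>
<img src="http://tracker.example.test/banner.png">
<img src="https://cdn.example.test/logo.png">
<img data-src="/images/logo.jpg">
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(kind, tag, url, "->", proxy_url(url))
```

Only the `http://` image is reported; the `http://` link, the HTTPS image and the relative `data-src` image are not.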

Thank you for figuring that out and letting me know. I’ll mention it to ProtonMail, but won’t worry about it otherwise.

Thanks again.

1 Like