Revoked certificates failure

bug

#1

Brave fails https://revoked.grc.com/, a site set up by Steve Gibson (security guru) to test if a browser accepts a revoked certificate. Many browsers fail this test, including Brave. Firefox handles it properly.

As a new member to this community, I don’t seem to have any rights to create a tag such as ‘security’ (assuming that is appropriate in this forum’s context).

Cheers


#2

Hi @bbos

Thanks for reporting, and welcome to the Brave Community. 🙂

  • Can you let me know if you observed on mobile or desktop?

  • When I attempt to reproduce with HTTPS Everywhere enabled, I receive the certificate failure.

  • I forced the browser to accept the invalid certificate, and saw the page load in Brave w/o the revocation error.

  • I noticed this on the page that loaded:

The SSL/TLS security certificate for this special website has been deliberately revoked. Since you are seeing this page, we know that this web browser is allowing a site with a known invalid certificate to display its pages. This is likely not the behavior you would choose.

When I was in Brave, I was receiving the revocation error display, instead of the landing page. Based on what I’m reading above from the test, it appears that showing the revocation error shows that Brave is passing the test.

Can you let me know if you’re seeing the error, or if you’re seeing the page download in Brave? Thanks!


#3

Hi Luke,

Yes, my first post here!

Sorry to miss some details:

  • MacOSX 10.12.5 (desktop)
  • Brave: 0.15.310
      • rev: 6b5e4e2d300959848e0e848817aa40385447f2eb
      • Muon: 3.0.201
      • libchromiumcontent: 58.0.3029.110
      • V8: 5.8.283.38
      • Node.js: 7.9.0
      • Update Channel: dev
      • os.platform: darwin
      • os.release: 16.6.0
      • os.arch: x64

Visiting https://revoked.grc.com/ I see:

Security Certificate
Revocation Awareness Test
If you can see this (and apparently you can), you
are using a revocation UNaware web browser!
The SSL/TLS security certificate for this special website has been deliberately revoked. Since you are seeing this page, we know that this web browser is allowing a site with a known invalid certificate to display its pages. This is likely not the behavior you would choose.

Along with further details about the problem.

On Firefox I get:

Secure Connection Failed

An error occurred during a connection to revoked.grc.com. Peer’s Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE

