Description of the issue: Connection not secure split second before directing to secure connection. (see exclamation point on url bar in browser)
Steps to Reproduce (add as many as necessary): 1. Enter any url after opening up brave
Actual Result (gifs and screenshots are welcome!): Pops up too fast to show, don’t have gif screen recording software, but the area of interest is this after
Expected result: No warning exclamation point (but idk if this is expected)
Additional Information: Is it possible that there is malware that misdirects https requests to some logging software that causes it to make that split second warning symbol on url bar or is it normal operation for not establishing ssl connection at that very moment? idk how it works or if it is normal behavior, the warning symbol pops up for a tenth of a second. I had a problem with connecting securely to https://ec.crypton.co.jp/ (rebooting fixed that issue) before I started to notice this behavior. Might be my paranoia acting up and I’m starting to notice more things that was always there.
@gentoo Brave upgrades HTTP to HTTPS by default. So you may be seeing where a particular website is HTTP but then Brave is upgrading to secure connection.
But really not sure what it is you’re seeing for sure. It might be helpful to see picture or recording of it happening to better understand what’s going on and to answer your question.
Okay, well here’s the unlisted video. don’t know how to make it into gif or any anonymous video hosting websites to link. I cut out the end because any more and it would show personally identifiable information, but you can see the last few frames it has established a secure connection.
@gentoo thanks for sharing. Tbh, I never noticed. But it does this regardless of which website you go to. I also tested on Chrome and it seems to hold the same. I’m guessing it’s just that “in-between” area where it’s checking the certificate for the site to know if it’s secure.
It doesn’t have to do with https upgrades, and it is a normal behavior.
This makes sense because the browser doesn’t know if a site is secured or not until it reads the ‘document’ and then checks the certificate to see if it is valid or not, it has to do it on every request, including if you open the site on a different tab, even if you just opened 5 seconds ago in another tab.
You can type any website, valid or invalid, http or https, it will act the same way.
For example, block the document with the adblocker (or uBlock in other browsers), blocking the document will block the site before it does a DNS request, so you still haven’t even connected to the domain to know if it is a valid URL or not, or if it is secured or not or has a valid certificate or anything.
Add any website like ||example.com^$document and you will see if you visit that website, how it displays the ! icon, then once you proceed, it will display the normal icon, then, click on any expired or wrong certificate or whatever that will case the not secured in the omnibox, well, you will see the same thing first ! and then Not Secured once it checks the information.
If you go back, you can see how it will not recheck if a certificate is valid or not since it already did it in that tab.
the ! icon is just a tiny warning to the connection is not secured, but because it hasn’t checked if it is secured or not. If you go to an unexciting URL like https://letstalkaboutbraveicon.com/, since it is not valid or has a certificate to make it valid, it will display the icon, because it can’t say it is not secured or secured since it hasn’t checked anything to prove either way.
So the change of icon makes sense since the browser will never know if the site has or not a valid certificate or not, until it loads the site and checks it and makes sure everything is okay.
