Brave-browser: Brave accepts TLS 1.0 and TLS 1.1 without any warning!

Created on 8 Jul 2020 · 9Comments · Source: brave/brave-browser

Test Plan

Specified here: https://github.com/brave/brave-core/pull/6574

Description

Brave shows that TLS 1.0/1.1 is secure. You have to click on the lock icon to get a warning. But the lock should indicate that BEFORE clicking on it

Steps to Reproduce

go to chair for E-Business of Univerity of Magdeburg or tls-v1-0.badssl.com 1 or tls-v1-1.badssl.com 2
the site is using TLS 1.0 or TLS 1.1 and the lock next to the address bar is closed
klick on the lock and then there will be a warning text

Actual result:

The lock symbol shows a secure connection

Expected result:

The lock symbol should show an "not secure connection"

Reproduces how often:

Every site that uses TLS 1.0 or TLS 1.1

Brave version (brave://version info)

1.10.97 Chromium: 83.0.4103.116 (Official Build) (64-bit)

Version/Channel Information:

Can you reproduce this issue with the current release?
- yes
Can you reproduce this issue with the beta channel?
- do not have the beta channel
Can you reproduce this issue with the dev channel?
- do not have the dev channel
Can you reproduce this issue with the nightly channel?
- do not have the nightly channel

Other Additional Information:

Does the issue resolve itself when disabling Brave Shields?
- no
Does the issue resolve itself when disabling Brave Rewards?
- no
Is the issue reproducible on the latest version of Chrome?
- no, chrome shows an "open lock" just like on an insecure http site

Miscellaneous Information:

OAndroid ODesktop QA Pass - Android ARM QA Pass - Android Tab QA Pass - Android x86 QA Pass-Linux QA Pass-Win64 QA Pass-macOS QTest-Plan-Specified QYes prioritP2 release-noteinclude sec-high security

Source

Cangarw

👍3

Most helpful comment

Mystery solved - that config is initialized after a component is registered and installed via component updater
https://source.chromium.org/chromium/chromium/src/+/master:chrome/browser/component_updater/tls_deprecation_config_component_installer.cc;l=68;drc=1b7d93032127153194b576235f5697eadd84554f

By default, we don't register / install this component

If I visit brave://components and click Check for update, it will download

After quitting/relaunching, it works as expected:

bsclifton on 2 Sep 2020

👍3

All 9 comments

cc: @fmarier when you get a moment can you take a look?

rebron on 31 Aug 2020

That's definitely a bug since this was deprecated a while back in Chromium. We should be seeing interstitials like in Chrome:
Screenshot from 2020-08-31 15-20-31

but for some reason that doesn't work in Brave, even with the following flags enabled:
Screenshot from 2020-08-31 15-18-29

I tested this in Nightly:

Brave | 1.15.20 Chromium: 85.0.4183.83 (Official Build) nightly (64-bit)
Revision | 94abc2237ae0c9a4cb5f035431c8adfb94324633-refs/branch-heads/4183@{#1658}
OS | Linux

fmarier on 1 Sep 2020

Digging in on this one...

problem 1: we aren't defaulting the above values (in screenshot) to true 🤔 We'll want to do that
problem 2: there's a config used when calling ShouldSuppressLegacyTLSWarning which is NOT initialized. This causes the check to fail and default to true:

See

https://source.chromium.org/chromium/chromium/src/+/master:services/network/ssl_config_service_mojo.cc;l=123-126;drc=4fdd27a642894a835da323789c52400c59e7b242
and
https://source.chromium.org/chromium/chromium/src/+/master:chrome/browser/ssl/tls_deprecation_config.cc;l=64-68;drc=c777e0413404f32399668eb671942409bb59091b

bsclifton on 2 Sep 2020

On Beta it doesn't even show the warning if you click on the icon. (It does for me on master)

diracdeltas on 2 Sep 2020

By default, we don't register / install this component

If I visit brave://components and click Check for update, it will download

After quitting/relaunching, it works as expected:

bsclifton on 2 Sep 2020

👍3

If we want this functionality, we should be able to:

Default the config values for features::kLegacyTLSEnforced and security_state::features::kLegacyTLSWarnings
Register this new component

bsclifton on 2 Sep 2020

we definitely want to show TLS 1.0/1.1 as insecure like chrome does

diracdeltas on 2 Sep 2020

👍1

Verification passed on

Brave | 1.14.81 Chromium: 85.0.4183.102 (Official Build) (64-bit)
-- | --
Revision | ffe848af6a5df4fa127e2929331116b7f9f1cb30-refs/branch-heads/4183@{#1770}
OS | Windows 10 OS Version 1903 (Build 18362.1016)

Verified the test plan from https://github.com/brave/brave-core/pull/6574
Reproduced the issue in 1.14.80
Upgraded profile from 1.14.80 to 1.14.81 and ensured that the warning message is displayed
Ensured that the warning message is displayed in a clean profile

Verification PASSED on macOS 10.15.6 x64 using the following build:

Brave | 1.14.81 Chromium: 85.0.4183.102 (Official Build) (64-bit)
-- | --
Revision | ffe848af6a5df4fa127e2929331116b7f9f1cb30-refs/branch-heads/4183@{#1770}
OS | macOS Version 10.15.6 (Build 19G73)

Reproduced the original issue using 1.13.86 CR: 85.0.4183.102 as per the following

Verified that the cases from https://github.com/brave/brave-core/pull/6574 & https://github.com/brave/brave-browser/issues/10607#issue-653145842 are working under 1.14.81 Chromium: 85.0.4183.102 as per the following:

Verification passed on

Brave | 1.14.81 Chromium: 85.0.4183.102 (Official Build) (64-bit)
-- | --
Revision | ffe848af6a5df4fa127e2929331116b7f9f1cb30-refs/branch-heads/4183@{#1770}
OS | Ubuntu 18.04 LTS