brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

"Your connection is not private" should allow a workaround #14216

Closed 097115 closed 3 years ago

097115 commented 3 years ago

Description

When encountering a privacy error, a user should be allowed to proceed anyway. Maybe this option to allow proceeding should be first enabled in settings or flags but it still must exist.

Brave: https://i.imgur.com/pdYLL8x.png

Firefox: https://i.imgur.com/GFYbrmg.png

Version info:

Brave | 1.20.103 Chromium: 88.0.4324.152 (Official Build) (x86_64)
Revision | 6579930fc53b4dc589c042bec9d0a3778326974d-refs/branch-heads/4324@{#2106}
OS | OS X Version 10.11.6 (Build 15G22010)

ryanbr commented 3 years ago

The warning in Brave is the same warning message as in Chrome. Not sure if we need to change it. (Testing the example https://flibusta.is/)

@097115

097115 commented 3 years ago

@ryanbr Thanks for your reply!

Unfortunately, don't have Chrome installed. But are you telling that with Chrome you really can't proceed to such sites, too? I mean, it's sort of embarrassing for a user being unable to make their educated choice.

ryanbr commented 3 years ago

How could the error message be improved, maybe a sample screenshot?

097115 commented 3 years ago

@ryanbr Didn't I provide one? :)

On the Firefox pic you can notice that despite having an error, you can still proceed to the website. Yes, there will be possible risks but they are on you and you are taking your educated decision.

Until recently, Brave (and Chrome) had the same opportunity. Now, Brave just informs the user about the error, and there's nothing one can do, users simply are forced to obey.

ryanbr commented 3 years ago

> When encountering a privacy error, a user should be allowed to proceed anyway. Maybe this option to allow proceeding should be first enabled in settings or flags but it still must exist.

You can proceed, there is a link provided. Clicking on the Advanced button, then clicking on Proceed to....(url). The only real difference between Brave and Firefox here is that Firefox will use a button and we use a text link.

097115 commented 3 years ago

@ryanbr

But I don't have this Proceed to flibusta.is (unsafe) link! I swear :) (And yes, it's exactly what I'm looking for.)

Here's another pic, and note that the scrollbar is at the very bottom, there's nothing more there:

Version 1.20.103 Chromium: 88.0.4324.152 (Official Build) (x86_64) (and it says it's up to date).

097115 commented 3 years ago

@ryanbr

As of version 1.20.108 Chromium: 88.0.4324.182 (Official Build) (x86_64), it still has no Proceed to....(url) link.

@rebron

No, it doesn't repro for me on Chrome, since Chrome seems to have this link:

So, it would be great if you guys indeed could update/check your Brave, and confirm this issue.

alinposho commented 3 years ago

+1 to getting this fixed: I too do not have the option to Proceed to ... (unsafe) link in the Advanced section.

Version Info


Brave Version 1.20.108 Chromium: 88.0.4324.182 (Official Build) (64-bit) OS: Linux Mint 20 Cinnamon 4.6.7, Linux Kernel: 5.4.0-66-generic

097115 commented 3 years ago

@ryanbr

I've just noticed that the same URL (same search request) returns different errors in Normal and Private (without Tor) windows. And Private indeed has the proceed to link, while Normal still doesn't (Version 1.20.110 Chromium: 88.0.4324.192 (Official Build) (x86_64))

Normal: Private:

So, maybe that's the culprit then?

rebron commented 3 years ago

https://flibusta.is/ Seems to have their cert error resolved.

Need to verify if this is still an issue with this error interstitial with another example.

rebron commented 3 years ago

Closing. Please re-open if still not seeing the links to proceed.

Links do appear in Normal window. Tested on latest release channel.

Brave 1.24.85 Chromium: 90.0.4430.212 (Official Build) (arm64)
Revision e3cd97fc771b893b7fd1879196d1215b622c2bed-refs/branch-heads/4430@{#1429}
OS macOS Version 11.3 (Build 20E232)

knightian commented 3 years ago

Please reopen,

When we access something hosting with self signed certificates, so for example an OpenWRT router or any consumer modem/routers web GUI accessed over HTTPS, Brave does not allow for me to proceed past the warning.

I have to switch to use literally any other browser except Brave to login and configure settings on the router etc.

It would appear that ERR_CERT_INVALID error is trying to be overly zealous about not letting the user continue on to an "unsafe" site. For public IP or FQDN this would make sense, but I think you should have a sanity check for private IPs and allow such proceeding on a private IP range. What happens currently is really stupid because it locks anyone out from trying to configure their modem or any such thing as that. DUMB!

Screenshot attached:


Here you can see it working fine in Firefox:


And here is the certificate for your reference:

Subject: OpenWrt

Issuer: OpenWrt

Expires on: 22 May 2023

Current date: 22 May 2021

PEM encoded chain:
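
The private-range check proposed in the comment above, sketched as an added example (not part of the original thread, and not Brave or Chromium code). The function name, the range list and the sample URLs are assumptions made for illustration; it shows that such an exception can only be decided for IP literals, and that IPv4-mapped IPv6 addresses have to be unwrapped before the range test.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the thread only says "private IP range"; this list is one
# plausible reading (RFC 1918, loopback, link-local and IPv6 equivalents).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def classify_interstitial_host(url: str) -> str:
    """Return 'private-literal', 'public-literal' or 'hostname'."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name says nothing about where it resolves, and the answer
        # is attacker-influenced on a hostile network, so no exception
        # can be granted from the name alone.
        return "hostname"
    # Unwrap ::ffff:a.b.c.d so the embedded IPv4 address is what gets judged.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if any(addr.version == net.version and addr in net for net in LOCAL_NETS):
        return "private-literal"
    return "public-literal"

# Constructed sample URLs (not taken from the thread's screenshots).
SAMPLES = [
    "https://192.168.1.1/cgi-bin/luci",
    "https://[fd00::1]:8443/",
    "https://[::ffff:8.8.8.8]/",
    "https://openwrt.lan/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:40} {classify_interstitial_host(sample)}")
```
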
ryanbr commented 3 years ago

Does it occur in Chrome also?

knightian commented 3 years ago

> Does it occur in Chrome also?

Don't use chrome, won't use chrome.

It occurs in Brave, and needs to be fixed in Brave.

ryanbr commented 3 years ago

If it's a Chrome issue, it should be reported there also. Not saying you permanently need to use Chrome; it gives us guidance on how to resolve this.

Probably related: https://bugs.chromium.org/p/chromium/issues/detail?id=1095820

ashtonian commented 3 years ago

Please reopen - this happens with self-signed certificates. This is crucial for technical workflows; for example, I cannot set up my newly installed ESXi server through Brave.

The error message should also be clearer - in the case of self signed certificates, the connection is indeed encrypted aka private - but it cannot be validated or trusted.

Additionally, site settings -> "display insecure content" has no impact.


ashtonian commented 3 years ago

clicking in the window and typing thisisunsafe should work, it adds the site to the exception list

knightian commented 3 years ago

> clicking in the window and typing thisisunsafe should work adds the site to the exception list

And indeed it does. Thanks!

Pablo-Camara commented 3 years ago

The above key worked, but I had no knowledge of it until after I found the solution myself (I had inspected the page and searched for "ignore", and then on the second occurrence I saw a relevant script there). I copied what was inside the if:

  sendCommand(SecurityInterstitialCommandId.CMD_PROCEED);

pasted it into the console, and it allowed my local website!

But then I came across these last comments (thank you very much) and that also works.

HyperCrowd commented 3 years ago

> clicking in the window and typing thisisunsafe should work, it adds the site to the exception list

Is there any way to make this ridiculously arcane and otherwise impossible-to-discover feature more readily available for web developers somehow?

DeserranoJorden commented 2 years ago

This still does not have a workaround....

vvzvlad commented 2 years ago

I maintain. I run a lot of docker applications on my server and some of them run on https internally without a domain. It can't get a signed certificate and doesn't need to. But because of the brave browser, I just can't accept that security is now my concern and just work like I can do in chrome, safari and so on. Terrible!!! Fix this!

Nascentes commented 2 years ago

Latest release and this is STILL present. I've never seen a "Proceed..." link in the past 3 years of using Brave on my Mac.

Also someone above mentioned that "thisisunsafe" adds a site to a whitelist. That's not accurate. There are 6 or 7 sites I access on a daily basis for work that are "insecure" on the company intranet and every single day for every single one, I am typing "thisisunsafe" to actually get into the site.

How this has been here for at least 3 years is beyond me. Such a QOL fail. Can this be looked at again, please?

https://i.imgur.com/TskNzrP.png (this site I access multiple times a day, every day. All from a normal window. Or from incognito. Shouldn't matter though.)

NiclasPe commented 2 years ago

I feel the pain. I'm a System-Administrator and want to use my new MacBook Pro with Brave, because it's my preferred Browser. But with this Bug, it is not really usable for that.

I'm looking forward to hearing from the Brave Team to fix it.

ryanbr commented 2 years ago

A "fix" like this isn't a Brave issue, should be addressed in chromium. For security we wouldn't override this.

ref: https://bugs.chromium.org/p/chromium/issues/detail?id=1095820

NiclasPe commented 2 years ago

> A "fix" like this isn't a Brave issue, should be addressed in chromium. For security we wouldn't override this.
>
> ref: https://bugs.chromium.org/p/chromium/issues/detail?id=1095820

OK, thanks for the quick answer. I will report it there too.

knightian commented 2 years ago

> I feel the pain. I'm a System-Administrator and want to use my new MacBook Pro with Brave, because it's my preferred Browser. But with this Bug, it is not really usable for that.
>
> I'm looking forward to hearing from the Brave Team to fix it.

The “thisisunsafe” command allows us to override and is an acceptable workaround in my opinion. I think that the “thisisunsafe” command does need to be made known to the user better than it is today however.

NiclasPe commented 2 years ago

> > I feel the pain. I'm a System-Administrator and want to use my new MacBook Pro with Brave, because it's my preferred Browser. But with this Bug, it is not really usable for that. I'm looking forward to hearing from the Brave Team to fix it.
>
> The “thisisunsafe” command allows us to override and is an acceptable workaround in my opinion. I think that the “thisisunsafe” command does need to be made known to the user better than it is today however.

Do I have to write this on my keyboard or in the browser console?

knightian commented 2 years ago

> > > I feel the pain. I'm a System-Administrator and want to use my new MacBook Pro with Brave, because it's my preferred Browser. But with this Bug, it is not really usable for that. I'm looking forward to hearing from the Brave Team to fix it.
>
> > The “thisisunsafe” command allows us to override and is an acceptable workaround in my opinion. I think that the “thisisunsafe” command does need to be made known to the user better than it is today however.
>
> Do I have to write this on my keyboard or in the browser console?

Click the page and just type "thisisunsafe"; you won't see it typing the characters anywhere, but it auto-detects it and proceeds to the site.

I'm also on a Mac, this command is a saviour ;)

vvzvlad commented 2 years ago

> For security we wouldn't override this.

Adding a "go anyway" button, as it was in the original version before the chromium team fixed it, does not affect security in any way: the user is still shown a message about an invalid certificate, they just stop being forced to write weird spells in the browser console. All you need to do is add a "go anyway, I understand the risks" button.

NiclasPe commented 2 years ago

Since I tried this tip, the button appears on my Mac. Thanks for the help!

> The above key worked, but I had no knowledge of it until after I found the solution myself (I had inspected the page and searched for "ignore", and then on the second occurrence I saw a relevant script there). I copied what was inside the if:
>
>   sendCommand(SecurityInterstitialCommandId.CMD_PROCEED);
>
> pasted it into the console, and it allowed my local website!
>
> But then I came across these last comments (thank you very much) and that also works.

Dedger commented 1 year ago

Hello, I have found an alternative approach to downloading the file. Actually, I just copy the download link and send it to my Telegram "Saved Messages". After this action, I see the following situation: