Brave accepts TLS 1.0 and TLS 1.1 without any warning!

[Cangarw]

Test Plan

Specified here: brave/brave-core#6574

Description

Brave shows that TLS 1.0/1.1 is secure. You have to click on the lock icon to get a warning. But the lock should indicate that BEFORE clicking on it

Steps to Reproduce

1. go to chair for E-Business of Univerity of Magdeburg or tls-v1-0.badssl.com 1 or tls-v1-1.badssl.com 2
2. the site is using TLS 1.0 or TLS 1.1 and the lock next to the address bar is closed
3. klick on the lock and then there will be a warning text

Actual result:

The lock symbol shows a secure connection

Expected result:

The lock symbol should show an "not secure connection"

Reproduces how often:

Every site that uses TLS 1.0 or TLS 1.1

Brave version (brave://version info)

1.10.97 Chromium: 83.0.4103.116 (Official Build) (64-bit)

Version/Channel Information:

• Can you reproduce this issue with the current release?
  • yes
• Can you reproduce this issue with the beta channel?
  • do not have the beta channel
• Can you reproduce this issue with the dev channel?
  • do not have the dev channel
• Can you reproduce this issue with the nightly channel?
  • do not have the nightly channel

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields?
  • no
• Does the issue resolve itself when disabling Brave Rewards?
  • no
• Is the issue reproducible on the latest version of Chrome?
  • no, chrome shows an "open lock" just like on an insecure http site

Miscellaneous Information:

[rebron]

cc: @fmarier when you get a moment can you take a look?

[fmarier]

That's definitely a bug since this was deprecated a while back in Chromium. We should be seeing interstitials like in Chrome:

but for some reason that doesn't work in Brave, even with the following flags enabled:

I tested this in Nightly:

Brave | 1.15.20 Chromium: 85.0.4183.83 (Official Build) nightly (64-bit)
Revision | 94abc2237ae0c9a4cb5f035431c8adfb94324633-refs/branch-heads/4183@{#1658}
OS | Linux

[bsclifton]

Digging in on this one...

• problem 1: we aren't defaulting the above values (in screenshot) to true 🤔 We'll want to do that
• problem 2: there's a config used when calling ShouldSuppressLegacyTLSWarning which is NOT initialized. This causes the check to fail and default to true:

See

• https://source.chromium.org/chromium/chromium/src/+/master:services/network/ssl_config_service_mojo.cc;l=123-126;drc=4fdd27a642894a835da323789c52400c59e7b242
  and
• https://source.chromium.org/chromium/chromium/src/+/master:chrome/browser/ssl/tls_deprecation_config.cc;l=64-68;drc=c777e0413404f32399668eb671942409bb59091b

[diracdeltas]

On Beta it doesn't even show the warning if you click on the icon. (It does for me on master)

[bsclifton]

Mystery solved - that config is initialized after a component is registered and installed via component updater
https://source.chromium.org/chromium/chromium/src/+/master:chrome/browser/component_updater/tls_deprecation_config_component_installer.cc;l=68;drc=1b7d93032127153194b576235f5697eadd84554f

By default, we don't register / install this component

If I visit brave://components and click Check for update, it will download

After quitting/relaunching, it works as expected:

[bsclifton]

If we want this functionality, we should be able to:

1. Default the config values for features::kLegacyTLSEnforced and security_state::features::kLegacyTLSWarnings
2. Register this new component

[diracdeltas]

we definitely want to show TLS 1.0/1.1 as insecure like chrome does

[GeetaSarvadnya]

Verification passed on

Brave | 1.14.81 Chromium: 85.0.4183.102 (Official Build) (64-bit)
-- | --
Revision | ffe848af6a5df4fa127e2929331116b7f9f1cb30-refs/branch-heads/4183@{#1770}
OS | Windows 10 OS Version 1903 (Build 18362.1016)

• Verified the test plan from Fix #10607: Show warnings for TLS 1.0 and TLS 1.1 brave-core#6574
• Reproduced the issue in 1.14.80
  
• Upgraded profile from 1.14.80 to 1.14.81 and ensured that the warning message is displayed
  
• Ensured that the warning message is displayed in a clean profile

Verification PASSED on macOS 10.15.6 x64 using the following build:

Brave | 1.14.81 Chromium: 85.0.4183.102 (Official Build) (64-bit)
-- | --
Revision | ffe848af6a5df4fa127e2929331116b7f9f1cb30-refs/branch-heads/4183@{#1770}
OS | macOS Version 10.15.6 (Build 19G73)

Reproduced the original issue using 1.13.86 CR: 85.0.4183.102 as per the following

Original Issue

Verified that the cases from brave/brave-core#6574 & #10607 (comment) are working under 1.14.81 Chromium: 85.0.4183.102 as per the following:

Error Message	Allowed Error

Verification passed on

Brave	1.14.81 Chromium: 85.0.4183.102 (Official Build) (64-bit)
Revision	ffe848af6a5df4fa127e2929331116b7f9f1cb30-refs/branch-heads/4183@{#1770}
OS	Ubuntu 18.04 LTS

• Verified the test plan from Fix #10607: Show warnings for TLS 1.0 and TLS 1.1 brave-core#6574

Also tested after upgrade from 1.13.x

[srirambv]

Verification passed on OnePlus 6T with Android 10 running 1.14.82 x64 RC build

• Verified test plan from Fix #10607: Show warnings for TLS 1.0 and TLS 1.1 brave-core#6574

Error Page	Error page Advanced	Site info showing error

---

Verification passed on Samsung Tab A with Android 10 running 1.14.82 x64 RC build

• Verified test plan from Fix #10607: Show warnings for TLS 1.0 and TLS 1.1 brave-core#6574

Error Page	Error page Advanced	Site info showing error

---

Verification passed on Nexus 6P Emulator with Android 7 running 1.14.82 x86 RC build

• Verified test plan from Fix #10607: Show warnings for TLS 1.0 and TLS 1.1 brave-core#6574

Error Page	Error page Advanced	Site info showing error