Visit a link that doesn't work. For example, https://local.teams.office.com/sourcemaps/hashed-assets/midgard-bootstrapper-b1a409e3a3b9c992.js.map
Note that an HTTPS padlock icon appears on the URL bar. This site doesn't exist, and local.teams.office.com resolves to 0.0.0.0. Clearly there's no connection being opened to the server, but Orion is showing an HTTPS status (in the screenshot below, a certificate from archive.org!).
Wrong SSL status on pages that don't resolve/open
This one is very odd and very case-specific.
Steps to reproduce:
I use Laravel Valet for local development: https://laravel.com/docs/8.x/valet
Laravel Valet configures your Mac to always run Nginx in the background when your machine starts. Then, using DnsMasq, Valet proxies all requests on the *.test domain to point to sites installed on your local machine.
Valet can also secure local *.test domains using a self-signed certificate.
When Valet is running in the background, Orion will randomly and often stop loading pages with the message "This connection is not private". Clicking on the view certificate will show the "Laravel Valet CA Self Signed CN".
Turning off Valet fixed the issue immediately, and Orion will work again as expected.
Expected behaviour:
Laravel Valet should not interfere with Orion.
Orion and macOS:
Orion: Version 0.99.108.1-beta (WebKit 613.1.10)
macOS: 12.0.1 (21A559)
HW: MBP M1 Max
Image/Video:
@Vlad I think this could perhaps be linked to a similar/same root cause as https://orionfeedback.org/d/424-wrong-ssl-status-on-pages-that-dont-resolveopen, or the other SSL issue I reported to you directly a little while back, which meant the wrong site's SSL certificate was being shown in the SSL detail view?
I'm getting the exact same issue visiting my local pi.hole.
Steps to reproduce:
- Go to a website that only supports HTTP
- For instance: http://httpforever.com
- Click on the lock icon in the address bar
- The popup window will show a valid SSL certificate for *.gstatic.com

Funnily enough, the certificate is not always the same. If I go to my local Home Assistant instance, it shows a certificate from *.googlevideo.com. Again, the website is served over HTTP, so it can't have an SSL certificate.
Expected behavior:
- The popup window should not appear, as the website is not using HTTPS
Orion, OS version; hardware type:
- Orion Version 0.99.119-beta (WebKit 615.1.1)
- HW: MacBook Pro (macOS Monterey 12.5.1 build 21G83)
Image/Video:
I've flagged this as a potential duplicate of https://orionfeedback.org/d/424-wrong-ssl-status-on-pages-that-dont-resolveopen as I believe it is the same underlying cause.