
Summary

We are running a web site (https only) and have a single bug report from a user that says the site gets warned as "Not secure". The user gets this warning only when accessing it from the Safari browser on an iPhone (iOS 14.6). Other users - also on iPhone/Safari - do not see the same message (just the padlock which indicates it's secure). What may cause this warning to be shown on Safari iOS even with https using a valid certificate?

Details

Together with the user, we have tried to pinpoint the problem, with little success. We have tested the following:

  • Connect through different Wi-Fi connections or via mobile data. This does not matter, the warning is always there

  • Connect to other HTTPS sites - this works fine, no warnings shown

  • Connect to a sister site on another subdomain (using the same wild-card SSL certificate) - also works fine without a warning. The two sites use the exact same certificate, e.g. a.domain.com and b.domain.com, but only one of them triggers the "Not secure" warning.

  • We downloaded the Chrome browser to this iPhone, and Chrome does not show a warning (the padlock indicating https is shown)

  • We tried a Mac laptop on the same Wi-Fi network, and the Safari web browser on the laptop does not show the "Not secure" warning.

  • We have verified that the server never serves anything over HTTP - everything on port 80 gets permanently redirected to https on port 443

  • We verified that the login page does not have content or links served on other servers or through http.

  • So far we have heard of only one iOS device with this problem. Other iPhones running the same software version do not report the "Not secure" warning.

  • We have downloaded the TLS Inspector iOS app to the device and checked the certificate in use for the site. It's flagged as "Trusted" with the correct fingerprint, dates etc.

  • We have verified that the certificate (DigiCert) should be considered valid - although it's a 2-year wild-card certificate, it's from June 2020, which is before September 1st 2020 when Apple determined not to accept 2-year certs anymore.

  • We have verified that there are no 3rd party trusted certificates installed on the iPhone

  • We have executed an SSL Labs test for the site, with no serious errors or warnings (ranked as B)

Questions

  • What are we missing here - could it be a certificate/server issue or should we focus on that particular iPhone?

  • What exactly may trigger Safari's "Not Secure" warning? We know the connection is HTTPS and the same certificate is OK when accessed via another subdomain. What else may cause the warning to be shown?

  • Could this be a man-in-the-middle attack in progress?

  • You need more information about the error. Most sane browsers will say exactly what they didn't like about a certificate. – multithr3at3d Jul 01 '21 at 00:44
  • Check the site with [SSLLabs](https://www.ssllabs.com/ssltest/). Things like "chain issues" (missing intermediate certificates) might cause the behavior you describe, since browsers more or less successfully work around such broken setups, and how they work around them might also depend on what sites they visited before. Also make sure that you are really accessing the right site as the final destination. There might be a cached 301 permanent redirect from previous experiments so that this specific browser instance goes somewhere else than the other browsers when entering the URL. – Steffen Ullrich Jul 01 '21 at 04:29
  • Update: Thanks both for your suggestions. We created a new subdomain today, pointing to the same server/IP-address, and the user did NOT see the "Not secure" message when opening the system via that URL. Now it's flagged as safe, while the old URL is still classed as "Not secure". This means it's either the domain name itself that triggers Safari to say it's not secure for some reason, or that the iPhone is really being redirected to some other site/system that tunnels/intercepts the data (which would be a disaster of course). Any ideas of how to rule that out would be appreciated. – Stan Portland Jul 01 '21 at 16:36
