net::ERR_INSECURE_RESPONSE in Chrome

Question

I am getting an error net::ERR_INSECURE_RESPONSE in the Chrome console when fetching some data from my API

This error usually occurs as a result of an unsigned certificate; however, it is not an issue with this because I have a valid and signed certificate.

The error doesn't happen often at all and it goes away if I restart my Chrome browser. It also doesn't occur in any other browser at all (tested on Safari, Mozilla, Opera)

Any idea why this is happening? Is this just a browser bug?

Answer 1

This happens when you update from Chrome 55 to Chrome 56 (56.0.2924.87).
This is an increase in security enforcement.
It doesn't go away by restarting the browser, and it's not a bug.

Mountain View says it's hoping you don't ever encounter the message, because Certificate Authorities are required to stop issuing SHA-1 certificates in 2016. Just in case, Google plans to continue issuing warnings until Chrome completely stops supporting SHA-1 on January 1st, 2017. When that day comes, a website that still uses the function will trigger a fatal network error. (Source: Engadget.com)

If this happens, the most-likely cause is that your (or the website's) SSL-certificate uses SHA1.
SHA1 is broken, and SSL certificates using SHA1 are not secure anymore (it's now been a long time that Chrome showed this to you - now it blocks NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM).

Another likely cause is that your SSL-certificate expired
Also, you should disable backwards-compatiblity with SSL2 & SSL3 (Poodle Attack).
You should only be using TLS (SSL 3.1+).

To test your domain's SSL-certificate, you can use SSL labs SSL test.

To find out what exactly the issue is: Open the chrome developer console (CTRL + SHIFT + J OR F12) And change to the security tab

For more information:
https://support.google.com/chrome/answer/95617?visit_id=1-636221396724527190-3454695657&p=ui_security_indicator&rd=1

FYI:

SHA-1 has been growing weaker and more insecure everyday for a decade now, which is dangerous considering we tend to trust websites with "https://" in their URLs. Other browsers like Mozilla Firefox and Microsoft Edge also plan to stop supporting it in an effort to encourage website owners to switch to more secure SHA-2 certificates as soon as possible.

If you urgently need to get around it (you need to close all running instances of Chrome first - otherwise it won't work):

chrome --args --ignore-certificate-errors 

Please note: don't go online-banking or gmail'ing with those command-line settings active in your Chrome instance.

Answer 2

I had a similar issue recently. I was trying to access an https REST endpoint which had a self signed certificate. I was getting net::ERR_INSECURE_RESPONSE in the Google Chrome console. Did a bit of searching on the web to find this solution that worked for me:

1. Open a new tab in the same window that you are trying to make the API call.
2. Navigate to the https URL that you are trying to access programmatically.
3. You should see a screen similar this:
4. Click on Advanced > proceed to <url> and you should see the response (if there is one)
5. Now try making the API call through your script.