You are reading a single comment by @itsbruce and its replies.
  • Anybody finding NordVPN is making some random and wrong choices about which sites to red flag as insecure? I saw this from their support team in a forum:

    Sometimes, servers present chains of certificates, each certifying the authenticity of the next one in the chain. In a situation where a user's computer trusts the root certificate but doesn’t trust the intermediate certificate in the chain, the full chain needs to be verified against the certificate store.

    Our Threat Protection feature had a bug in the certificate verification algorithm where we didn’t support this scenario. We were only checking the certificate on the website itself, not going through the entire chain. Since the intermediate certificate, which we checked, was not trusted by Windows, it was flagged as a potentially bad one by Threat Protection. Meanwhile, the root certificate was verified and trusted by Windows but unchecked by Threat Protection.
    Now, we will properly assemble the full chain from certificates presented by the server and verify the entire chain against the operating system certificate store.

    This fix is set to roll out with the next version of the NordVPN Windows application - 7.16.
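
The difference between the two checks described in the quoted support reply, as an added Go example (not part of the original comment and not NordVPN's code). The certificates are constructed, the helpers `issue`, `scenario` and `verify` are hypothetical names, and a Go `CertPool` stands in for the Windows certificate store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed test certificate signed by parent (self-signed when parent is nil).
func issue(n int64, cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// scenario: the store trusts only the root; the server sends the leaf plus the intermediate.
func scenario() (store *x509.CertPool, leaf *x509.Certificate, sent *x509.CertPool) {
	root, rk := issue(1, "Constructed Root CA", true, nil, nil)
	mid, mk := issue(2, "Constructed Intermediate CA", true, root, rk)
	leaf, _ = issue(3, "site.example", false, mid, mk)
	store, sent = x509.NewCertPool(), x509.NewCertPool()
	store.AddCert(root)
	sent.AddCert(mid)
	return store, leaf, sent
}

// verify validates leaf against store; a nil sent pool models a check that ignores the rest of the chain.
func verify(store *x509.CertPool, leaf *x509.Certificate, sent *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, Intermediates: sent})
	return err
}

func main() {
	store, leaf, sent := scenario()
	fmt.Println("site certificate only:", verify(store, leaf, nil))
	fmt.Println("assembled full chain: ", verify(store, leaf, sent))
}
```

The first call fails with Go's "certificate signed by unknown authority" error and the second returns nil; a chain that ends at a root outside the store still fails even when the intermediate is supplied.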
