[tbb-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 11 17:26:46 UTC 2017
#21321: .onion HTTP is shown as non-secure in Tor Browser
-------------------------------------------------+-------------------------
Reporter: cypherpunks | Owner: tbb-
| team
Type: task | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Blocker | Resolution:
Keywords: ff52-esr, tbb-usability, ux-team, | Actual Points:
TorBrowserTeam201707 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by cypherpunks):
Replying to [comment:39 linda]:
> The UX team triaged the ticket today with Geko and catalyst a part of
the conversaion.
bla-bla-bla, bla-bla-bla...
> We decided that keeping the padlock icon as is but removing the warning
is the best course of action for now.
warning padlock icon without a warning message...
> The core issue here is that the lock icon indicates if it is http/https.
Wrong, see MCB...
> But what users really want to know is if the website is secure or not.
Is knife secure or not? Life? HTTPS? Who will tell them?
> While turning the lock icon to look secure would be telling them what
they want to know ("yes, it is secure"), it is lying to them (since the
indicator technically means that it is or is not https).
Correct.
> We have been discussing what we should do going forward--there were a
lot of ideas, including: showing both an .onion icon and http/s icon and
having a message for each combination of states, overriding the https and
just showing the onion icon when on a .onion website (not messing with the
https icon to lie, but to omit it), or focusing on just getting the user
to use .onion AND https.
The latter.
> The issue is complicated though: .onion sites are secure
Lie. See about the knife.
> , but is it more/less/as secure as https? the answer is unclear. .onion
sites can be easily be phishing sites due to their address, and has
different security guarantees than https. What happens with loading http
images on a .onion http site? etc.
It is more about the connection, than HTTPS. About onion routing only.
> Any feedback welcome.
Feedback is given when something is done. There are only cries of some
sort of users that can't understand the difference between "site" and
"connection" for now.
Mozilla says:
> Clicking on the “i” icon, will show the text, “Connection is Not Secure”
and “Logins entered on this page could be compromised”.
To make it clear and TRUE, add "HTTP" - “Connection is Not Secure HTTP”
and upstream.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list