[tbb-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 11 17:26:46 UTC 2017

#21321: .onion HTTP is shown as non-secure in Tor Browser
 Reporter:  cypherpunks                          |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Blocker                              |     Resolution:
 Keywords:  ff52-esr, tbb-usability, ux-team,    |  Actual Points:
  TorBrowserTeam201707                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by cypherpunks):

 Replying to [comment:39 linda]:
 > The UX team triaged the ticket today with Geko and catalyst a part of
 the conversaion.
 bla-bla-bla, bla-bla-bla...
 > We decided that keeping the padlock icon as is but removing the warning
 is the best course of action for now.
 warning padlock icon without a warning message...
 > The core issue here is that the lock icon indicates if it is http/https.
 Wrong, see MCB...
 > But what users really want to know is if the website is secure or not.
 Is knife secure or not? Life? HTTPS? Who will tell them?
 > While turning the lock icon to look secure would be telling them what
 they want to know ("yes, it is secure"), it is lying to them (since the
 indicator technically means that it is or is not https).
 > We have been discussing what we should do going forward--there were a
 lot of ideas, including: showing both an .onion icon and http/s icon and
 having a message for each combination of states, overriding the https and
 just showing the onion icon when on a .onion website (not messing with the
 https icon to lie, but to omit it), or focusing on just getting the user
 to use .onion AND https.
 The latter.
 > The issue is complicated though: .onion sites are secure
 Lie. See about the knife.
 > , but is it more/less/as secure as https? the answer is unclear. .onion
 sites can be easily be phishing sites due to their address, and has
 different security guarantees than https. What happens with loading http
 images on a .onion http site? etc.
 It is more about the connection, than HTTPS. About onion routing only.
 > Any feedback welcome.
 Feedback is given when something is done. There are only cries of some
 sort of users that can't understand the difference between "site" and
 "connection" for now.

 Mozilla says:
 > Clicking on the “i” icon, will show the text, “Connection is Not Secure”
 and “Logins entered on this page could be compromised”.
 To make it clear and TRUE, add "HTTP" - “Connection is Not Secure HTTP”
 and upstream.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list