[tbb-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 20 08:37:10 UTC 2017

#21321: .onion HTTP is shown as non-secure in Tor Browser
 Reporter:  cypherpunks                          |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Blocker                              |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-issues, tbb-       |  Actual Points:
  usability, ux-team, TorBrowserTeam201707,      |
  GeorgKoppen201707                              |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by gk):

 Okay, just as an update on where we are with this issue. I have a
 workaround for the password part which I will post for review in a child
 ticket. While working on this I thought about good ways of upstreaming
 this patch and generally of a way to get .onion URLs not treated as non-
 secure anymore.

 The tricky thing is that there is a spec behind defining what secure
 contexts are (see: https://w3c.github.io/webappsec-secure-contexts/) and,
 looking at the algorithm defining "secure context", getting .onion domains
 treated as such is not going to fly without a spec change. I'd assume a
 lot of the stakeholders would show quite some resistance to that (probably
 with some good reasons).

 But we might be able to bypass that hassle by using other means provided
 in that spec, in particular treating .onions as potentially trustworthy
 origins (https://w3c.github.io/webappsec-secure-contexts/#is-origin-
 A potentially trustworthy origin is one which a user agent can generally
 trust as delivering data securely.

 This algorithms considers certain hosts, scheme, and origins as
 potentially trustworthy, even though they might not be authenticated and
 encrypted in the traditional sense.
 Mozilla folks indicated they would be amenable to this idea, which is very
 exciting. The upstream bug for that is
 https://bugzilla.mozilla.org/show_bug.cgi?id=1382359. Not sure if I get to
 rewriting my patches according to that idea before the next Tor Browser
 release. But the plan is to have this upstream bug fixed for esr59 at

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:45>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list