[tbb-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 9 08:10:15 UTC 2017

#21321: .onion HTTP is shown as non-secure in Tor Browser
 Reporter:  cypherpunks                       |          Owner:  tbb-team
     Type:  task                              |         Status:  new
 Priority:  High                              |      Milestone:
Component:  Applications/Tor Browser          |        Version:
 Severity:  Major                             |     Resolution:
 Keywords:  ff52-esr, tbb-usability, ux-team  |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:

Comment (by yawning):

 Replying to [comment:13 gk]:
 > I am not sure yet about how to deal with the various security indicators
 in the browser UI (like padlock icon) but it seems to me we could make
 sure that the scary password field warning does not show up anymore when
 being on an HTTP .onion site. Even if we might disagree about how secure
 exactly that mode is I feel it is sufficiently secure that the warning
 against plain-HTTP password fields is not warranted. Does that sound like
 a reasonable start?

 As massively flawed and totally horrible as the CA system is, having a CA
 signed TLS cert serves to bind the address to an external identity.
 `.onion` address do not have this property.  What assurance is there that
 the address a user is entering their credentials to is the correct one?

 And yes, DV certs exist.  Normal FQDNs are not a UI disaster like the
 current (and prop-224) `.onion`s are.

 I'm open to being convinced otherwise, but I currently will be strongly
 against blurring the lines between "http over onions" and "https".

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list