[tbb-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 9 21:25:31 UTC 2017

#21321: .onion HTTP is shown as non-secure in Tor Browser
 Reporter:  cypherpunks                       |          Owner:  tbb-team
     Type:  task                              |         Status:  new
 Priority:  High                              |      Milestone:
Component:  Applications/Tor Browser          |        Version:
 Severity:  Major                             |     Resolution:
 Keywords:  ff52-esr, tbb-usability, ux-team  |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:

Comment (by mrphs):

 Ditto the last 2 comments by 'cypherpunks'. And also ditto on what geko
 said about removing the password warning as a first step. (how I wish
 we had 'like' or '+1' buttons on trac)

 I've explained how I think about this issue to some extent on #22545. As
 someone who directly works with people at immediate risk and as someone
 with a UX background, I believe this warning has actually become a security
 issue as it misleads people to take a far less secure route.

 I happen to believe while debating the security features of 'HTTPS' vs
 'HTTP .onion' vs 'HTTPS .onion' is healthy and necessary to have, it's
 outside of the urgent needs of this ticket.

 To help you understand where I come from... People in various movements
 and situations are adopting using Tor Browser and .onion as their most
 reliable and secure way of communicating, and this is the result of a
 greater community pushing for this for a long period of time. Building
 a trust relationship with often-exploited communities is extremely
 difficult. Now after they've learned to trust Tor Browser to do the right
 thing, and they see this warning, that affects both their trust with Tor
 in general (for being inconsistent) and then the person who taught them
 how to use Tor. I don't want to vent too much here so I think these are
 the actionable items we have for this problem:

 1- Remove the password warning. (this is immediate)
 2- Remove the padlock warning. (also immediate, preferably at the same
 time with 1)
 3- Improve our messaging with users about .onion URLs in Tor Browser to
 make sure we're consistent (more long-term but prevents us from situations
 like this)

 then at the same time we can also have two conversations:

 - What's the way we want to recommend people to use .onion
 - And how do we convince Mozilla and others to adopt based on our decision
 on that

 I guess the reason I'm leaving this comment is that we don't get into a
 rabbit hole that gets us away from fixing this immediate need.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:19>