[tbb-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jun 25 21:20:51 UTC 2017

#21321: .onion HTTP is shown as non-secure in Tor Browser
 Reporter:  cypherpunks                          |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Blocker                              |     Resolution:
 Keywords:  ff52-esr, tbb-usability, ux-team,    |  Actual Points:
  TorBrowserTeam201706                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by mrphs):

 Replying to [comment:27 yawning]:
 > Mozilla and Firefox defines "secure enough not to show a warning" as
 > "HTTPS with a CA signed cert".
 > The prerequisite to changing the behavior is to present a strong case
 > for "they are wrong, and the definition of 'secure enough not to show a
 > warning' should be 'HTTP over .onion, *or* HTTPS with a CA signed cert'",
 > where "strong case" is along the lines of "the security properties are at
 > least identical, if not better".
 > "People get confused" is not a good reason to redefine what secure
 > means, as a matter of general principle, and disabling the warnings is
 > redefining what secure means.
 > (If people think the warning should go away all together, then they're
 > even more wrong.)

 Do you have a good reason to believe they've even considered `.onion` when
 they were designing this warning message? Because I don't and I do happen
 to follow major browser UX discussions when it comes to security. Do you
 have a link that I missed about them having this conversation and
 knowingly deciding that onions aren't secure?

 This warning is misleading and half-baked. It's been designed so people
 get notified when they're submitting information and particularly
 passwords in plain text. Obviously not the case with `.onion`.

 If we wanna talk about how Mozilla defines security (and I'm a bit
 cautious of going down that rabbit hole), we should consider that they've
 decided to block .onions at DNS level by default with
 `network.dns.blockDotOnion` so people don't accidentally paste .onion URLs
 in Firefox thinking it's Tor Browser. That decision has a very clear
 message, and that is to Mozilla that .onion users aren't supposed to use
 Firefox for their business and they should stick to Tor Browser. That by
 itself explains they clearly didn't have to even think about how this
 might look for .onion users in TB, because that's our job to do and not
 theirs. So no, we're not "redefining" what secure means. We're fixing a
 problem of not seeing an update coming and thinking what it means for our
 users. The problem of having reactionary UX instead of a pro-active one.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>