[tbb-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 29 12:33:10 UTC 2017
#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
--------------------------------------+--------------------------
Reporter: isabela | Owner: tbb-team
Type: project | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by asn):
Replying to [comment:8 tom]:
> There's also the notion of showing different icons for self-signed
.onion (grey onion?) vs DV-ca-signed .onion (green onion?)
Hm. Reason this idea is good:
- Will be easier for users to distinguish between real facebook onion (DV-
ca-signed green onion) and phishing facebook onion (self-signed grey
onion).
Reason this idea is bad:
- It basically gives no way for onion site operators to get the green
onion without paying the CA mafia.
How does Let's Encrypt blend into the above idea? Would it give a green-
onion or not? If yes, then phishers can just use a Let's Encrypt cert to
get the green onion anyway.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list