[tbb-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 29 17:10:58 UTC 2017


#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
--------------------------------------+--------------------------
 Reporter:  isabela                   |          Owner:  tbb-team
     Type:  project                   |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  ux-team                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by tom):

 Right now you can't get a DV onion cert. There's a recent thread on
 drafting a ballot to allow them in the CAB Forum, with early support, but
 there's no guarantee it will pass. No DV onion certs means no Let's
 Encrypt. And once DV is allowed, LE would need to develop the software
 needed to validate .onions automatically, which would take some time as
 well.

 ---

 My thoughts:

 Graphics wise I think all of them look good.

 I don't think we should put the word 'Onion' either though. In fact, doing
 so overloads the location where EV data is displayed, so if I got a
 company called 'Onion' I could make it look like I had an onion address!

 I'm not sure what the (i) button is intended to show graphics wise. "There
 is information for you to review here"? I presume it opens the current
 doorhanger thing that lets you get certificate information and review
 permissions.


 I don't know if there was a path forward agreed upon that was not
 documented here, but policy-wise this is a bit different from what I at
 least envisioned.

 1) An HTTP Onion is Orange. Orange indicates a warning state. I don't
 believe we should communicate that HTTP Onion is 'warning'. It's almost
 always better than HTTP in fact, which we give 'grey' treatment. So I
 think HTTP+Onion should either be Grey or Green.

 2) EV HTTPS + Onion has an info bubble but does not display the company
 name like EV does for HTTPS. I think we should be consistent here and
 display the company name here.

 3) I don't understand why HTTPS onion lacks a (i) but self-signed HTTPS
 onion has it. Both of them should let you review the information. So the
 (i) definetly is implying some sort of state about the website, but it's
 confusing what I'm supposed to be able to draw from this.

 4) It seems like we need to make a decision: is a self-signed SSL cert on
 a .onion:
 a) completely meaningless
 b) an indicator something is wrong
 c) an indicator of trust.

 These would correspond to:
 a) the same icon as a http onion
 b) an orange or red icon
 c) a green icon

 I don't think a self-signed cert is an indicator of trust, so it wouldn't
 automatically mean it gets a green icon. I also don't think it's an
 indicator something is wrong, so automatically giving it orange or red are
 out too.  So it should match an HTTP Onion icon *but* allow you to view
 the certificate in the doorhanger.

 My 2 cents.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list