[tbb-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 30 08:28:05 UTC 2017

#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
 Reporter:  isabela                   |          Owner:  tbb-team
     Type:  project                   |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  ux-team                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by gk):

 Replying to [comment:13 tom]:
 > My thoughts:
 > Graphics wise I think all of them look good.
 > I don't think we should put the word 'Onion' either though. In fact,
 doing so overloads the location where EV data is displayed, so if I got a
 company called 'Onion' I could make it look like I had an onion address!
 > I'm not sure what the (i) button is intended to show graphics wise.
 "There is information for you to review here"? I presume it opens the
 current doorhanger thing that lets you get certificate information and
 review permissions.
 > I don't know if there was a path forward agreed upon that was not
 documented here, but policy-wise this is a bit different from what I at
 least envisioned.
 > 1) An HTTP Onion is Orange. Orange indicates a warning state. I don't
 believe we should communicate that HTTP Onion is 'warning'. It's almost
 always better than HTTP in fact, which we give 'grey' treatment. So I
 think HTTP+Onion should either be Grey or Green.
 > 2) EV HTTPS + Onion has an info bubble but does not display the company
 name like EV does for HTTPS. I think we should be consistent here and
 display the company name here.
 > 3) I don't understand why HTTPS onion lacks a (i) but self-signed HTTPS
 onion has it. Both of them should let you review the information. So the
 (i) definitely is implying some sort of state about the website, but it's
 confusing what I'm supposed to be able to draw from this.
 > 4) It seems like we need to make a decision: is a self-signed SSL cert
 on a .onion:
 > a) completely meaningless
 > b) an indicator something is wrong
 > c) an indicator of trust.
 > These would correspond to:
 > a) the same icon as a http onion
 > b) an orange or red icon
 > c) a green icon
 > I don't think a self-signed cert is an indicator of trust, so it
 wouldn't automatically mean it gets a green icon. I also don't think it's
 an indicator something is wrong, so automatically giving it orange or red
 are out too.  So it should match an HTTP Onion icon *but* allow you to
 view the certificate in the doorhanger.
 > My 2 cents.

 +1 to all of those. I have no clear opinion yet (either) on whether we
 should show an HTTP .onion as grey or green.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online