[tbb-bugs] #27636 [Applications/Tor Browser]: .onion indicator for non-self-signed but non-trusted sites

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 11 12:17:12 UTC 2018


#27636: .onion indicator for non-self-signed but non-trusted sites
------------------------------------------+----------------------
     Reporter:  o--                       |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 With #23247 (really great addition btw!) implemented, I tried to visit
 https://www.ysp4gfuhnmj6b4mb.onion/

 This page uses a custom CA, which is not trusted by Tor Browser (or any
 other browser by default) and is reachable through .onion with a correct
 CN in the certificate.

 Now currently with TB 8.0 I get a "Your connection is not secure"
 (SEC_ERROR_UNKNOWN_ISSUER), but at the same time a green onion+padlock
 indicator. This is quite confusing.

 Reading through #23247 I am not sure what the intended behavior would be.
 But self-signed certificates are trusted when accessed through .onion.
 From that point of view it does not make much sense to handle certificates
 signed by untrusted CAs differently.

 My expectation would be to not see the untrusted issuer warning and get
 the green onion *without* padlock indicator.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27636>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

