[tbb-bugs] #30024 [Applications/Tor Browser]: Objective 2, Activity 3: Notify users if a current website they are visiting on Tor Browser has an onion service version

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 20 15:55:16 UTC 2019 

#30024: Objective 2, Activity 3: Notify users if a current website they are
visiting on Tor Browser has an onion service version
--------------------------------------+--------------------------------
 Reporter:  pili                      |          Owner:  tbb-team
     Type:  project                   |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:  #30281                    |         Points:
 Reviewer:                            |        Sponsor:  Sponsor27-must
--------------------------------------+--------------------------------

Comment (by antonela):

 Hi. Making .onions discoverable is a must for Tor Browser.

 We have three different ways (for now) for routing Onion addresses. Each
 of them affects differently on two major UI components: The URL bar and
 the circuit display at the Identity doorhanger. I've started mapping each
 UX and describing how those UI components get affected:

 1. alt-svc
 2. alt-onion
 3. https-e

 **1. alt-svc**

 1. User type the known URL with a regular domain.
 2. On server-side, the user gets redirected.
 3. The Onion icon gets added at the URL bar. The URL could remain. The
 circuit display shows the Onion address [#27590]

 [[Image(https://trac.torproject.org/projects/tor/raw-
 attachment/ticket/30024/prompt-onion-1.gif,700)]]

 **2. alt-onion**

 When users are visiting a site which also has an Onion service available,
 the ideal user flow allows users to opt-in to visiting an onion. It is
 what alt-onion can offer to us, as follow:

 1. User type the known URL with a regular domain.
 2. If the Onion exists, the URL bar suggest an .onion.
 3. User click the suggestion
     1. Tor Browser should save this opt-in and only prompt first-time
 users
 4. The Onion Icon gets added at the URL bar. The URL could remain. The
 circuit display shows the Onion address.

 [[Image(https://trac.torproject.org/projects/tor/raw-
 attachment/ticket/30024/prompt-onion-2.gif,700)]]


 **3. https-e**

 With this option, we are introducing the opportunity to have a readable
 and memorable onion domain name. That option will make sense when we
 expose the .onion domain at the URL bar.

 1. User type the known URL with a regular domain.
 2. If the rule exists, the URL bar suggest a .onion
     1. If the rule doesn't exist, we could encourage users to add it. That
 will be discussed at [#30029].
 3. User click the suggestion
     1. Tor Browser should save this opt-in to only prompt first-time users
 4. The Onion Icon gets added at the URL bar. The URL changes to show the
 .onion domain. The circuit display shows the Onion address.

 **The case of the long Onion addresses**

 We will continue to have long Onion addresses for a while. What if we
 improve the way we are showing them at the circuit display? We reported
 some UI bugs, like #26322. I propose to try a truncated version of the URL
 that is also easy to verify and copy.

 `p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion →
 p53lf5....fu5uqd.onion`

 Could we apply any heuristic that help us to define how many characters
 are smart to have at the start and and the end? Can we allow users to copy
 the full address from the circuit display?


 **Some general thoughts and questions:**

 - We should prioritize the exposure of Onion domains at the URL bar if
 they are readable and memorable for various reasons. On the product side,
 we should reinforce the communication about the benefits of using Onion
 services.

 - Onion addresses should get exposed at the circuit display *always*.

 - How valuable is for us showing Onion addresses at the URL in the alt-svc
 scenario?

 - What should we do with vanity domains? Do they become useless if any pet
 solution is available?

 - If as a user I'm logged in foo.com and I opt-in/getredirected to the
 .onion, will I lose my login? Should we notice users about this?

 - Can Tor Browser prompt users for opt-in to Onions just the first time
 they visit the site?

 - In a good world, we need a section at the Global Preferences
 `about:preferences#security` where users can 1. allow/deny Onions
 prioritization 2. See a list of mapped/saved onions.


 [[Image(https://trac.torproject.org/projects/tor/raw-
 attachment/ticket/30024/30024%20-%20TB9%20-%20onions.png,700)]]

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30024#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list