[tor-bugs] #21067 [- Select a component]: Self-signed, expired, invalid and mixed-content SSL certificates at middle security

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 23 01:30:47 UTC 2016


#21067: Self-signed, expired, invalid and mixed-content SSL certificates at middle
security
--------------------------------------+-----------------
     Reporter:  i139                  |      Owner:
         Type:  defect                |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+-----------------
 When I access a site with a self-signed, expired and invalid certificate,
 I can add it to exceptions (or not; go back). When I add it, this
 potentially harmful domain can use JavaScript (because it uses HTTPS;
 assuming we are using the middle slider).

 There should be a mechanism to forbid those exceptions and mixed content
 from using JavaScript, because they can be harmful for the user,
 especially assuming the users don't know about the risks.

 The options (in my view):

 1. Force untrusted HTTPS to use HTTP by default.

 2. Add a script or whatever to disarm JavaScript on those sites (when
 using mid security).

 3. A very informative and scary warning on it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21067>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

