[tor-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services (was: creating padlock states for .onion services on tool bar)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Aug 17 20:57:37 UTC 2017
#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
--------------------------------------+--------------------------
Reporter: isabela | Owner: tbb-team
Type: project | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Description changed by linda:
Old description:
> Firefox (and other browsers) have created a set of states a site can have
> in relationship with ssl certificates, and how to communicate that to the
> user.
>
> Tor Browser has a particular state related to the padlock at the toolbar
> when it comes to .onion services.
>
> This is something that was discussed under this ticket:
>
> https://trac.torproject.org/projects/tor/ticket/21321
>
> Based on that discussion, we decided that the best solution would be
> treat .onion sites different when we are communicating these states for
> .onion sites at Tor Browser.
>
> The work on this ticket is to map all the current states Firefox has for
> ssl certificates on the padlock, and from there start to build a new way
> to communicate these states when they are related to a .onion sites.
>
> We start mapping them here:
>
> https://docs.google.com/document/d/1KHkj2DpmFMB0mjHEfehD5ztY2L0lQzKNtZqct1TXbmg/edit
>
> Is still pending the most difficult part of the work, which is to define
> what to do for .onion sites on those states.
New description:
= Background =
Firefox (and other browsers) have created a set of states a site can have
in relationship with ssl certificates, and how to communicate that to the
user.
Currently, Tor Browser doesn't communicate ideally to users that visit
onion sites--i.e. http + onion looks really scary with lots of warnings!
This is something that was discussed under #21321. We then realized that
we should look at all the different state + .onion combinations, and
carefully communicate what these mean to the user.
= Objective =
The work on this ticket is to map all the current states Firefox has for
ssl certificates on the padlock, and from there start to build a new way
to communicate these states when they are related to a .onion sites. We
started mapping them here:
https://docs.google.com/document/d/1KHkj2DpmFMB0mjHEfehD5ztY2L0lQzKNtZqct1TXbmg/edit
Is still pending the most difficult part of the work, which is to define
what to do for .onion sites on those states.
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list