[tor-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 17 21:24:39 UTC 2017


#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
--------------------------------------+--------------------------
 Reporter:  isabela                   |          Owner:  tbb-team
     Type:  project                   |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  ux-team                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by tom):

 I think there are more states not in that doc (specifically related to
 Mixed Content) - or at least there are nuances of the single mixed content
 line:

 1. HTTPS Site with HTTP Onion Subresources
 1. HTTPS Site with HTTPS Onion Subresources
 1. HTTPS Site with HTTPS Self-Signed Onion Subresources
 1. HTTP Onion with HTTP Subresources
 1. HTTPS Onion with HTTP Subresources
 1. HTTPS Self Signed Onion with HTTP Subresources
 1. HTTP Onion with HTTPS Subresources
 1. HTTPS Onion with HTTPS Subresources
 1. HTTPS Self Signed Onion with HTTPS Subresources

 1-3 can be described as "A clearnet website embeds onion stuff"
 4-6 as "An onion website embeds clearnet stuff over HTTP"
 7-9 as "An onion website embeds clearnet stuff over HTTPS"

 (I think that's comprehensive...)


 There are five padlock styles:
 - Green with EV Banner
 - Green
 - Strikethrough
 - Red
 - Missing Entirely.


 My opinion about behavior:

 1. Onion over HTTP: Green
 2. Onion with Self-Signed HTTPS: Green
 3. Onion with CA-Issused EV Cert: Green with EV Banner [0]
 4. Mixed Content Scenarios:
   1. HTTPS Site with HTTP Onion Subresources: Green (no mixed content
 warning) - but we remove the EV Banner if present [1]
   1. HTTPS Site with HTTPS Onion Subresources: Green or Green w/ EV Banner
 (no mixed content warning)
   1. HTTPS Site with HTTPS Self-Signed Onion Subresources: Green (no mixed
 content warning) - but we remove the EV Banner if present [1]
   1. HTTP Onion with HTTP Subresources: Red
   1. HTTPS Onion with HTTP Subresources: Red
   1. HTTPS Self Signed Onion with HTTP Subresources: Red
   1. HTTP Onion with HTTPS Subresources: Strikethrough
   1. HTTPS Onion with HTTPS Subresources: Strikethrough
   1. HTTPS Self Signed Onion with HTTPS Subresources: Strikethrough


 [0] Security concern: Make sure EV banner only displays for CA-signed EV
 certs and not self-signed EV certs!
 [1] Removing the EV banner might be difficult, but in the ideal situation
 I think we should.

 I reserve the right to change my mind, but this is what I am thinking
 right now.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list