[tor-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 6 19:51:54 UTC 2017
#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
--------------------------------------+--------------------------
Reporter: isabela | Owner: tbb-team
Type: project | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by tom):
From the meeting today:
Icon Styles we can choose from. (You may need FF 58 to view these the way
tjr sees them.)
Green Padlock with EV Banner
Green Onion with EV Banner
Green Padlock: https://sha512.badssl.com/
Green Onion
The four above states indicate complete trust in the website. The EV
Banner is used to convey identity information, to positive indicate you
are talking to this specific *company* that operates this website.
Green Padlock with warning - https://self-signed.badssl.com/ (used for
excepted self-signed certs this one is WEIRD)
This state is weird. We shouldn't need it. It indicates that while the
connection is secure, the browser thought it might not be secure but you
went and told the browser no really this is secure.
Grey Padlock with warning - https://mixed.badssl.com/
Grey Onion with warning
These icons indicate that the website is mostly secure, but that there was
a problem with the configuration. It could be better, but it's not
INSECURE.
Grey Padlock with Red Strikethrough - http://http-password.badssl.com/
Grey onion with Red Strikethrough
These icons indicate something is DEFINETLY INSECURE
Grey Onion
Grey Padlock
These icons don't exist. We could make them, but we would need to define
what they mean.
Missing Entirely http://http.badssl.com/
This is a legacy state. It's for HTTP. It's insecure because it's not
actually secure, but we don't want to say it's insecure because we'd put
it on so much of the web we'd scare users.
---------------
I believe this table represents current thinking.
{{{
Onion over HTTP: ???????
Onion with Self-Signed HTTPS: ???????
Onion with CA-Issused DV Cert: Green Onion
Onion with CA-Issused EV Cert: Green Onion with EV Banner
Mixed Content Scenarios:
A HTTPS Site embeds onion:
HTTPS Site with HTTP Onion Subresources: Keeps
Original Padlock (whether that was Green or w/ Warning or whatever)
HTTPS Site with HTTPS Onion Subresources: Keeps
Original Padlock
HTTPS Site with HTTPS Self-Signed Onion Subresources: Keeps
Original Padlock
An Onion embeds HTTP:
HTTP Onion with HTTP Subresources: Grey onion with
Red Strikethrough
HTTPS Onion with HTTP Subresources: Grey onion with
Red Strikethrough
HTTPS Self Signed Onion with HTTP Subresources: Grey onion with
Red Strikethrough
An onion embeds HTTPS:
HTTP Onion with HTTPS Subresources: ???????
HTTPS Onion with HTTPS Subresources: Green Onion (with
EV Banner if EV certificate)
HTTPS Self Signed Onion with HTTPS Subresources: Grey Onion with
warning
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list