[tor-bugs] #21831 [Applications/Tor Browser]: "Connection is Not Secure" warning.

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 28 13:25:57 UTC 2017


#21831: "Connection is Not Secure" warning.
------------------------------------------+----------------------
     Reporter:  jonathanfemideer          |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 Browsing to certain HTTPS-protected web pages using Tor Browser 6.5.1,
 with the Tor Browser Security Settings slider set to "High", results in a
 red diagonal bar being drawn through the padlock that sits to the left of
 the address bar. Here is a URL for such a web page:

 https://www.cis.upenn.edu/~bcpierce/unison/download/releases/stable
 /unison-manual.html

 Clicking the crossed-out padlock while visiting that web page in Tor
 Browser 6.5.1 results in a tooltip divided into three panes: top-left,
 top-right, and bottom. The top-left pane says:

     www.cis.upenn.edu
     Connection is Not Secure
     You have disabled protection on this page.

 The top-right pane has an arrow. Clicking on that arrow replaces the
 tooltip contents with this:

     This website contains content that is not secure (such as scripts) and
 your connection to it is not private.
     Information you share with this site could be viewed by others (like
 passwords, messages, credit cards, etc.).
 [https://support.mozilla.org/1/firefox/45.8.0/Linux/en-US/mixed-content
 Learn More]

 At the bottom of the new tooltip contents, there is a button marked
 "Enable protection" and another button marked "More Information".

 Clicking the "Enable protection" button appears to have no effect, except
 that it closes the tooltip and refreshes the page.

 Clicking the "More Information" button launches the Page Info dialogue
 box.

 It seems to me that, ideally:

 - The protection referred to by the "Enable protection" button should be
 enabled by default (at least when the security slider is set to "High",
 and maybe also for "Medium" and/or "Low"), thereby avoiding both the
 security risk and the corresponding warning.

 - Failing that, the protection referred to by the "Enable protection"
 button should at least take effect when that button is clicked, thereby
 avoiding both the security risk and the corresponding warning, at least
 for that website.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21831>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list