[tor-bugs] #29163 [Applications/Tor Browser]: Add an option or just ignore https+.onion domains
    Tor Bug Tracker & Wiki
    blackhole at torproject.org
    Thu Jan 24 02:55:33 UTC 2019

#29163: Add an option or just ignore https+.onion domains
--------------------------------------+-----------------------------------
 Reporter:  welkins                   |          Owner:  tbb-team
     Type:  task                      |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------
Changes (by sysrqb):
 * cc: tom, gk, pospeselr, antonela (added)
 * priority:  Very High => Medium
 * status:  new => needs_information
 * severity:  Critical => Normal
Comment:
 I don't think this received as much discussion as it should/could have.
 Tom made a [ticket:23247#comment:7 comment] about it, but I didn't see any
 follow up. I think the fact onion sites are self-authenticating provides a
 somewhat strong argument for allowing self-signed TLS certificates without
 the interstitial. I worry about the malicious phishing site and the "you
 can trust the site, it has a lock icon" mentality everyone's been taught
 over the last decades, but I also see significant benefit in allowing TLS-
 over-onion with self-signed certs without a warning (or providing another
 mechanism for creating trusted certs).
 Just some thoughts.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29163#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
    
    