[tor-bugs] #32645 [Applications/Tor Browser]: Update URL bar onion indicators

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 21 10:06:31 UTC 2020 

#32645: Update URL bar onion indicators
--------------------------------------+--------------------------------
 Reporter:  antonela                  |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  ux-team                   |  Actual Points:
Parent ID:  #30025                    |         Points:
 Reviewer:                            |        Sponsor:  Sponsor27-must
--------------------------------------+--------------------------------

Comment (by antonela):

 Replying to [comment:4 pospeselr]:
 > So having read the above documents and playing around with what browsers
 are doing these days, I have some thoughts.
 >
 > With Firefox and Chrome not giving a visual indication of DV/EV certs I
 think we should follow suit. As such, I think the Onion + CA Issued DV/EV
 Cert should just drop the lock icon, and just show the Onion icon.
 >
 Agreed.

 > For mixed content Firefox uses the HTTPS lock icon with a red slash
 through it, while chromium based browsers don't have an icon but instead
 red 'Not Secure' text in the address bar. By default it looks like Firefox
 blocks HTTP content from HTTPS pages and has to be explicitly loaded by
 the user via the (I) icon drop-down so most users wouldn't even see this.
 If we're going to have a separate Onion icon for onion URLs, perhaps we
 should follow Firefox here and do a Onion with a red slash.
 >
 Yes, that is exactly what we have on stable nowadays. I'm attaching here
 the slashed onion icon and also the Mixed Content scenario; I named it
 `Onion Security Broken`.

 >
 > Though that said, what is the purpose of communicating to the user that
 they are using an onion service? Firefox is using the lock there to
 indicate that your connection is secure, while Chromium et al are going
 further and using the space to explicitly indicate when a connection **is
 not** secure.
 >
 The entire experience here is to communicate with users when they are
 using an onion service. It is relevant because it allows us to set up an
 expectation about how to implement Tor's user-facing features for other
 vendors.

 > I'm kind of inclined to agree with the idea behind this trend being that
 the more information we try to cram up there, the less useful it is and
 the more probable it is that important info is ignored. I'd actually
 really like to see Firefox go the route Chromium is and explicitly put in
 a flashing red {{{Not secure}}} label on unencrypted HTTP sites.
 >
 I tend to agree. We can pursue Firefox to have more intense flashing red
 {{{Not secure}}}. Should we have better overall security warnings in Tor
 Browser? Do you think this is a feature we might want to upstream? The
 Firefox team worked with security warnings
 [https://blog.mozilla.org/security/2019/10/15/improved-security-and-
 privacy-indicators-in-firefox-70/, recently].

 > Ok, on to the hanger. I think the Onion service should probably keep the
 lock icon for 'Connection Secure with Tor'. Using the same icon in two
 separate sections is a bit weird.
 >
 Agreed. Having a different icon from the URL bar is weird too. We can
 solve this same-double-icon situation moving the circuit display to the
 second level navigation. It will carry other issues (for instance, we may
 want to inform users about this change). I think that the circuit display
 is a nice feature for any kind of user in the Tor Browser and maybe it is
 nice to have it on the first seek.

 > teor and arma mention in #23875 that there isn't a way to determine how
 many relays there are after your half of the circuit to a hidden service,
 so rather than hard-coding 3 'Relay' we need something else. I'm partial
 to arma's suggestion of having a nebulous 'cloudy' thing there.
 >
 I'd like to explore this idea. We can show the same graph to all kinds of
 circuits and we could allow users to expand the specific circuit data at a
 different information level. I filled #### for it.

 > We should also try and pick a themed color for the 'New Circuit for this
 Site' button, rather than the hard-coded blue we currently use. With the
 built-in Dark theme it doesn't look the best.
 >
 I'd love to iterate the main circuit display button within this iteration
 too. I'd follow Firefox approach here and I'd use a wording that reflects
 better what Tor Browser is doing. What do you think about this? `Flush
 Circuit, Clear Cookies and Site Data...` Also, we can offer more info
 about Guards linking guards to a `support.torproject.org/tbb/guard` entry.

 ----

 If we are OK, the next step for me is exporting the assets we need for the
 implementation.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32645#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list