[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services



#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
--------------------------------------+--------------------------
 Reporter:  isabela                   |          Owner:  tbb-team
     Type:  project                   |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  ux-team                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by tom):

 Talking about this with asn on irc the following came up. Is there is a
 difference between a self-signed certificate and other types of invalid
 ssl certificates?

 E.g. A self-signed cert with the correct name vs a CA-signed cert with the
 incorrect name.

 IF we show a green icon for a self-signed cert with the correct name,
 someone who is actually running a malicious onion and gets you to visit it
 and change all other situations (ca-signed cert with incorrect name) to
 one that gets you a green icon. So showing a warning page for any other
 situation provides no security. BUT maybe it provides the webmaster with
 an indicator that their server was misconfigured and is not sending the
 certificate they should send?

 (Alternately, maybe we don't want to send that indicator because it now
 requires webmasters who have a working example.com cert and configuration
 to not only deploy a .onion but deploy a new vhost pointing at the same
 config and serve that vhost a separate SSL cert which is configuration
 they could otherwise avoid.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs