
Re: [tor-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser



#21321: .onion HTTP is shown as non-secure in Tor Browser
----------------------------------------------+--------------------------
 Reporter:  cypherpunks                       |          Owner:  tbb-team
     Type:  task                              |         Status:  new
 Priority:  High                              |      Milestone:
Component:  Applications/Tor Browser          |        Version:
 Severity:  Major                             |     Resolution:
 Keywords:  ff52-esr, tbb-usability, ux-team  |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+--------------------------

Comment (by yawning):

 Replying to [comment:13 gk]:
 > I am not sure yet about how to deal with the various security indicators
 > in the browser UI (like padlock icon) but it seems to me we could make
 > sure that the scary password field warning does not show up anymore when
 > being on an HTTP .onion site. Even if we might disagree about how secure
 > exactly that mode is I feel it is sufficiently secure that the warning
 > against plain-HTTP password fields is not warranted. Does that sound like
 > a reasonable start?

 As massively flawed and totally horrible as the CA system is, having a CA
 signed TLS cert serves to bind the address to an external identity.
 `.onion` addresses do not have this property.  What assurance is there that
 the address a user is entering their credentials to is the correct one?

 And yes, DV certs exist.  Normal FQDNs are not a UI disaster like the
 current (and prop-224) `.onion`s are.

 I'm open to being convinced otherwise, but I currently will be strongly
 against blurring the lines between "http over onions" and "https".

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online