[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #27636 [Applications/Tor Browser]: .onion indicator for non-self-signed but non-trusted sites



#27636: .onion indicator for non-self-signed but non-trusted sites
------------------------------------------+----------------------
     Reporter:  o--                       |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 With #23247 (really great addition btw!) implemented, I tried to visit
 https://www.ysp4gfuhnmj6b4mb.onion/

 This page uses a custom CA, which is not trusted by tor browser (or any
 other browser by default) and is reachable through .onion with a correct
 CN in the certificate.

 Now currently with TB 8.0 I get a "Your connection is not secure"
 (SEC_ERROR_UNKNOWN_ISSUER), but at the same time a green onion+padlock
 indicator. This is quite confusing.

 Reading through #23247 I am not sure what the intended behavior would be.
 But  self-signed certificates are trusted when accessed through .onion.
 From that point of view it does not make much sense to handle certificates
 signed by untrusted CAs differently.

 My expectation would be to not see the untrusted issuer warning and get
 the green onion *without* padlock indicator.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27636>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs