[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser
#21321: .onion HTTP is shown as non-secure in Tor Browser
-------------------------------------------------+-------------------------
Reporter: cypherpunks | Owner: tbb-
| team
Type: task | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Blocker | Resolution:
Keywords: ff52-esr, tbb-usability, ux-team, | Actual Points:
TorBrowserTeam201707 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by linda):
The UX team triaged the ticket today with Geko and catalyst a part of the
conversaion.
We decided that keeping the padlock icon as is but removing the warning is
the best course of action for now.
The core issue here is that the lock icon indicates if it is http/https.
But what users really want to know is if the website is secure or not.
While turning the lock icon to look secure would be telling them what they
want to know ("yes, it is secure"), it is lying to them (since the
indicator technically means that it is or is not https).
We have been discussing what we should do going forward--there were a lot
of ideas, including: showing both an .onion icon and http/s icon and
having a message for each combination of states, overriding the https and
just showing the onion icon when on a .onion website (not messing with the
https icon to lie, but to omit it), or focusing on just getting the user
to use .onion AND https.
The issue is complicated though: .onion sites are secure, but is it
more/less/as secure as https? the answer is unclear. .onion sites can be
easily be phishing sites due to their address, and has different security
guarantees than https. What happens with loading http images on a .onion
http site? etc. Any feedback welcome.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:39>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs