Re: [tor-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser
#21321: .onion HTTP is shown as non-secure in Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          | Owner: tbb-team
     Type:  task                                 | Status: new
 Priority:  High                                 | Milestone:
Component:  Applications/Tor Browser             | Version:
 Severity:  Blocker                              | Resolution:
 Keywords:  ff52-esr, tbb-usability, ux-team,    | Actual Points:
  TorBrowserTeam201706                           |
Parent ID:                                       | Points:
 Reviewer:                                       | Sponsor:
-------------------------------------------------+-------------------------

Comment (by yawning):

Replying to [comment:19 mrphs]:
> I've explained how I think about this issue to some extent on #22545. As
> someone who directly works with people at immediate risk and as someone
> with UX background, I believe this warning has actually become a security
> issue as it misleads people to take a far less secure route.

How is using a site over Tor through an exit, with a CA signed TLS cert
any less secure than using an `onion` over HTTP?

> I happen to believe while debating the security features of 'HTTPS' vs
> 'HTTP .onion' vs 'HTTPS .onion' is healthy and necessary to have, it's
> outside of the urgent needs of this ticket.

No.

Mozilla and Firefox define "secure enough not to show a warning" as
"HTTPS with a CA signed cert".

The prerequisite to changing the behavior is to present a strong case for
"they are wrong, and the definition of 'secure enough not to show a
warning' should be 'HTTP over .onion, *or* HTTPS with a CA signed cert'",
where "strong case" is along the lines of "the security properties are at
least identical, if not better".

"People get confused" is not a good reason to redefine what secure means,
as a matter of general principle, and disabling the warnings is redefining
what secure means.

(If people think the warning should go away altogether, then they're
even more wrong.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:27>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs