[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services



#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
--------------------------------------+--------------------------
 Reporter:  isabela                   |          Owner:  tbb-team
     Type:  project                   |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  ux-team                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by asn):

 Replying to [comment:8 tom]:
 > There's also the notion of showing different icons for self-signed
 .onion (grey onion?) vs DV-ca-signed .onion (green onion?)

 Hm. Reason this idea is good:

 - Will be easier for users to distinguish between real facebook onion (DV-
 ca-signed green onion) and phishing facebook onion (self-signed grey
 onion).

 Reason this idea is bad:

 - It basically gives no way for onion site operators to get the green
 onion without paying the CA mafia.

 How does Let's Encrypt blend into the above idea? Would it give a green-
 onion or not? If yes, then phishers can just use a Let's Encrypt cert to
 get the green onion anyway.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs