[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #27636 [Applications/Tor Browser]: .onion indicator for non-self-signed but non-trusted sites

To: undisclosed-recipients: ;
Subject: [tor-bugs] #27636 [Applications/Tor Browser]: .onion indicator for non-self-signed but non-trusted sites
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 11 Sep 2018 12:17:12 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 11 Sep 2018 08:17:21 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#27636: .onion indicator for non-self-signed but non-trusted sites
------------------------------------------+----------------------
     Reporter:  o--                       |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 With #23247 (really great addition btw!) implemented, I tried to visit
 https://www.ysp4gfuhnmj6b4mb.onion/

 This page uses a custom CA, which is not trusted by tor browser (or any
 other browser by default) and is reachable through .onion with a correct
 CN in the certificate.

 Now currently with TB 8.0 I get a "Your connection is not secure"
 (SEC_ERROR_UNKNOWN_ISSUER), but at the same time a green onion+padlock
 indicator. This is quite confusing.

 Reading through #23247 I am not sure what the intended behavior would be.
 But  self-signed certificates are trusted when accessed through .onion.
 From that point of view it does not make much sense to handle certificates
 signed by untrusted CAs differently.

 My expectation would be to not see the untrusted issuer warning and get
 the green onion *without* padlock indicator.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27636>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #27636 [Applications/Tor Browser]: .onion indicator for non-self-signed but non-trusted sites
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #27636 [Applications/Tor Browser]: .onion indicator for non-self-signed but non-trusted sites
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #27474 [Community/Tor Browser Manual]: update tb-manual build script
Next by Author: Re: [tor-bugs] #27429 [UX]: add https://invidio.us/ as a alternative to YouTube
Previous by thread: [tor-bugs] [Tor Bug Tracker & Wiki] Batch modify: #27356, #27390
Next by thread: Re: [tor-bugs] #27636 [Applications/Tor Browser]: .onion indicator for non-self-signed but non-trusted sites
Index(es):
- Author
- Thread