Opened 3 years ago

Closed 3 years ago

#21877 closed defect (duplicate)

HTTP only onion services are marked as insecure in TBB ff52 nightly

Reported by: blockflare Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Go to the onion service of torproject.org: http://expyuzz4wqqyqhjn.onion/

Click on the (i) icon in the left of expyuzz4wqqyqhjn.onion, this should appear:

Connection is Not Secure

Clicking further on ">":

Your connection to the site is not private. Information you submit could be viewed by others (like passwords, messages, credit cards, etc.)

Child Tickets

Change History (5)

comment:1 Changed 3 years ago by cypherpunks

Keywords: ff52-esr removed

Yes, HTTP is not HTTPS.

comment:2 in reply to:  1 ; Changed 3 years ago by blockflare

Replying to cypherpunks:

Yes, HTTP is not HTTPS.

But onion services are e2e encrypted, even if they don't have an EV Cert, they should not be marked as insecure and as "Information you submit could be viewed by others (like passwords, messages, credit cards, etc.)".

comment:3 in reply to:  2 Changed 3 years ago by cypherpunks

Replying to blockflare:

Replying to cypherpunks:

Yes, HTTP is not HTTPS.

But onion services are e2e encrypted, even if they don't have an EV Cert, they should not be marked as insecure and as "Information you submit could be viewed by others (like passwords, messages, credit cards, etc.)".

FF marks it as an insecure HTTP, but this is really not obvious.
(Also your ticket seems to be a duplicate of some earlier tickets.)

comment:4 Changed 3 years ago by blockflare

(Also your ticket seems to be a duplicate of some earlier tickets.)

Indeed! https://trac.torproject.org/projects/tor/ticket/21321

comment:5 Changed 3 years ago by gk

Resolution: duplicate
Status: newclosed

Yes. Resolving this as duplicate of #21321.

Note: See TracTickets for help on using tickets.