Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#22545 closed enhancement (duplicate)

.onion sites are being labeled with "insecure connection"

Reported by: mrphs
Owned by: tbb-team
Priority: Immediate
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Blocker
Keywords: #ux-team #tbb-usabilty
Cc: catalyst
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by mrphs)

After the recent update to TB 7.0 I noticed that the Tor Browser warns users that their connection to .onion sites is NOT secure with their "lock icon" crossed with a red line.

And if the .onion site happens to have a password field, users get a warning for entering their password on an insecure website.


I believe this is due to recent UX changes in Firefox to warn users against websites without TLS, and it seems like they haven't considered the .onion use case in their design.

This terribly affects the experience of highly targeted users who might not have a clear understanding of the technology and are instructed to use .onion for their online and physical safety (e.g. for SecureDrop).

I'm going to mark this ticket as "blocker" because I witnessed it block a user from using an .onion site and Tor Browser altogether. They switched back to Chrome on clearnet as they were worried they're doing things wrong and that it might have compromised their security.

We should probably be a bit more careful with changes like that in future. Especially at a time like this.

Attachments (2)

insecure_onion.png (104.8 KB) - added by mrphs 2 years ago.
insecure_onion_password.png (37.7 KB) - added by mrphs 2 years ago.

Change History (10)

Changed 2 years ago by mrphs

Attachment: insecure_onion.png added

Changed 2 years ago by mrphs

Attachment: insecure_onion_password.png added

comment:1 Changed 2 years ago by mrphs

Description: modified

comment:2 Changed 2 years ago by mrphs

It goes without saying that such changes significantly affect the push and efforts by the greater community to implement and adopt the use of .onion services and Tor Browser. Perhaps it wouldn't be a bad investment to have someone watch the changes of Firefox UX more closely.

comment:3 Changed 2 years ago by mrphs

To reproduce the issue, visit any .onion site with a password field: http://j6uhdvbhz74oefxf.onion/

Only those handful of sites with a TLS cert on top of .onion are not affected by this change.

Last edited 2 years ago by mrphs

comment:4 Changed 2 years ago by catalyst

Cc: catalyst added

This looks like another aspect of #21321. There seems to be some disagreement about whether HTTP .onion sites should be considered "secure" in the UI. #21952 is also somewhat related.

See also org/meetings/2017Amsterdam/Notes/OSUX.

comment:5 Changed 2 years ago by gk

Resolution: duplicate
Status: new → closed

Duplicate of #21321.

comment:6 Changed 2 years ago by mrphs

Resolution: duplicate
Status: closed → reopened

I don't think this is a dup of #21321 because I don't think there's a need to convince Mozilla about .onion being secure or not and my reasons are:

1) Using .onion on plain Firefox is indeed NOT secure and I think it is smart if Firefox users get this warning in case they've proxied their browser to use Tor.

2) I thought a bit about whether I should open this ticket here or on their ticketing system and I decided here because regardless of their decision, this seems to be our responsibility to make sure within the Tor Browser, .onion sites are labeled correctly.

So if you don't mind, I'm going to reopen this ticket.

comment:7 in reply to:  6 Changed 2 years ago by gk

Resolution: duplicate
Status: reopened → closed

Replying to mrphs:

> I don't think this is a dup of #21321 because I don't think there's a need to convince Mozilla about .onion being secure or not and my reasons are:
>
> 1) Using .onion on plain Firefox is indeed NOT secure and I think it is smart if Firefox users get this warning in case they've proxied their browser to use Tor.

I think I am not convinced. Care to elaborate on that point in #21321?

> 2) I thought a bit about whether I should open this ticket here or on their ticketing system and I decided here because regardless of their decision, this seems to be our responsibility to make sure within the Tor Browser, .onion sites are labeled correctly.
>
> So if you don't mind, I'm going to reopen this ticket.

We can have this conversation in #21321 as I think we can move both aspects forward (write a patch for Tor Browser in a way that it gets upstreamed to Mozilla and get Mozilla "convinced"). At least it would be useful to have both conversations in one place I think.

comment:8 Changed 2 years ago by mrphs

Fair enough, will continue on #21321 :)
