Opened 21 months ago

Last modified 4 weeks ago

#27590 assigned defect

Display .onion alt-svc route in the circuit display

Reported by: mahrud
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-circuit-display, ux-team, TorBrowserTeam202008
Cc: arthuredelstein, nicoo, notifier, antonela
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor27-must

Description

Now that #24553 has re-enabled alt-svc, the Circuit Display should probably indicate when the connection was made via an .onion alt-svc. Currently it doesn't.

Feel free to use this for testing: https://perfectoid.space/test.php
When the page turns green, click on the green https lock to see the circuit.

Child Tickets

Attachments (1)

2018-09-09-041041_2560x1440_scrot.png (75.9 KB) - added by mahrud 21 months ago.
Current behavior


Change History (20)

Changed 21 months ago by mahrud

Current behavior

comment:1 Changed 21 months ago by gk

Keywords: tbb-circuit-display added

comment:2 Changed 21 months ago by nusenu

I'm not sure if that should be a separate ticket but I would find it important to see that the page has been fetched via .onions directly from the URL bar without having to expand anything.

What do you think about using the onion-behind-a-lock icon for pages that are fetched via .onion (due to Alt-Svc)?

comment:3 Changed 21 months ago by mahrud

The trouble is that the connection is not consistently via .onion, only opportunistically. And besides, displaying one of the 10 .onions that, say, Cloudflare owns is kinda pointless.

comment:4 in reply to:  1 Changed 21 months ago by fuckingcf

Replying to gk:
Hey, gk! This ticket is primarily not about circuit display, but

What do you think about using the onion-behind-a-lock icon for pages that are fetched via .onion (due to Alt-Svc)?

and even more correct:
Why the hell doesn't it inform about using plain text .onion connections on https sites?!!! (No questions for https .onion alternate routes.)
Example of cf alt-svc: cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443 (plain text (http)!!!)

comment:5 Changed 21 months ago by gk

So, here is an interesting issue: If you load the website the first time the circuit display actually shows part of the onion circuit (the one the client controls) *but* the website still says that the content got loaded over the regular Tor circuit. This is true. What happens is that a second request is issued for the favicon which uses the onion in the alt-svc header which then updates the circuit display even though the content did not get loaded over the .onion. What should the display show here?

comment:6 Changed 20 months ago by gk

Cc: nicoo added

#27949 is a duplicate.

comment:7 Changed 20 months ago by gk

Cc: notifier added

#28033 is a duplicate.

comment:8 Changed 20 months ago by antonela

Keywords: ux-team added

comment:9 Changed 15 months ago by pili

Sponsor: Sponsor27

comment:10 Changed 14 months ago by gk

Sponsor: Sponsor27 → Sponsor27-must

Add Sponsor27-must items for Objective 2

comment:11 Changed 14 months ago by gk

Leaving https://www.deepdotweb.com/ as an interesting example here. To make things more complicated: there are different Cf alt-svc involved it seems while it is not clear how much traffic they actually carry (in addition to the non-.onion one).

comment:12 Changed 14 months ago by pili

Parent ID: #30024

comment:13 in reply to:  5 Changed 12 months ago by gk

Replying to gk:

So, here is an interesting issue: If you load the website the first time the circuit display actually shows part of the onion circuit (the one the client controls) *but* the website still says that the content got loaded over the regular Tor circuit. This is true. What happens is that a second request is issued for the favicon which uses the onion in the alt-svc header which then updates the circuit display even though the content did not get loaded over the .onion. What should the display show here?

The favicon explanation/idea was actually a red herring. What we see is actually a circuit display issue (which we should deal with, though) in the sense that it does not show any alt-svc routing requests at all using the Cloudflare .onion service but rather an orthogonal one. This happens because once the Alt-Svc response header is processed the mapping is created and part of that is validating it (see: AltSvcCache::UpdateAltServiceMapping) which means in the https:// case just establishing a connection to the alt-svc host. And the circuit display gets in turn updated with the client side rend circuit caused by that validation request. There is no actual content sent back and forth here as it takes the non-alt-svc route.

Last edited 12 months ago by gk
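The Alt-Svc response header discussed in comment:13 is what tells the browser that an .onion alternative exists. As an added example (not part of the ticket and not Tor Browser's code), this JavaScript parses an Alt-Svc field value per RFC 7838 and flags .onion alternatives; the sample header is constructed, with only the onion authority taken from comment:4, and `example.com` in the usage is a placeholder origin.

```javascript
// Added example: parse an Alt-Svc field value (RFC 7838) and flag .onion alternatives.
const ONION_V3 = /^[a-z2-7]{56}\.onion$/; // v3 onion: 56 base32 characters

// Constructed sample header; only the onion authority is taken from comment:4.
const SAMPLE_ALT_SVC =
  'h2="cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443"; ' +
  'ma=3600; persist=1, h2=":8443"';

// Split on a separator, ignoring separators inside double-quoted strings.
function splitOutsideQuotes(text, sep) {
  const parts = [];
  let current = "";
  let quoted = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === "\\" && quoted && i + 1 < text.length) {
      current += ch + text[++i]; // keep the escaped character with its backslash
      continue;
    }
    if (ch === '"') quoted = !quoted;
    if (ch === sep && !quoted) { parts.push(current); current = ""; }
    else current += ch;
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

function unquote(s) {
  const q = s.length >= 2 && s.startsWith('"') && s.endsWith('"');
  return q ? s.slice(1, -1).replace(/\\(.)/g, "$1") : s;
}

// Returns one record per advertised alternative; "clear" and malformed entries yield none.
function parseAltSvc(value, originHost) {
  if (value.trim() === "clear") return [];
  return splitOutsideQuotes(value, ",").flatMap((entry) => {
    const [alt = "", ...params] = splitOutsideQuotes(entry, ";");
    const eq = alt.indexOf("=");
    const authority = unquote(alt.slice(eq + 1).trim());
    const colon = authority.lastIndexOf(":");
    if (eq < 1 || colon < 0) return []; // not protocol-id=alt-authority
    // An empty host means "same host as the origin".
    const host = (authority.slice(0, colon) || originHost).toLowerCase();
    const ma = params.find((p) => /^ma\s*=/i.test(p));
    const maxAge = ma ? Number(unquote(ma.slice(ma.indexOf("=") + 1).trim())) : 86400;
    return [{ protocol: alt.slice(0, eq), host, port: Number(authority.slice(colon + 1)),
      maxAge, onion: host.endsWith(".onion"), onionV3: ONION_V3.test(host) }];
  });
}
```

Calling `parseAltSvc(SAMPLE_ALT_SVC, "example.com")` returns two records, of which only the first has `onion` set. An advertised alternative only says which route the browser may use, not which route carried the page content.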

comment:14 Changed 3 months ago by pili

Is #32777 a duplicate?

comment:15 Changed 3 months ago by pili

Same with #33525, is this one also related?

comment:16 Changed 2 months ago by pili

Cc: antonela added
Keywords: TorBrowserTeam202004 added
Owner: changed from tbb-team to acat
Status: new → assigned

We will follow the same logic as we are using for the https-e .tor.onion naming UI:

  1. user types the regular domain
  2. user is "transparently" redirected to the alt-svc .onion
  3. the onion icon appears in the url bar
  4. the circuit display gets updated to show .onion address

In this case the circuit display will show the .onion address and the url bar will show the human memorable/meaningful name.

comment:17 Changed 2 months ago by pili

Parent ID: #30024

Unparenting for now. We will no longer work on this as part of S27 O2A3

comment:18 Changed 2 months ago by pili

Keywords: TorBrowserTeam202008 added; TorBrowserTeam202004 removed

comment:19 Changed 4 weeks ago by acat

Owner: changed from acat to tbb-team