Opened 6 months ago

Last modified 35 hours ago

#27636 new defect

.onion indicator for non-self-signed but non-trusted sites

Reported by: o--
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ux-team
Cc: asn, antonela, pospeselr
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor27


With #23247 (really great addition btw!) implemented, I tried to visit https://www.ysp4gfuhnmj6b4mb.onion/

This page uses a custom CA, which is not trusted by tor browser (or any other browser by default) and is reachable through .onion with a correct CN in the certificate.

Now currently with TB 8.0 I get a "Your connection is not secure" (SEC_ERROR_UNKNOWN_ISSUER), but at the same time a green onion+padlock indicator. This is quite confusing.

Reading through #23247 I am not sure what the intended behavior would be. But self-signed certificates are trusted when accessed through .onion. From that point of view it does not make much sense to handle certificates signed by untrusted CAs differently.

My expectation would be to not see the untrusted issuer warning and get the green onion *without* padlock indicator.

Child Tickets

Change History (3)

comment:1 Changed 6 months ago by gk

Cc: asn antonela pospeselr added
Keywords: ux-team added

Yes, I agree this is confusing. I am not sure about the right solution for it, though. #13410 feels related.

comment:2 Changed 6 months ago by o--

If I correctly understand the reasoning in #23247, a warning should be displayed if the certificate is "incorrect" (i.e. wrong CN), which is the case in #13410. This might or might not be a good idea. Potentially it could indicate a misconfiguration on the server side (for example a wrong virtual host).

The case reported in this ticket however is a "correct" but untrusted certificate. In this case I really see no argument for treating it differently than "correct" but self-signed.

But I agree that in general it is kind of difficult to define when the user should be warned, even though the onion address provides the end-to-end verified connection.

In both of those tickets it seems to me that requiring the service providers to "downgrade" to a self-signed certificate to get the green connection without UI hassle is a step back. In this ticket the service uses a custom CA which some users might already trust. In #13410 the site provides a certificate for the identical non-onion site (which is correct and trusted). Both options feel like they are at least not worse than a self-signed cert.
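The indicator policy argued for in the description and in comment 2, written out as an added example; this is not Tor Browser code, and the `CertStatus` summary and the hostname matcher are constructed for illustration. It treats "correct name but untrusted CA" exactly like "correct name but self-signed", and reserves the warning for a name mismatch.

```python
from dataclasses import dataclass
from enum import Enum


class Indicator(Enum):
    ONION_PADLOCK = "green onion + padlock"  # .onion, cert chains to a trusted root
    ONION_ONLY = "green onion, no padlock"   # .onion, cert not chained to a trusted root
    WARNING = "certificate warning page"     # name does not match the host


@dataclass
class CertStatus:
    """Constructed summary of what the TLS layer reports about a leaf certificate."""
    names: list            # subject CN plus DNS SANs, as presented by the cert
    self_signed: bool      # issuer == subject
    issuer_trusted: bool   # chain builds to a root in the browser's trust store


def name_matches(host: str, pattern: str) -> bool:
    """RFC 6125 style match: exact, or a single wildcard in the left-most label only."""
    host, pattern = host.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    h_labels, p_labels = host.split("."), pattern.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def indicator_for(host: str, cert: CertStatus) -> Indicator:
    """Indicator proposed in the ticket for an HTTPS connection to a .onion host.

    The onion address already authenticates the endpoint, so the certificate only
    adds the padlock when a trusted CA vouches for it; an untrusted issuer or a
    self-signed cert with a correct name gets the onion without the padlock.
    """
    if not host.lower().endswith(".onion"):
        raise ValueError("policy modelled here applies to .onion hosts only")
    if not any(name_matches(host, n) for n in cert.names):
        return Indicator.WARNING          # "incorrect" certificate, e.g. wrong virtual host (#13410)
    if cert.issuer_trusted and not cert.self_signed:
        return Indicator.ONION_PADLOCK
    return Indicator.ONION_ONLY           # self-signed OR untrusted CA: same outcome
```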

comment:3 Changed 35 hours ago by pili

Sponsor: Sponsor27