Opened 2 years ago

Last modified 7 months ago

#27636 assigned defect

.onion indicator for non-self-signed but non-trusted sites

Reported by: o-- Owned by: pospeselr
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ux-team, TorBrowserTeam202008
Cc: asn, antonela, tbb-team Actual Points:
Parent ID: #33827 Points:
Reviewer: Sponsor: Sponsor27-must

Description

With #23247 (really great addition btw!) implemented, I tried to visit https://www.ysp4gfuhnmj6b4mb.onion/

This page uses a custom CA, which is not trusted by tor browser (or any other browser by default) and is reachable through .onion with a correct CN in the certificate.

Now currently with TB 8.0 I get a "Your connection is not secure" (SEC_ERROR_UNKNOWN_ISSUER), but at the same time a green onion+padlock indicator. This is quite confusing.

Reading through #23247 I am not sure what the intended behavior would be. But self-signed certificates are trusted when accessed through .onion. From that point of view it does not make much sense to handle certificates signed by untrusted CAs differently.

My expectation would be to not see the untrusted issuer warning and get the green onion *without* padlock indicator.

Child Tickets

Attachments (1)

27636.png (212.4 KB) - added by pospeselr 9 months ago.

Download all attachments as: .zip

Change History (10)

comment:1 Changed 2 years ago by gk

Cc: asn antonela pospeselr added
Keywords: ux-team added

Yes, I agree this is confusing. I am not sure about the right solution for it, though. #13410 feels related.

comment:2 Changed 2 years ago by o--

If I correctly understand the reasoning in #23247 a warning should be displayed if the certificate is "incorrect" (ie. wrong CN), which is the case in #13410. This might or might not be a good idea. Potentially it could indicate a misconfiguration on the server side (for example wrong virtual host).

The case reported in this ticket however is a "correct" but untrusted certificate. In this case I really see no argument for treating it differently than "correct" but self-signed.

But I agree that in general it is kind of difficult to define when the user should be warned, even though the onion address provides the end-to-end verified connection.

In both of those tickets it seems to me, that requiring the service providers to "downgrade" to a self-signed certificate to get the green connection without UI hassle is a step back. In this ticket the service uses a custom CA which some users might already trust. In the #13410 the site provides a certificate for the identical non-onion site (which is correct and trusted). Both options feel like they are at least not worse than a self-signed cert.

comment:3 Changed 20 months ago by pili

Sponsor: Sponsor27

comment:4 Changed 19 months ago by gk

Sponsor: Sponsor27Sponsor27-must

Add Sponsor27-must items for Objective 2

comment:5 Changed 19 months ago by pili

Parent ID: #30025

Changed 9 months ago by pospeselr

Attachment: 27636.png added

comment:6 Changed 9 months ago by pospeselr

In Tor Browser 9.0.4, this page first displays the 'this page is dangerous' page that you have to accept the risks to advance. The icon in the url bar is onion with lock, but clicking on it shows the padlock with warning icon and indicates that the page is not secure.

https://trac.torproject.org/projects/tor/raw-attachment/ticket/27636/27636.png

comment:7 Changed 8 months ago by pili

Owner: changed from tbb-team to pospeselr
Status: newassigned

comment:8 Changed 8 months ago by boklm

Cc: tbb-team added; pospeselr removed

comment:9 Changed 7 months ago by pili

Keywords: TorBrowserTeam202008 added
Parent ID: #30025#33827

This will no longer be done as part of S27 O2A4.

Moving all onion service certificate related tickets to a new project to be implemented in future.

Note: See TracTickets for help on using tickets.