Opened 4 months ago

Closed 4 months ago

#29163 closed task (duplicate)

Add an option or just ignore https+.onion domains

Reported by: welkins
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: tom, gk, pospeselr, antonela
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Tor Browser:
.onion domains -> show green onion icon
.onion with https:// (self-signed/CA-signed) -> show green onion+padlock icon

But it shows this:

Your connection is not secure

The owner of community.xxxx.onion has configured their website improperly. To protect your information from being stolen, Tor Browser has not connected to this website.

.onion + http is already secure, so you should mark .onion+https (signed/self-signed with a valid time length (not expired)) as secure.

Why is this so late?
Where does my donation money go?
I won't donate any more money if you don't add this in 2019.

https://community.letsencrypt.org/t/let-s-encrypt-tor-browser-5-5-2/11214
https://lists.torproject.org/pipermail/tor-talk/2015-August/038812.html

Change History (2)

comment:1 Changed 4 months ago by sysrqb

Cc: tom gk pospeselr antonela added
Priority: Very High → Medium
Severity: Critical → Normal
Status: new → needs_information

I don't think this received as much discussion as it should/could have. Tom made a comment about it, but I didn't see any follow up. I think the fact onion sites are self-authenticating provides a somewhat strong argument for allowing self-signed TLS certificates without the interstitial. I worry about the malicious phishing site and the "you can trust the site, it has a lock icon" mentality everyone's been taught over the last decades, but I also see significant benefit in allowing TLS-over-onion with self-signed certs without a warning (or providing another mechanism for creating trusted certs).

Just some thoughts.
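
The self-authenticating property mentioned in comment:1, as an added example that is not part of the ticket or of Tor Browser's code: a v3 onion hostname is the base32 encoding of the service's ed25519 public key, a 2-byte checksum and a version byte, so the name itself identifies the key. The ticket does not say which address version it means; the function names and the sample key below are constructed for illustration.

```python
import base64
import hashlib

ONION_SUFFIX = ".onion"
V3_VERSION = b"\x03"


def v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build the 56-character v3 hostname for a 32-byte public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ONION_SUFFIX


def service_key_from_host(host: str) -> bytes:
    """Return the public key embedded in a v3 onion hostname.

    Raises ValueError if the name is not a well-formed v3 address.
    Subdomains (community.<address>.onion) are accepted: only the label
    directly left of ".onion" carries the key.
    """
    host = host.lower().rstrip(".")
    if not host.endswith(ONION_SUFFIX):
        raise ValueError("not an onion hostname")
    label = host[: -len(ONION_SUFFIX)].split(".")[-1]
    if len(label) != 56:
        raise ValueError("not a v3 address (expected 56 base32 characters)")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError("unsupported address version")
    if checksum != v3_checksum(pubkey):
        raise ValueError("checksum mismatch (mistyped or altered address)")
    return pubkey


if __name__ == "__main__":
    # Constructed sample key: 32 arbitrary bytes, not a real service's key.
    sample = encode_v3(bytes(range(32)))
    print(sample)
    print(service_key_from_host("community." + sample).hex())
```

The address binds the name to a key, not to a person or organisation, which is why the phishing concern raised in the same comment still applies.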

comment:2 Changed 4 months ago by gk

Resolution: duplicate
Status: needs_information → closed

I think this report is a duplicate of #13410 or maybe #27636; it's not clear to me which. Duping it over to the first one.
