Opened 9 months ago

Closed 8 months ago

#29678 closed enhancement (duplicate)

"Insecure connection" icon display for non-HTTPS non-onion sites

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal

Description

+pref("security.insecure_connection_icon.enabled", true);
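Review bot: the added line comes with no file header or surrounding context, so it is not possible to tell which preferences file it belongs in or what it sits next to; please post it as a full diff. It also sets only security.insecure_connection_icon.enabled, so the description should say whether the plain-HTTP .onion case named in the title is already exempt from the icon and how that was checked.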

Change History (12)

comment:1 Changed 9 months ago by Thorin

FYI: there's also a text option, and don't conflict with the PB mode only prefs: i.e. I know TB always opens in PB mode (by default), but I have no idea what happens if you have both icon prefs as true, that in a normal window, the icon will appear.

/* display "insecure" icon and "Not Secure" text on HTTP sites ***/
user_pref("security.insecure_connection_icon.enabled", true); // [FF59+]
user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
   // user_pref("security.insecure_connection_icon.pbmode.enabled", true); // [FF59+] private windows only
   // user_pref("security.insecure_connection_text.pbmode.enabled", true); // [FF60+] private windows only
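The pref interaction raised in this comment, as an added example (not part of the ticket and not Tor Browser or Firefox code): a small auditor that reads `pref`/`user_pref` lines and reports which insecure-connection indicators end up active in normal and private windows. It assumes what the snippet's own comments say, that the `.pbmode` prefs affect private windows only, and that an unset pref is false; `SAMPLE` is constructed input.

```javascript
const PREFIX = "security.insecure_connection_";

// Parse pref("name", bool) / user_pref("name", bool) lines; later lines win.
// Block comments and lines commented out with // are ignored, so a
// disabled line in user.js is not mistaken for an active setting.
function parsePrefs(text) {
  const withoutBlocks = text.replace(/\/\*[\s\S]*?\*\//g, "");
  const prefs = new Map();
  for (const raw of withoutBlocks.split("\n")) {
    const line = raw.replace(/^\+/, "").trim(); // tolerate a leading diff "+"
    if (line.startsWith("//")) continue;
    const m = line.match(/^(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;/);
    if (m && m[1].startsWith(PREFIX)) prefs.set(m[1], m[2] === "true");
  }
  return prefs;
}

// Assumption: the plain pref covers every window and the .pbmode pref adds
// private windows only; a pref that is not set counts as false.
function indicators(prefs) {
  const on = (name) => prefs.get(PREFIX + name) === true;
  const view = (isPrivate) => ({
    icon: on("icon.enabled") || (isPrivate && on("icon.pbmode.enabled")),
    text: on("text.enabled") || (isPrivate && on("text.pbmode.enabled")),
  });
  return { normal: view(false), privateWin: view(true) };
}

// Constructed sample: the global icon pref is commented out, so only the
// private-window icon pref is active.
const SAMPLE = `
/* display "insecure" icon on HTTP sites ***/
// user_pref("security.insecure_connection_icon.enabled", true);
user_pref("security.insecure_connection_icon.pbmode.enabled", true);
`;

console.log(indicators(parsePrefs(SAMPLE)));
```
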

comment:2 Changed 8 months ago by cypherpunks

Keywords: tbb-8.5 added

FYI? There is no information. Useless data only.

The proposal is to make all insecure connections homogeneously visible to users.

Why not include it in the alpha?

comment:3 Changed 8 months ago by gk

Keywords: tbb-8.5 removed

I wonder why this did not ride the release train in Firefox yet.

comment:4 Changed 8 months ago by cypherpunks

They don't have malicious exit nodes? Hah.

("This work is part of the preparation for moving to a completely HTTPS web, the idea being that in the near future insecure sites will be specially indicated, rather than secure sites."
https://groups.google.com/forum/#!topic/mozilla.dev.platform/xaGffxAM-hs/discussion)

comment:5 Changed 8 months ago by Thorin

> FYI? There is no information. Useless data only.

Seriously? See #25660, proposed by Arthur, where it is entirely conceivable that at some stage Tor Browser might flip the switch on the current position of starting in PB mode (because quite frankly almost all if not everything disabled in PB mode can also be done with prefs, and sanitizing each New Identity is not affected, but there may be a couple of things that need to be looked at, and the benefits IMO are worth it, but that's a discussion for elsewhere - even if right now gk seems to think it's a wontfix).

Now imagine if in the meantime, Mozilla decide to turn on the pb mode only warnings, and this migrates to the Tor Browser. Now you'll find that your solution doesn't work. It pays to look at the code and understand that another pref influences the one you listed.

Additionally, the text prefs were added since they are also an option for gk et al to consider.

> https://groups.google.com/forum/#!topic/mozilla.dev.platform/xaGffxAM-hs/discussion%5B1-25%5D

That's an almost four year old discussion. The upstream bug for the pref is https://bugzilla.mozilla.org/show_bug.cgi?id=1310447 (no need to provide the text one since it's the same stuff, just one release later). Comment 59, currently the last one, says that "Chrome will be showing "Not Secure" for HTTP websites, starting in Chrome 68 (July 2018)" ... so I personally think that Mozilla have forgotten about this, and could be reminded to enable it, so it's handled upstream and would no longer need to be "patched" at this end once ESR68 is used - of course, flip the pref in the meantime.

Here: https://bugzilla.mozilla.org/show_bug.cgi?id=1434626 (FF60+) it was enabled for Nightly only - and after that a quick search reveals nothing. So I definitely think that Nightly test should be over and a decision made.

Last edited 8 months ago by Thorin

comment:6 Changed 8 months ago by gk

Summary: "Insecure connection" icon display for non-HTTPS sites → "Insecure connection" icon display for non-HTTPS/non-onion sites

https://bugzilla.mozilla.org/show_bug.cgi?id=1310842 is another patch relevant here, but development seems to be stalled, too.

comment:7 Changed 8 months ago by cypherpunks

Summary: "Insecure connection" icon display for non-HTTPS/non-onion sites → "Insecure connection" icon display for non-HTTPS non-onion sites

No patch is required (as you've already patched TBB ;) ).

Summary has been corrected to reflect the current behavior in TBB.

comment:8 in reply to:  7 ; Changed 8 months ago by gk

Replying to cypherpunks:

> No patch is required (as you've already patched TBB ;) ).
>
> Summary has been corrected to reflect the current behavior in TBB.

You mean if I enable those preferences AND I visit a non-https .onion those warning indicators are not shown?

comment:9 in reply to:  8 Changed 8 months ago by cypherpunks

Replying to gk:

> Replying to cypherpunks:
>
> > No patch is required (as you've already patched TBB ;) ).
> >
> > Summary has been corrected to reflect the current behavior in TBB.
>
> You mean if I enable those preferences AND I visit a non-https .onion those warning indicators are not shown?

What those prefs? Don't read FUD, Georg ;)

This ticket has a one-liner that does exactly what you ask for.

comment:10 Changed 8 months ago by gk

Resolution: fixed
Status: new → closed

FWIW, this is a duplicate of #25204.

comment:11 Changed 8 months ago by cypherpunks

Resolution: fixed
Status: closed → reopened

Instead of cleanly applying a well-tested patch, you think it is a duplicate of a one-year-old suggestion which ux team doesn't care to respond. What a mess.

comment:12 Changed 8 months ago by gk

Resolution: duplicate
Status: reopened → closed

Still a duplicate.