Opened 6 months ago

Closed 6 months ago

#30107 closed task (not a bug)

Self-signed .onion certificate (not CA) does not have padlock icon

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

  1. Create self-signed certificate.

Signed for '*.v3onionnamehere.onion' by '*.v3onionnamehere.onion'

  2. Configure server to use the certificate, with "https http2".
  3. Connect to https://hello.v3onionnamehere.onion
  4. "The certificate is not trusted because it is self-signed." > Add exception and continue.

Expected result:
URL bar shows Onion icon with small padlock icon.

Actual result:
URL bar shows only green Onion icon. Small padlock icon not displayed, but the connection itself is using https tls1.2.

Change History (10)

comment:1 Changed 6 months ago by cypherpunks

Tor Browser 8.0.8

comment:2 Changed 6 months ago by gk

Resolution: not a bug
Status: new → closed

comment:3 Changed 6 months ago by cypherpunks

Resolution: not a bug
Status: closed → reopened

Excuse me gk, I know that ticket.

The problem is:

Green onion + Padlock icon

https://iejideks5zu2v3zuthaxu5zz6m5o2j7vmbd24wh6dnuiyl7c6rfkcryd.onion/about
(cert mismatch, wrong hostname!!)

Green onion + Padlock icon

duckduckgo.com's onion

Green onion and *no* padlock (but connection is tls1.2)

https://hello.v3onionnamehere.onion
(hostname ok, just same issuer)

Why?

comment:4 Changed 6 months ago by cypherpunks

Reviewer: gk

comment:5 Changed 6 months ago by gk

Resolution: not a bug
Reviewer: gk
Status: reopened → closed

IIRC the reasoning was to show the difference between a self-signed .onion and one with a proper CA cert.

comment:6 Changed 6 months ago by cypherpunks

Resolution: not a bug
Status: closed → reopened

> one with a proper CA cert.

I disagree. I've tested.

  1. Create self-signed CA authority.
  2. Create self-signed cert signed by #1 CA.
  3. Install certificate.

Result: onion + padlock.

Besides, any kind of https:// is padlock.
Why can't you display a padlock for https://onion?

comment:7 in reply to:  6 Changed 6 months ago by gk

Resolution: not a bug
Status: reopened → closed

Replying to cypherpunks:

> > one with a proper CA cert.
>
> I disagree. I've tested.
>
>   1. Create self-signed CA authority.
>   2. Create self-signed cert signed by #1 CA.
>   3. Install certificate.

"proper CA cert" = signed by an authority your browser trusts, so, yes.

But there is nothing more to say here in addition to the comments I made above. So, please don't reopen this bug, thanks.

comment:8 Changed 6 months ago by easymode

Resolution: not a bug
Status: closed → reopened

The problem here is that https:// should display the padlock icon.

> So, please don't reopen this bug, thanks.

I suggest you reopen this and fix your browser properly.
The current icon is very confusing.

comment:9 Changed 6 months ago by easymode

Clearnet env:
https:// links show padlock icon

Onion env:
Onion icon and Padlock icon, if the protocol is https:.

> "proper CA cert" = signed by an authority your browser trusts, so, yes.

> Create self-signed CA authority.

TLDR?

comment:10 Changed 6 months ago by gk

Resolution: not a bug
Status: reopened → closed

So, to keep some sanity here: If you look at the Google doc I linked to above then this ticket is about row two "Onion with Self-Signed HTTPS" without any in-browser trusted CA backing that cert up. And this is not a bug, as expressed more than one time. Don't reopen that ticket again. Otherwise I'll just ignore it and move on.

If you think there is a different scenario that needs to get treated differently compared to what we are doing today, please open a new bug.
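
The two setups compared in this ticket (the description's self-signed wildcard certificate, and comment 6's private CA plus a leaf signed by it), as an added example that is not part of the ticket or of Tor Browser's code. It models only the certificate-trust distinction with the `openssl` command line, not the browser's icon logic. The CA name "Example Private CA", the file names and the result labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example; all files are constructed. v3onionnamehere.onion is the
# ticket's placeholder name, "Example Private CA" is hypothetical.
set -eu

make_certs() {  # $1 = output directory
    name='*.v3onionnamehere.onion'
    # Ticket description: subject and issuer are the same name, signed by its own key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$name" \
        -keyout "$1/self.key" -out "$1/self.crt" 2>/dev/null
    # Comment 6, step 1: a private CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # Comment 6, step 2: a leaf for the same name, signed by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/leaf.crt" 2>/dev/null
}

# How a verifier given $2 as its CA file sees certificate $1.
classify() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo "chains-to-trusted-ca"
    elif [ "$subject" = "$issuer" ]; then
        echo "self-signed-untrusted"
    else
        echo "unknown-issuer"
    fi
}

demo() {
    dir=$(mktemp -d)
    make_certs "$dir"
    echo "self-signed cert, CA trusted:     $(classify "$dir/self.crt" "$dir/ca.crt")"
    echo "CA-signed leaf,   CA trusted:     $(classify "$dir/leaf.crt" "$dir/ca.crt")"
    echo "CA-signed leaf,   CA not trusted: $(classify "$dir/leaf.crt" "$dir/self.crt")"
    rm -rf "$dir"
}
demo
```

The third case shows that the leaf from comment 6 only verifies once its CA has been placed in the trust store, which is the "Install certificate" step.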
