Opened 5 years ago

Closed 12 months ago

Last modified 12 months ago

#8686 closed enhancement (duplicate)

padlock or colored url bar for connections to hidden services

Reported by: proper
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-torbutton, tbb-usability, ux-team
Cc: proper, mcs, fdsfgs@…, catalyst
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by arma)

When connected to https-protected websites, there is a nice-looking padlock; sometimes, if the website bought an Extended Validation Certificate, there is even a nice-looking green bar.

Most people are not aware that connections to hidden services are encrypted end-to-end [1] by default, thanks to Tor. This is a nice security feature and argument for Tor, which has very little public awareness.

Why not have a padlock or colored (black?) url bar for connections to hidden services?

This would also be a good way to teach people that when they are using services like tor2web or onion.to, those connections aren't encrypted end-to-end, while connections to hidden services using Tor Browser are.

Credit:
This is an original idea of mine. It has been discussed on reddit.


[1] To be pedantic, connections to hidden services are only encrypted end-to-end Tor to Tor, not exactly client (browser) to server.

Change History (15)

comment:1 Changed 4 years ago by erinn

Component: TorBrowserButton → Tor Browser
Keywords: tbb-torbutton added
Owner: changed from mikeperry to tbb-team

comment:2 Changed 3 years ago by mcs

Cc: mcs added
Keywords: tbb-usability added
Severity: Normal

Ticket #18152 is a duplicate. Quoting text from there:

Currently when the user visits a .onion address, the Tor Browser Bundle does the same thing it does for HTTP-only sites: it shows the generic globe next to the URL which, when clicked, states that "your connection to this website is not encrypted." Since it's a hidden service, this is clearly not true. Furthermore, clicking "more information" says that the website doesn't support encryption and that the request can be seen by other people. Obviously both are not true.

TBB should display something else instead, to indicate the security and privacy properties of the .onion domain.

comment:3 Changed 3 years ago by cypherpunks

Let the padlock indicate the TLS state. .onion sites can also use TLS over Tor for better security and, more importantly, authentication; Facebook is the example.

comment:4 Changed 3 years ago by adrelanos

Right. Showing TLS is useful. However, it's not an either/or. Both can be combined.

  • http only would look worst.
  • https better.
  • .onion even better.
  • .onion with TLS best.

comment:5 in reply to:  4 Changed 3 years ago by teor

Replying to adrelanos:

Right. Showing TLS is useful. However, it's not an either/or. Both can be combined.

  • http only would look worst.
  • https better.
  • .onion even better.
  • .onion with TLS best.

Firefox has recently changed the padlock icon to be different colours depending on whether the site is using an EV certificate or not, and whether there is mixed content (sorry, don't know which ESR).

We could extend this change when it hits Tor Browser's ESR series.

comment:6 Changed 2 years ago by gk

Clicking on the "i" icon should show that it is secure as well.

comment:7 Changed 16 months ago by arma

Description: modified (diff)

comment:8 Changed 16 months ago by tokotoko

Cc: fdsfgs@… added

comment:9 Changed 15 months ago by yawning

#22483 is a duplicate.

comment:10 Changed 14 months ago by catalyst

Cc: catalyst added

#21321 is related.

comment:11 Changed 14 months ago by catalyst

I think plaintext .onion is somewhere between http and https. There is end-to-end encryption with plaintext .onion, but its authenticated encryption properties are weaker than TLS. On the other hand, .onion provides some location privacy.

Maybe a one-dimensional scale is the wrong way to think about this.

comment:12 Changed 14 months ago by catalyst

#21952 has some related UX proposals, even though it's about redirecting/upgrading https to .onion sites.

comment:13 Changed 13 months ago by catalyst

Keywords: ux-team added

comment:14 Changed 12 months ago by linda

Resolution: duplicate
Status: new → closed

We're working on displaying appropriate icons and messages for different http/https and onion site combinations here: #8686.

comment:15 Changed 12 months ago by linda

Oops, I meant #23247.
