[tbb-bugs] #21831 [Applications/Tor Browser]: "Connection is Not Secure" warning.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Mar 28 13:25:57 UTC 2017
#21831: "Connection is Not Secure" warning.
------------------------------------------+----------------------
Reporter: jonathanfemideer | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
Browsing to certain HTTPS-protected web pages using Tor Browser 6.5.1,
with the Tor Browser Security Settings slider set to "High", results in a
red diagonal bar being drawn through the padlock that sits to the left of
the address bar. Here is a URL for such a web page:
https://www.cis.upenn.edu/~bcpierce/unison/download/releases/stable
/unison-manual.html
Clicking the crossed-out padlock while visiting that web page in Tor
Browser 6.5.1 results in a tooltip divided into three panes: top-left,
top-right, and bottom. The top-left pane says:
www.cis.upenn.edu
Connection is Not Secure
You have disabled protection on this page.
The top-right pane has an arrow. Clicking on that arrow replaces the
tooltip contents with this:
This website contains content that is not secure (such as scripts) and
your connection to it is not private.
Information you share with this site could be viewed by others (like
passwords, messages, credit cards, etc.).
[https://support.mozilla.org/1/firefox/45.8.0/Linux/en-US/mixed-content
Learn More]
At the bottom of the new tooltip contents, there is a button marked
"Enable protection" and another button marked "More Information".
Clicking the "Enable protection" button appears to have no effect, except
that it closes the tooltip and refreshes the page.
Clicking the "More Information" button launches the Page Info dialogue
box.
It seems to me that, ideally:
- The protection referred to by the "Enable protection" button should be
enabled by default (at least when the security slider is set to "High",
and maybe also for "Medium" and/or "Low"), thereby avoiding both the
security risk and the corresponding warning.
- Failing that, the protection referred to by the "Enable protection"
button should at least take effect when that button is clicked, thereby
avoiding both the security risk and the corresponding warning, at least
for that website.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21831>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list