[tbb-bugs] #28005 [Applications/Tor Browser]: Officially support onions in HTTPS-Everywhere
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Feb 27 15:34:10 UTC 2020
#28005: Officially support onions in HTTPS-Everywhere
-------------------------------------------------+-------------------------
Reporter: asn | Owner: tbb-
| team
Type: defect | Status:
| needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tor-hs, https-everywhere, tor-ux, | Actual Points: 15
network-team-roadmap-november, network-team- |
roadmap-2020Q1, TorBrowserTeam202002 |
Parent ID: #30029 | Points: 20
Reviewer: mcs, sysrqb | Sponsor:
| Sponsor27-must
-------------------------------------------------+-------------------------
Comment (by antonela):
Thanks for your build acat! It works really smoothly on my end :)
Replying to [comment:21 acat]:
> Some comments:
>
> This implementation does not display `.tor.onion` in the urlbar if the
user has navigated to the corresponding `.onion` directly, only when it
has done so with `.tor.onion`. We also keep the human-memorable hostname
in the urlbar for navigations triggered from that page, as long as they
are in the same origin. This made the implementation a bit more
complicated than I would have liked, since we have to keep track for each
"tab" whether we should rewrite the urlbar to `.tor.onion` (we navigated
to a `.tor.onion`) or not (we navigated to .onion directly). The
implementation would be significantly simpler if we would treat the two
cases in the same way (always show `.tor.onion`, even if user navigated
directly to the corresponding .onion). But I'm not sure if that's
acceptable UX-wise. If so, we could do that in a next revision, although
that would require changes to https-everywhere (we should be able to ask,
for a given `.onion`, whether https-everywhere knows of some human-
memorable `.tor.onion`).
>
>
I really expect to render the memorable name at the URL bar in both cases:
using the .onion and using the .tor.onion. If it requires a patch on
https-e then we can work with https-e folks on it for the next release.
> Regarding the `Click to Copy` + ellipsis implementation in the circuit
display, something I'm not sure of is whether we should be copying just
the `.onion` domain, or the full URL. I would say I expect it to copy just
the domain (since that's the text we are showing), so I'm not sure if
that's fine as a solution for the "I want to copy the real `.onion` URL
when it's rewritten to `.tor.onion`" use case. Besides, should we also
show the trimmed .onion with ellipsis in the "Site information for ..."?
The mockups do not show that, in that case the name from the EV
certificate is used (Pro Public, Inc.).
>
>
The main reason for the `click to copy` feature is allowing users to
(manually) check integrity. So, yes. The circuit display should render the
onion address, always. I remember a discussion about using
(https://trac.torproject.org/projects/tor/ticket/30024#comment:4).,
trimmed addresses).
Also, we should use the memorable name at "Site information for.." header.
From now, memorable names are onion services alias. Something that might
be interesting for the next iteration is working on the second level
navigation of the identity doorhanger (Site Security) to improve the
information showed there. We may want to show the origin entire onionsite
address and also if it exists, data about certificates. There is room for
improvement on that section for advanced users.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28005#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list