[tor-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 11 16:01:48 UTC 2017


#21321: .onion HTTP is shown as non-secure in Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Blocker                              |     Resolution:
 Keywords:  ff52-esr, tbb-usability, ux-team,    |  Actual Points:
  TorBrowserTeam201707                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by linda):

 The UX team triaged the ticket today with Geko and catalyst a part of the
 conversation.

 We decided that keeping the padlock icon as is but removing the warning is
 the best course of action for now.

 The core issue here is that the lock icon indicates if it is http/https.
 But what users really want to know is if the website is secure or not.
 While turning the lock icon to look secure would be telling them what they
 want to know ("yes, it is secure"), it is lying to them (since the
 indicator technically means that it is or is not https).

 We have been discussing what we should do going forward--there were a lot
 of ideas, including: showing both an .onion icon and http/s icon and
 having a message for each combination of states, overriding the https and
 just showing the onion icon when on a .onion website (not messing with the
 https icon to lie, but to omit it), or focusing on just getting the user
 to use .onion AND https.

 The issue is complicated though: .onion sites are secure, but is it
 more/less/as secure as https? The answer is unclear. .onion sites can
 easily be phishing sites due to their address, and have different security
 guarantees than https. What happens with loading http images on a .onion
 http site? etc. Any feedback welcome.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:39>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

