[tor-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 29 17:10:58 UTC 2017
#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
--------------------------------------+--------------------------
Reporter: isabela | Owner: tbb-team
Type: project | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by tom):
Right now you can't get a DV onion cert. There's a recent thread on
drafting a ballot to allow them in the CAB Forum, with early support, but
there's no guarantee it will pass. No DV onion certs means no Let's
Encrypt. And once DV is allowed, LE would need to develop the software
needed to validate .onions automatically, which would take some time as
well.
---
My thoughts:
Graphics wise I think all of them look good.
I don't think we should put the word 'Onion' either though. In fact, doing
so overloads the location where EV data is displayed, so if I got a
company called 'Onion' I could make it look like I had an onion address!
I'm not sure what the (i) button is intended to show graphics wise. "There
is information for you to review here"? I presume it opens the current
doorhanger thing that lets you get certificate information and review
permissions.
I don't know if there was a path forward agreed upon that was not
documented here, but policy-wise this is a bit different from what I at
least envisioned.
1) An HTTP Onion is Orange. Orange indicates a warning state. I don't
believe we should communicate that HTTP Onion is 'warning'. It's almost
always better than HTTP in fact, which we give 'grey' treatment. So I
think HTTP+Onion should either be Grey or Green.
2) EV HTTPS + Onion has an info bubble but does not display the company
name like EV does for HTTPS. I think we should be consistent here and
display the company name here.
3) I don't understand why HTTPS onion lacks a (i) but self-signed HTTPS
onion has it. Both of them should let you review the information. So the
(i) definetly is implying some sort of state about the website, but it's
confusing what I'm supposed to be able to draw from this.
4) It seems like we need to make a decision: is a self-signed SSL cert on
a .onion:
a) completely meaningless
b) an indicator something is wrong
c) an indicator of trust.
These would correspond to:
a) the same icon as a http onion
b) an orange or red icon
c) a green icon
I don't think a self-signed cert is an indicator of trust, so it wouldn't
automatically mean it gets a green icon. I also don't think it's an
indicator something is wrong, so automatically giving it orange or red are
out too. So it should match an HTTP Onion icon *but* allow you to view
the certificate in the doorhanger.
My 2 cents.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list