Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
---+---
 Reporter:  tom|  Owner:  pospeselr
 Type:  defect | Status:
   |  needs_information
 Priority:  Very High  |  Milestone:
Component:  Applications/Tor Browser   |Version:
 Severity:  Normal | Resolution:
 Keywords:  ux-team, TorBrowserTeam202008  |  Actual Points:  7
Parent ID:  #33827 | Points:
 Reviewer: |Sponsor:  Sponsor27
---+---
Changes (by pili):

 * keywords:
 ux-team, TorBrowserTeam202003R, TorBrowserTeam202004,
 TorBrowserTeam202008
 => ux-team, TorBrowserTeam202008


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
-+-
 Reporter:  tom  |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_information
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  ux-team, TorBrowserTeam202003R,  |  Actual Points:  7
  TorBrowserTeam202004, TorBrowserTeam202008 |
Parent ID:  #33827   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor27
-+-
Changes (by pili):

 * sponsor:  Sponsor27-must => Sponsor27


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
+--
 Reporter:  tom |  Owner:  pospeselr
 Type:  defect  | Status:
|  needs_information
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  ux-team, TorBrowserTeam202003R  |  Actual Points:  7
Parent ID:  #30025  | Points:
 Reviewer:  |Sponsor:
|  Sponsor27-must
+--
Changes (by sysrqb):

 * status:  needs_review => needs_information


Comment:

 We should discuss this and make sure we implement the functionality we
 actually want.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
+--
 Reporter:  tom |  Owner:  pospeselr
 Type:  defect  | Status:  needs_review
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  ux-team, TorBrowserTeam202003R  |  Actual Points:  7
Parent ID:  #30025  | Points:
 Reviewer:  |Sponsor:
|  Sponsor27-must
+--

Comment (by pospeselr):

 So I took some time today and yesterday to investigate what it would take
 to implement alecmuffet's SOOC spec (which is basically a superset of the
 posted patch with additional limitations). It actually wouldn't be too
 terribly tricky to do and this is the general plan I'd follow to do so:

 > implement a  new OnionTrustDomain that implements 1.1 through 1.6 in the
 SOOC spec
 > - {{{OnionTrustDomain : public NSSCertDBTrustDomain {
 > - override {{{GetCertTrust}}} and have the implementation first call
 {{{NSSCertDBTrustDomain::GetCertTrust()}}}, and only on Success  override
 the {{{trustLevel}}} to {{{TrustLevel::Anchor}}} (some cert revocation
 checks happen here by default which I think we should *probably* keep)
 > - override {{{IsChainValid}}} and have implementation first call
 {{{NSSCertDBTrustDomain::IsChainValid()}}}, and only on Success perform
 the additional checks on our cert listed in the SOOC spec
 > in {{{CertVerifier::VerifyCert()}}, use the new {{{OnionTrustDomain}}}
 in a branch within the {{{case certificateUsageSSLServer:}}} block when
 {{{hostname}}} is an onion.

 SOOC spec: https://github.com/alecmuffett/onion-dv-certificate-
 proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.txt
 Some previous discussion alecmuffet has had with Mozilla devs:
 
https://docs.google.com/document/d/1xE5eaDMiOKphDxijK9tfIWHUB-h-fTG8tb3laofXLSc/edit#

 Overall the new patch should be straight forward, with the bulk of the new
 checks living in {{{OnionTrustDomain::IsChainValid()}}}.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
+--
 Reporter:  tom |  Owner:  pospeselr
 Type:  defect  | Status:  needs_review
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  ux-team, TorBrowserTeam202002R  |  Actual Points:  7
Parent ID:  #30025  | Points:
 Reviewer:  |Sponsor:
|  Sponsor27-must
+--
Changes (by pospeselr):

 * actualpoints:   => 7


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
+--
 Reporter:  tom |  Owner:  pospeselr
 Type:  defect  | Status:  needs_review
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  ux-team, TorBrowserTeam202002R  |  Actual Points:
Parent ID:  #30025  | Points:
 Reviewer:  |Sponsor:
|  Sponsor27-must
+--

Comment (by cypherpunks):

 comment:26

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
+--
 Reporter:  tom |  Owner:  pospeselr
 Type:  defect  | Status:  needs_review
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  ux-team, TorBrowserTeam202002R  |  Actual Points:
Parent ID:  #30025  | Points:
 Reviewer:  |Sponsor:
|  Sponsor27-must
+--

Comment (by cypherpunks):

 comment:16

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
+--
 Reporter:  tom |  Owner:  pospeselr
 Type:  defect  | Status:  needs_review
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  ux-team, TorBrowserTeam202002R  |  Actual Points:
Parent ID:  #30025  | Points:
 Reviewer:  |Sponsor:
|  Sponsor27-must
+--

Comment (by pospeselr):

 Filed a ticket requesting review:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1618382

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
+--
 Reporter:  tom |  Owner:  pospeselr
 Type:  defect  | Status:  needs_review
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  ux-team, TorBrowserTeam202002R  |  Actual Points:
Parent ID:  #30025  | Points:
 Reviewer:  |Sponsor:
|  Sponsor27-must
+--

Comment (by tom):

 I would be inclined to but this up on bugzilla and ask dkeeler for
 review

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
+--
 Reporter:  tom |  Owner:  pospeselr
 Type:  defect  | Status:  needs_review
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  ux-team, TorBrowserTeam202002R  |  Actual Points:
Parent ID:  #30025  | Points:
 Reviewer:  |Sponsor:
|  Sponsor27-must
+--
Changes (by pospeselr):

 * keywords:  ux-team => ux-team, TorBrowserTeam202002R
 * status:  assigned => needs_review


Comment:

 A surprisingly small patch seems to work for the scenarios we care about,
 and does nothing to the existing vanilla HTTPS website handling.

 Scenarios tested:

 || Scenario Name || Result ||
 || HTTP Onion || Onion Icon ||
 || HTTPS Onion Self-Signed || Onion Icon ||
 || HTTPS Onion Unknown CA || Onion Icon ||
 || HTTPS Onion EV || Onion Icon + EV Name ||
 || HTTPS Onion Wrong Domain || Onion Warning Icon, Warning Splash Screen
 ||
 || HTTPS Onion Expired Self-Signed Cert || Onion Warning Icon, Warning
 Splash Screen ||
 || HTTP(S) Onion + HTTP Script || Onion Slash Icon ||
 || HTTP(S) Onion + HTTP Content || Onion Warning Icon ||
 || HTTP(S) Onion + HTTPS Content || Onion Icon ||
 || HTTPS Onion + HTTP Form || Onion Ion + Warning Popup on Form Submit ||

 HTTP Onion + HTTP Form does not give the warning popup and is tracked to
 be fixed in #33298

 tor-browser: https://gitweb.torproject.org/user/richard/tor-
 browser.git/commit/?h=bug_13410_v1

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+
 Reporter:  tom   |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:  #30025| Points:
 Reviewer:|Sponsor:  Sponsor27-must
--+
Changes (by boklm):

 * cc: tbb-team (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+
 Reporter:  tom   |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:  #30025| Points:
 Reviewer:|Sponsor:  Sponsor27-must
--+
Changes (by pili):

 * status:  reopened => assigned
 * owner:  tbb-team => pospeselr


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:  #30025| Points:
 Reviewer:|Sponsor:  Sponsor27-must
--+

Comment (by gk):

 Closed #30108 as duplicate.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:  #30025| Points:
 Reviewer:|Sponsor:  Sponsor27-must
--+
Changes (by pili):

 * parent:   => #30025


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+---
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:  Sponsor27
--+---
Changes (by pili):

 * sponsor:   => Sponsor27


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by watt):

 Bring back the normal padlock icon for added exceptions! Now it's green as
 for valid certificates, which is nonsense!
 (And, really, add a dumb "I'm a stupid noob that wants no warns on https
 onions" checkbox to the cert error page.)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * cc: welkins (added)


Comment:

 Resolved #29163 as a duplicate.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by yawning):

 * cc: yawning (removed)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 @pastly

 Your argument is not valid at all, because you're saying onion is MITMed
 somehow.
 .onion is secure. If it's not secure, then why the Tor Project ignore
 mixed content for .onions?

 If HTTP .onion is not secure, you should verify each connection.
 HTTP .onion is secure >> then >> HTTPS .onion shall be secured because
 cert data is transported via HTTP channel.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 I spotted some V3 onions are using wildcard self-sign domain to sign their
 onions.

 https://yawning.torv3onionnamehere.onion/
 signed by: "*.torv3onionnamehere.onion"

 Because OpenSSL can't sign "yawning.torv3onionnamehere.onion" due to its
 maximum character length.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 Come on. You implemented "onion mixed content".

 Why not allow people to activate|deactivate "Ignore HTTPS onion
 certificate"?
 I really need it and I always had to see yellow security warning screen
 but hey, it's my onion!

 HTTP onion = ok
 HTTPS onion + AltMatch + DateNotExpired = MUST_PASS
 HTTPS onion + Alt Mismatch = ERROR (show security warn)
 HTTPS onion + Date Expired = ERROR

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by pastly):

 If people want certificates for their onion services, they should go
 through the process of getting a valid one. Hopefully someday there will
 be an easy way to do so like Let's Encrypt. Until then, by removing the
 warning we're appeasing the users in this ticket but potentially hurting
 many more.

 Assumption: effectively no one checks the certificates they are served,
 even if they are self-signed.

 Scenario 1: the connection is MiTM'ed somehow (there's a bad guy between
 the user and his Tor process or there's a bad guy between the web server
 and the webmaster's Tor process). The bad guy can replace the cert without
 detection because either (1) the onion service was using a self-signed
 cert and no one checks that they continue to get the **same** self-signed
 cert, or (2) because the browser has disabled cert errors. **BAD**.

 Scenario 2: the onion service has a valid cert, but the connection is
 MiTM'ed somehow. Again, the bad guy can replace the cert without
 detection. **BAD**. With current behavior, there's at least a chance that
 the user will realize something is wrong and do something about it.

 Replying to [comment:1 vynX]
 > Don't let legacy crap impede us from fully enjoying end-to-end TLS
 (which is relevant when your Tor router isn't the same machine as your Tor
 browser).

 No, let's keep the legacy ~~crap~~ security assumptions so that users know
 their transport layer has been confirmed secure by a chain of trust. Tor
 secures between Tor processes. TLS secures between browser and web server.
 Let's not lie to users about the latter.

 Yes: boo CAs suck. Down with the system. Etc. Etc. But this is silly.
 What is more intelligent is encouraging users and onion service operators
 to run Tor as close as possible to the end software (AKA "just use Tor
 Browser" to users and "run Tor on the same machine as the webserver in
 most cases, or on a very secure access-controlled network if you're a big
 corporate machine" to onion service operators).

 Replying to [ticket:13410 tom]
 > I suspect it's fairly common (or at least, we hope it's common) for
 users to type ​https:// instead of ​http://.

 I suspect users don't type either one.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by asn):

 * cc: asn (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by tokotoko):

 * cc: fdsfgs@… (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by linda):

 yawning: that sounds reasonable!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by yawning):

 * cc: yawning (added)


Comment:

 Replying to [comment:13 linda]:
 > After triaging, the ux team agrees that this warning should be removed.

 In the event that the warning is removed, the sandboxing team, requests
 that the removal be feature gated via a pref, so the new behavior can be
 disabled.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  reopened
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  ux-team   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by cypherpunks):

 * status:  closed => reopened
 * keywords:  #ux-team => ux-team
 * resolution:  fixed =>


Comment:

 No. See https://j6uhdvbhz74oefxf.onion/

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  closed
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  fixed
 Keywords:  #ux-team  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by linda):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 It turns out this is being addressed already, see: #21321

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  #ux-team  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by linda):

 After triaging, the ux team agrees that this warning should be removed.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  #ux-team  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 Tor Browser
 Orfox

 Come on people. Just ignore HTTPS warning already.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  #ux-team  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 .onion is secure.
 == connection tranport is secure
 == HTTPS is secure!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Very High |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  #ux-team  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by cypherpunks):

 * priority:  Medium => Very High


Comment:

 https://trac.torproject.org/projects/tor/ticket/22935

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  #ux-team  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by mrphs):

 * keywords:   => #ux-team
 * cc: mrphs (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by guido):

 * cc: guido@… (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 related https://trac.torproject.org/projects/tor/ticket/21767

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arma):

 See also https://blog.torproject.org/comment/268891#comment-268891 where a
 user (maybe the same user) has the same problem.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

[Tor Bug Tracker & Wiki]

#13410: Disable self-signed certificate warnings when visiting .onion sites
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 Before TBB 7.0, user can bypass this check by installing "SkipCertError"
 addon.
 Now it is not possible.

 I want TBB to say "secure" when I visit HTTPS on .onion websites.

 "Connection is not secure" is just wrong.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs