.onion indicator for non-self-signed but non-trusted sites
With #23247 (moved) (really great addition btw!) implemented, I tried to visit https://www.ysp4gfuhnmj6b4mb.onion/
This page uses a custom CA, which is not trusted by tor browser (or any other browser by default) and is reachable through .onion with a correct CN in the certificate.
Now currently with TB 8.0 I get a "Your connection is not secure" (SEC_ERROR_UNKNOWN_ISSUER), but at the same time a green onion+padlock indicator. This is quite confusing.
Reading through #23247 (moved) I am not sure what the intended behavior would be. But self-signed certificates are trusted when accessed through .onion. From that point of view it does not make much sense to handle certificates signed by untrusted CAs differently.
My expectation would be to not see the untrusted issuer warning and get the green onion without padlock indicator.
Trac:
Username: o--