Communicating security expectations for .onion: what to say about different padlock states for .onion services
= Background =
Firefox (and other browsers) have created a set of states a site can have in relation to SSL certificates, along with ways to communicate them to the user.
Currently, Tor Browser doesn't communicate ideally to users that visit onion sites--i.e. http + onion looks really scary with lots of warnings! This is something that was discussed under legacy/trac#21321 (moved). We then realized that we should look at all the different state + .onion combinations, and carefully communicate what these mean to the user.
= Objective =
The work on this ticket is to map all the current states Firefox has for SSL certificates on the padlock, and from there start to build a new way to communicate these states when they are related to .onion sites. We started mapping them here:
https://docs.google.com/document/d/1KHkj2DpmFMB0mjHEfehD5ztY2L0lQzKNtZqct1TXbmg/edit
The most difficult part of the work is still pending, which is to define what to do for .onion sites in those states.
Final Version
https://docs.google.com/document/d/1bPrNLIl7Qy-sA7aTfElu80Xk2eXzTfH_5BGTOUDK8XU/edit