Skip to content

.onion indicator for non-self-signed but non-trusted sites

With legacy/trac#23247 (moved) (really great addition btw!) implemented, I tried to visit https://www.ysp4gfuhnmj6b4mb.onion/

This page uses a custom CA, which is not trusted by tor browser (or any other browser by default) and is reachable through .onion with a correct CN in the certificate.

Now currently with TB 8.0 I get a "Your connection is not secure" (SEC_ERROR_UNKNOWN_ISSUER), but at the same time a green onion+padlock indicator. This is quite confusing.

Reading through legacy/trac#23247 (moved) I am not sure what the intended behavior would be. But self-signed certificates are trusted when accessed through .onion. From that point of view it does not make much sense to handle certificates signed by untrusted CAs differently.

My expectation would be to not see the untrusted issuer warning and get the green onion without padlock indicator.

Trac:
Username: o--

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information