Bug 23247: Communicating security expectations for .onion (!187) · Merge requests · The Tor Project / Applications / Tor Browser

richard requested to merge richard/tor-browser:40570 into tor-browser-91.0b5-11.0-2 Aug 02, 2021

Encrypting pages hosted on Onion Services with SSL/TLS is redundant (in terms of hiding content) as all traffic within the Tor network is already fully encrypted. Therefore, serving HTTP pages from an Onion Service is more or less fine.

Prior to this patch, Tor Browser would mostly treat pages delivered via Onion Services as well as pages delivered in the ordinary fashion over the internet in the same way. This created some inconsistencies in behaviour and misinformation presented to the user relating to the security of pages delivered via Onion Services:

HTTP Onion Service pages did not have any 'lock' icon indicating the site was secure
HTTP Onion Service pages would be marked as unencrypted in the Page Info screen
Mixed-mode content restrictions did not apply to HTTP Onion Service pages embedding Non-Onion HTTP content

This patch fixes the above issues, and also adds several new 'Onion' icons to the mix to indicate all of the various permutations of Onion Services hosted HTTP or HTTPS pages with HTTP or HTTPS content.

Strings for Onion Service Page Info page are pulled from Torbutton's localization strings.

Compare to: 8d7fb952

Closes #40570 (closed)

Edited Aug 02, 2021 by richard

Bug 23247: Communicating security expectations for .onion

Merge request reports