Re: [tor-bugs] #21321 [Applications/Tor Browser]: .onion HTTP is shown as non-secure in Tor Browser

[Tor Bug Tracker & Wiki]

#21321: .onion HTTP is shown as non-secure in Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Blocker                              |     Resolution:
 Keywords:  ff52-esr, tbb-usability, ux-team,    |  Actual Points:
  TorBrowserTeam201706                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by linda):

 Hi, the UX team has reviewed this ticket, and we recommend removing the
 warnings as soon as possible and working on messaging thereafter.

 I think that there are two problems to solve, 1) the password and padlock
 warnings are misleading users, telling them that something is secure when
 it isn't 2) educating users on what secure means. I think that we can, and
 should, solve these issues independently. Getting rid of the warnings will
 be a much better improvement than leaving them up, even if there is no
 explanation.

 Of course, it would be good to educate users on why .onion sites are
 secure. When we onboard users to Tor, we should mention .onion sites and
 other features on first use, and show information on .onion sites when
 they first visit an onion website. Additionally, we can also put a message
 when you click on or hover over the "secure" indicator (something like
 [https://share.riseup.net/#fi-f_QKZqY8pV8Kf0BXR9g this]) that says why
 .onion sites are safe, for people who are wondering why it is safe.

 I, Linda, especially agree with mrphs'  comment, who suggested:

 Replying to [comment:19 mrphs]:

 > 1- Remove the password warning. (this is immediate)
 > 2- Remove the padlock warning. (also immediate, preferably at the same
 time with 1)
 > 3- Improve our messaging with user about .onion URLs in Tor Browser to
 make sure we're consistent (more long-term but prevents us from situations
 like this)

 We're essentially recommending the same thing, with an emphasis on
 separating out 1+2 from 3.

 > I guess the reason I'm leaving this comment is that we don't get into a
 rabbit hole that gets us away from fixing this immediate need.

 +1, we should fix this issue, and solve on working on user understanding
 later. Ultimately, the warnings are more confusing and interrupting user
 flow.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21321#comment:34>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs