"Warning: Potential Security Risk Ahead" should ignore .onion TLD
Categories: Core :: Security: PSM, defect
People: Reporter k4w8gk44o4c0ogwwww4sw0ookok4gc44, Unassigned
Details
User Agent: Mozilla
Steps to reproduce:
- Configure Firefox to use Tor SOCKS proxy.
- Open any .onion HTTPS websites.
Actual results:
Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
What can you do about it?
The issue is most likely with the website, and there is nothing you can do to resolve it.
If you are on a corporate network or using anti-virus software, you can reach out to the support teams for assistance. You can also notify the website’s administrator about the problem.
Expected results:
Ignore certificate warning IF the expiration date is okay (not expired) AND Common name matches hostname (valid).
- The .onion TLD connection is already encrypted by Tor itself.
- There is absolutely no reason to shout "Potential Security Risk Ahead" because everything above the onion connection is already secured and verified by Tor.
- The message "Firefox detected a potential security threat" is clearly misleading. If you think https .onion is a threat, you had better mark http .onion as a threat too.
- Mozilla already created some exceptions for the onion domain:
dom.securecontext.whitelist_onions false
dom.security.https_only_mode.upgrade_onion false
network.dns.blockDotOnion true
network.http.referer.hideOnionSource false
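The acceptance rule stated under "Expected results" (certificate not expired, and a certificate name matching the hostname, applied only to .onion hosts) written out as a small Python model. This is an added example for this page, not Firefox or PSM code; the certificate dict, the 56-character hostname and the clock value are constructed placeholders in the shape returned by ssl.SSLSocket.getpeercert().

```python
import ssl
import time

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); not a real
# certificate, and the hostname is a made-up 56-character v3 onion label.
SAMPLE_ONION_HOST = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwd.onion"
SAMPLE_ONION_CERT = {
    "subject": ((("commonName", SAMPLE_ONION_HOST),),),
    "subjectAltName": (("DNS", SAMPLE_ONION_HOST),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2034 GMT",
}
# Constructed "current time" inside the validity window above.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2030 GMT")


def is_onion_host(hostname: str) -> bool:
    """True only for hostnames under the .onion TLD (trailing dot tolerated)."""
    return hostname.lower().rstrip(".").endswith(".onion")


def cert_dns_names(cert: dict) -> list:
    """DNS names the certificate claims: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost-label wildcard such as *.example.onion."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.onion"
        head, sep, rest = hostname.partition(".")
        return bool(head) and sep == "." and "." + rest == suffix
    return False


def cert_valid_at(cert: dict, now: float) -> bool:
    """notBefore <= now <= notAfter, using the GMT strings getpeercert() provides."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def onion_cert_acceptable(cert: dict, hostname: str, now: float = None) -> tuple:
    """Evaluate the proposed .onion rule and return (accepted, reason).

    The relaxation is scoped to .onion hosts only; any other hostname is
    reported as not covered, i.e. it keeps ordinary CA chain validation.
    """
    if now is None:
        now = time.time()
    if not is_onion_host(hostname):
        return False, "not an .onion host: use normal CA chain validation"
    if not cert_valid_at(cert, now):
        return False, "certificate is outside its validity period"
    if not any(name_matches(n, hostname) for n in cert_dns_names(cert)):
        return False, "no certificate name matches the hostname"
    return True, "valid period and hostname match: suppress the issuer warning"


if __name__ == "__main__":
    print(onion_cert_acceptable(SAMPLE_ONION_CERT, SAMPLE_ONION_HOST, SAMPLE_NOW))
    print(onion_cert_acceptable(SAMPLE_ONION_CERT, "example.com", SAMPLE_NOW))
```

The decision function never applies the relaxed rule outside .onion: a clearnet hostname comes back as "use normal CA chain validation" rather than being accepted, so the two conditions from the report only ever replace the issuer check for onion services.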
Comment 1 • 4 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Updated • 4 years ago