-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Treat HTTP onion services as secure origins #1135
Comments
Relevant Tor Browser discussion: https://trac.torproject.org/projects/tor/ticket/23247 |
Why is this marked as P4? It definitely blocks the ability to use the subtle crypto API on onion sites which is pretty limiting. Especially since SSL certs are onerous to set up and in this case unnecesary, since onions are self authenticating. |
Bump - would really like to use Brave more, but this is a major blocker for me and I know I'm not alone. Any updates? |
2nd annual bump - this issue seems to get mentioned a lot, any traction? |
Yeah this feels like it'd be a small change, I know there was a branch for it a while back. Maybe if the maintainers had some advice on how to tackle this as an outside contributor that could be really helpful for anyone watching this thread. |
I literally have to stop using Brave because of this issue. Please address it! |
My service is impacted by this issue and it is forcing me to recommend the Tor browser over Brave, which I would prefer not to. |
Tor onion services don't have an HTTPS transport. But the onion services protocol provides more substantial confidentiality, integrity, and authenticity guarantees than HTTPS (in addition to anonymity). We should treat these connections as at least as secure as HTTPS origins, and provide an appropriate connection status indicator.
The text was updated successfully, but these errors were encountered: