Closed arthuredelstein closed 1 year ago
bumping this to p2 since tor browser is now doing this: https://betanews.com/2022/07/17/tor-browser-11-5-is-here-with-https-only-mode-by-default-and-automatic-censorship-circumvention/
is it still open? @diracdeltas and @arthuredelstein ? can you assign me this? and guide me on how I am going to set it up locally?
Hey! Is anyone working on this issue? If not can you assign me this? Also it would be really helpful if you can provide any resources which can help us in this issue.
nobody has been working on this, PRs are welcome. but if you get stuck let us know and we can figure out someone at brave to assign.
I'll be taking on this issue shortly. @ArshErgon or @Sranjan0208: if you already started working on this, please let me know -- you can reach me at aedelstein AT brave DOT com.
I'd like to take a look at it, but can you give any hints at what files to look at in the src code?
Related issue: https://github.com/brave/brave-browser/issues/1136
Ideas for QA tests on Brave Desktop:

Test 1
Please test the following insecure websites in a normal window, a Private Window, and a Private Window with Tor.
In normal and Private Windows, these sites should load with `http://`. In a Private Window with Tor, the browser should show an interstitial warning page with the message "The connection to $website is not secure." For each website, if you press "Continue to Site" it should load the website under `http://`. If you press "Go back" it should show the previous page.

Test 2
Please test the following upgradable websites in a normal window, a Private Window, and a Private Window with Tor:
http://upgradable.arthuredelstein.net
In normal and Private Windows, these sites should load with `http://`. In a Private Window with Tor, the site should automatically load with `https://`. No warning pages should be shown.

Test 3
Please test the following self-upgrading secure websites in a normal window, a Private Window, and a Private Window with Tor:
These sites should automatically upgrade to `https://` in all windows without any warning pages.

Test 4
Please test the following .onion sites in a Private Window with Tor:
`http://`, but should load without showing an error page because .onion sites are secure without requiring `https://`.

PASSED using

Brave | 1.45.74 Chromium: 106.0.5249.55 (Official Build) beta (x86_64) |
---|---|
Revision | 4d5f098fca6ab7f4b6b7c240be3d9593c2357709-refs/branch-heads/5249@{#531} |
OS | macOS Version 11.7 (Build 20G817) |
Screenshots (images not preserved):

- http://http.badssl.com/: normal window | private window | private window w/tor, interstitial | fully loaded
- http://insecure.arthuredelstein.net: normal window | private window | private window w/tor, interstitial | fully loaded
- http://example.com: normal window | private window | private window w/tor
- http://upgradable.arthuredelstein.net: normal window | private window | private window w/tor
- http://brave.com: normal window | private window | private window w/tor
- http://github.com: normal window | private window | private window w/tor
- riseup | Tor Project | Keybase
@arthuredelstein thank you so much for the testcases! 🙏
@stephendonner Thank you for the great QA! To confirm -- does "full" refer to what happens after pressing the "continue to site" button?
Yes, let me change it to "fully loaded" for clarity 👍
Verification PASSED using

Brave | 1.46.83 Chromium: 107.0.5304.68 (Official Build) beta (64-bit)
-- | --
Revision | a4e93e89d3b3df1be22214603fba846ad0183ca5-refs/branch-heads/5304@{#991}
OS | Windows 11 Version 21H2 (Build 22000.1098)
Case 1: http://http.badssl.com/
- `http://http.badssl.com/` site loaded with `http://` in normal and Private Windows
- `http://http.badssl.com/` site in private window with TOR: interstitial warning page with the message "The connection to $website is not secure."
- Continue to Site, the website loads under `http://`.
- Go back in the interstitial page, navigated to previous page.

Screenshots (images not preserved): Normal | Private window | Private window w/TOR, interstitial | Fully loaded, continue | previous page, Go back
Case 2: http://insecure.arthuredelstein.net/
- `http://insecure.arthuredelstein.net/` site loaded with `http://` in normal and Private Windows
- `http://insecure.arthuredelstein.net/` site in private window with TOR: interstitial warning page with the message "The connection to $website is not secure."
- `http://`.

Screenshots (images not preserved): Normal | Private window | Private window w/TOR, interstitial | Fully loaded, continue | previous page, click back
Case 1: http://example.com/
- `http://example.com/` site loaded with `http://` in normal and Private Windows
- `http://example.com/` site loaded automatically with `https://` in private window with TOR. No warning pages shown.

Screenshots (images not preserved): Normal | Private window | Private window w/TOR
Case 2: http://upgradable.arthuredelstein.net/
- `http://upgradable.arthuredelstein.net/` site loaded with `http://` in normal and Private Windows
- `http://upgradable.arthuredelstein.net/` site loaded automatically with `https://` in private window with TOR. No warning pages shown.

Screenshots (images not preserved): Normal | Private window | Private window w/TOR
- `http://brave.com/` - site should automatically upgrade to `https://` in all windows without any warning pages.
- `http://github.com` - site should automatically upgrade to `https://` in all windows without any warning pages.

Case 1: http://brave.com/
Screenshots (images not preserved): Normal | Private window | Private window w/TOR

Case 2: http://github.com
Screenshots (images not preserved): Normal | Private window | Private window w/TOR
`.onion` sites in a Private Window with Tor - PASSED

Case 1: loaded following `.onion` sites using `http://`, and no error page displayed because `.onion` sites are secure without requiring `https://`.
- Riseup: http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/
- Tor Project: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/
- Keybase: http://keybase5wmilwokqirssclfnsqrjdsi7jdir5wy7y7iu3tanwmtp6oid.onion/ - (site was down for this URL so not tested)

Screenshots (images not preserved): Riseup | Torproject
@MadhaviSeelam Thanks for the great QA. Unfortunately upgradable.arthuredelstein.net was temporarily offline, but I have fixed it now.
@arthuredelstein thanks for fixing the URL. Was going to reach out to you in fact and that worked. Now I need help again from you. Keybase onion site is throwing an error `This site can't be reached`
I have the same problem with Keybase, it seems like their Onion site/gateway might be down.
Thanks @fmarier for confirming!!
Verified with
Brave 1.46.106 Chromium: 107.0.5304.110 (Official Build) beta (64-bit)
Revision 2a558545ab7e6fb8177002bf44d4fc1717cb2998-refs/branch-heads/5304@{#1202}
OS Linux
To enhance the safety of users of Tor windows, we should enable HTTPS-Only Mode by default.
HTTPS-Only Mode is currently opt-in. When it is enabled, attempting to visit an insecure website results in the following interstitial page from Chromium:
We can consider whether to add more information to the message on this page that is Tor-specific.