Automatically redirect .onion sites

Description of the issue:
I’m currently encountering some undesirable behavior when Automatically redirect .onion sites is enabled (under brave://settings/extensions):

  1. In a regular window, navigating to a webpage for which there exists an onion version will result in the page opening both the onion version in a Private with Tor window and the regular version in a regular new tab.
    This is a potential security risk, because visiting a page (or even any page from the same host) simultaneously through both Tor and directly can identify you if your internet connection drops.

  2. In a Private with Tor window, navigating to a webpage for which an onion version exists will open both the onion and the regular domains in the Private with Tor window.

  3. If Always use secure connections is enabled (under brave://settings/security), that will also be applied in the Private with Tor window. I.e. your attempt to connect to an onion site will be forced over TLS. Obviously, hardly any onion domains have TLS certification, so this leads to a rather pointless insecure connection warning asking whether you want to proceed.

How can this issue be reproduced?

  1. Enable Automatically redirect .onion sites under brave://settings/extensions
  2. Enable Always use secure connections under brave://settings/security
  3. Either enter the URL for, or click a link to any webpage that has an onion version, e.g. https://www.torproject.org/

Expected result:
When Automatically redirect .onion sites is enabled, navigating to a webpage for which an onion version exists should only open the onion version in a Private with Tor window. If Always use secure connections is also enabled, the Private with Tor window should pass onion domains (or at least those without a TLS certificate) without throwing up an insecure connection warning.

Brave Version:
Brave: Version 1.34.81 (Chromium: 97.0.4692.99) (Official Build) (64-bit)
Brave: Version 1.35.100 (Chromium: 98.0.4758.87) (Official Build) (64-bit)

Additional Information:
Feel free to move to https://community.brave.com/c/misc/private-tabs-with-tor/35 if that seems more appropriate.

Automatically redirect .onion sites is working as expected, but you have a good point. There is already an open issue; feel free to drop your concern there.
