Tor enabled windows are not secure

Hi, I was trying out your browser and was very impressed until I opened a private window with Tor. When I looked up at the address bar there was an exclamation mark which told me that I was not secure. This was there for all of the 2 minutes I had the window open. I think in the Tor browser you can only have the window a certain size and cannot resize it. Might this warning be because the Tor enabled window is full sized? I don’t know but I didn’t feel comfortable using the window with that warning there the whole time…maybe you should look into it…or could it be a bug or a problem that I’m having myself? I’m totally new to Brave so maybe I’m doing something wrong.

Hi, @benni. If you mean the exclamation mark at the left of the address bar (which can also show as a lock or an x), like this (note: reuters.com is secure on page reload if not first load):
[image]
that refers to the security of the site you’re going to, not the implementation of Tor. It usually means the site either doesn’t have a security certificate (you’re connecting to http://site.com instead of https://site.com) or the certificate’s expired, so information exchanged is potentially vulnerable. When you click “Learn more” in the dropdown, it takes you to the page Brave has addressing this here:
https://support.brave.com/hc/en-us/articles/360018185871-How-do-I-check-if-a-site-s-connection-is-secure-

That page is in the Private Browsing section of Brave’s help pages, and it might be a good idea to review others of them.

To see if your Tor connection is working, you can go to https://check.torproject.org/. It will tell you you’re not using the Tor Browser, which you aren’t, so don’t be surprised (you’re using Brave’s implementation of Tor in a browser, not Tor’s).

I’ve never heard of sizing limits on Tor browser windows, and Brave’s don’t launch fullscreen in any of my systems, but I don’t know that they would break Tor, anyway.


If you still have concerns about this, @benni, could you share what version of Brave you’re using (type brave://version in the address bar), whether it’s the general/Beta/Dev(eloper) release, your operating system (Windows/Mac/Linux), and what version of the OS you’re running? And if you’re comfortable doing so, one of the sites you visit(ed) that produces the exclamation mark?

I’m running Brave Dev 0.63.4 Chromium: 73.0.3683.67 (Official Build) dev (64-bit) on MacOS 10.14.3 (use Apple Menu–>About This Mac), for example, as well as Brave general release Version 0.60.48 Chromium: 72.0.3626.121 (Official Build) (64-bit) on Windows 10 10.0.17763 Build 17763 (Start–>Windows Administrative Tools–>System Information).

There’s also a suggested format for bug reporting found here: https://support.brave.com/hc/en-us/articles/360018228951-Submitting-a-Bug-Report.

@hnktong: Thanks for explaining. I was getting the exclamation mark so does that mean the page was not secure? I will have another look at it again, especially for the drop-down menu. I didn’t know that was there but isn’t it a little pointless having a private window running Tor without https? Windows in Tor browser only fill some of the screen and the Tor project website says resizing is dangerous. I might have phrased this badly, Brave was not full screen rather the window just fit the screen. Sorry.

I am running Windows 10 Home and the version of Brave is the latest. I got it from the Brave website just 2 or 3 days ago if that’s any help. I was trying out an onion link in Brave (is that okay?) which was this: http://hss3uro2hsxfogfq.onion/ which worked. Unfortunately another thing I was trying with Brave (as I am new to it) was blocking images so it would load even faster. Images were not blocked in the private window which I was a little disappointed about. Should I file a bug report about these issues? Brave is very impressive otherwise.

The security icon and security status of the website has nothing (or at least very little) to do with the implementation of Tor - it’s the “fault” of the site you’re visiting. I tried it in a Brave Private Window with Tor and got the circle-x “site not secure” warning, and clicking on it, found no reference to a security certificate, so my guess is they don’t have one and rely on Tor for security of information and/or don’t care as long as it’s on the .onion protocol (maybe .onion is inherently encrypted beyond Tor’s stuff - I don’t know).

If you visit a plain http:// site with a normal browser window (if you can find one these days or use a browser that doesn’t automatically switch to https://), it will show the same thing, because the site doesn’t have a security certificate.

Also, any Tor browser should give the exact same result as you and I got in a Brave Tor window. To test this hypothesis, I downloaded the latest Tor Browser for Mac from torproject.org and tried the link you supplied. Indeed, as you can see from the screenshot below, Tor says the same thing, because it’s the site’s fault. It simply isn’t due to Brave, and there is no bug causing it - it’s a feature. Unless someone’s heard otherwise, there’s nothing wrong with Brave’s Tor implementation as far as I know. As for whether it’s safe to visit a .onion site that gives that warning, I would have to do more research. I’d suggest hitting the Private Browsing pages I pointed you to before or go to torproject.org and look for stuff about the .onion protocol. Have a good night.

The onion protocol is end-to-end encrypted between the onion service and your browser. Some onion sites also use HTTPS with a CA certificate because they want the standard browser padlock indicator for an HTTPS site or for another layer of slightly-more-modern TLS, but it’s not strictly necessary.

So, @benni, what @toml is saying is that the .onion site you go to is secure even though your Tor browser window says it isn’t, and that any .onion site that is shown as secure in the address bar has a security certificate that isn’t necessary, but gives people a feeling of security. Please correct me if I’m wrong, @toml.

The insecurity indication in this case is a bug: Brave ought to treat all connections to onion services as secure, because the onion name itself (like hss3uro2hsxfogfq.onion) is self-authenticating so there is no need for a third-party certification authority to certify that the owner of some web server is the owner of the name brave.com. We have an open issue for this: https://github.com/brave/brave-browser/issues/1135

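The self-authenticating property described in the last reply, as an added example that is not part of the original thread and is not Brave's or Tor's code: an onion name is derived from the service's public key, so a client can check the key a service presents against the name itself, with no certification authority involved. The key bytes are constructed stand-ins, the function names are hypothetical, and the 56-character v3 format goes beyond the 16-character v2 name quoted in the thread.

```python
import base64
import hashlib

V3_VERSION = b"\x03"

def v2_name(rsa_pub_der: bytes) -> str:
    """16-char v2 name: base32 of the first 80 bits of SHA-1 over the DER RSA key."""
    return base64.b32encode(hashlib.sha1(rsa_pub_der).digest()[:10]).decode().lower() + ".onion"

def v3_checksum(ed25519_pub: bytes) -> bytes:
    """First two bytes of SHA3-256 over a fixed prefix, the key and the version."""
    return hashlib.sha3_256(b".onion checksum" + ed25519_pub + V3_VERSION).digest()[:2]

def v3_name(ed25519_pub: bytes) -> str:
    """56-char v3 name: base32 of pubkey || checksum || version."""
    if len(ed25519_pub) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    raw = ed25519_pub + v3_checksum(ed25519_pub) + V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def v3_pubkey_from_name(name: str) -> bytes:
    """Recover the public key a v3 name commits to; reject typos and wrong versions."""
    label = name.strip().lower()
    if not label.endswith(".onion") or len(label) != 56 + len(".onion"):
        raise ValueError("not a v3 onion name")
    raw = base64.b32decode(label[:56].upper())
    pub, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != v3_checksum(pub):
        raise ValueError("bad version or checksum")
    return pub

def key_matches_name(name: str, presented_key: bytes) -> bool:
    """True only if the key the service presents is the one its name encodes."""
    label = name.strip().lower().rsplit(".onion", 1)[0]
    try:
        if len(label) == 16:
            return v2_name(presented_key) == label + ".onion"
        return v3_pubkey_from_name(name) == presented_key
    except ValueError:
        return False

# Constructed stand-in key material (not real service keys).
GENUINE_V3 = bytes(range(32))
IMPOSTOR_V3 = bytes([0xFF]) * 32
GENUINE_V2_DER = b"constructed stand-in for a DER-encoded RSA public key"

if __name__ == "__main__":
    name = v3_name(GENUINE_V3)
    print(name, key_matches_name(name, GENUINE_V3), key_matches_name(name, IMPOSTOR_V3))
```

A server holding a different key fails the check however it is reached, which is the guarantee a CA-issued certificate provides for ordinary domain names.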
