Brave-browser: Handle .onions in all contexts

Created on 22 Aug 2018  路  10Comments  路  Source: brave/brave-browser

Description

It seems generally unlikely that anyone entering a .onion address into the address bar means to browse to that site without Tor or to make DNS requests regarding it. When someone does so, we should probably treat it as an oversight. At the very least, we should not tell anyone else about it (no DNS lookups, for instance). But perhaps we should do more and provide a useful notification or even smoothly redirect them to a Private Window with Tor?

Design

Show a "Open in Tor" button in the URL bar when user enters a .onion address or address with .onion available.

image

Dark Theme

Dark theme is supported:
image

Assets

Figma: https://www.figma.com/file/5THkuEtO2Ewn9LfqrHZP9a/?node-id=0%3A1

ODesktop QA Pass-Win64 QA Pass-macOS QTest-Plan-Specified QYes browser-laptop-parity featurprivate-browsing featurtor prioritP3 release-noteinclude
Source
picture tomlowenthal
👍14

Most helpful comment

I'm embarrassed that I didn't think of this before. I think it makes sense to treat .onion sites just like any other site if you open it in a non-private window. No need to make a big deal out of it, just quietly use Tor behind the scenes and modify the security indicator to indicate that Brave is relying on the onion protocol rather than HTTPS.

picture tomlowenthal on 12 Dec 2018
👍52

All 10 comments

The RFC on .onions agrees with you.

   2.  Application Software: Applications (including proxies) that
       implement the Tor protocol MUST recognize .onion names as special
       by either accessing them directly or using a proxy (e.g., SOCKS
       [RFC1928]) to do so.  Applications that do not implement the Tor
       protocol SHOULD generate an error upon the use of .onion and
       SHOULD NOT perform a DNS lookup.

From RFC 7686 - The ".onion" Special-Use Domain Name

Mikaela picture Mikaela on 8 Oct 2018

+1 from #1460 for auto switch for .onion domains

srirambv picture srirambv on 9 Oct 2018
👍1

Since .onion domains have very high levels of anonymity in the first place. You should be able to just send it to 127.0.0.1:9050 if TOR is running. For I2p many people utilize Foxy Proxy to auto-utilize I2p for .i2p domains (same can be done for .onion domains). Something similar could be done for Brave. This would be an awesome feature to have by default.

asddsaz picture asddsaz on 5 Nov 2018
👍2

Supporting .onion addresses in all contexts would be a game-changer for Brave as a browser. There is no browser doing that yet. To be honest, having a separate private Tor window is too much hassle. There is already TorBrowser as a separate window.
Navigating privacy friendly .onion addresses should be as easy as navigating normal web, not harder.

librarymd picture librarymd on 11 Dec 2018
👍32

I'm embarrassed that I didn't think of this before. I think it makes sense to treat .onion sites just like any other site if you open it in a non-private window. No need to make a big deal out of it, just quietly use Tor behind the scenes and modify the security indicator to indicate that Brave is relying on the onion protocol rather than HTTPS.

tomlowenthal picture tomlowenthal on 12 Dec 2018
👍52

I second @librarymd here and I'm excited that @tomlowenthal thinks this is a good idea!

Combined with #148 / #1121, this would be a huge on-ramp for mainstream users onto a more network privacy preserving Web.

It would also be a great incentive for publishers to have onion addresses, since it suddenly opens them to a much wider audience and makes the investment more worthwhile.

Is there a timeline for this landing?

P.S.: We can even dream that at some point the UX can follow the transition from HTTP to HTTPS where the encrypted version was at first a "bonus security enhancement" that had flashy positive signage, and later became the default, with _negative_ signage for when it's lacking (unencrypted HTTP).

So first a flashy green onion saying "this website is amazing" and later "you're trying to visit a non-onion website, which is terrible for privacy, are you sure?" But first things first.

agentofuser picture agentofuser on 10 Mar 2019
👍1

+1 from @Merith-TK via https://github.com/brave/brave-browser/issues/7078

Description

So the idea kinda follows along the lines of this
when you click on a tornet link, (.onion), or enter a .onion address in your browser, have a small popup that asks if you want to actually go to this adress, and if the user clicks "Yes" open a tortab with that URL

Or maybe set a default page or persistance book marks

bsclifton picture bsclifton on 25 Nov 2019

Designs added!

karenkliu picture karenkliu on 29 Sep 2020

Verification in progress with

Brave   1.17.65 Chromium: 87.0.4280.49 (Official Build) unknown (x86_64)
Revision    f77f85899646b42a1d3c8ff36794e00becab9171-refs/branch-heads/4280@{#1115}
OS  macOS Version 10.14.6 (Build 18G6032)

Verified test plan from https://github.com/brave/brave-core/pull/6762

Logged the following issues:

  • https://github.com/brave/brave-browser/issues/12610

Encountered the following issues:

  • https://github.com/brave/brave-browser/issues/4299 / https://github.com/brave/brave-browser/issues/11611

onion-location header:


Non Tor window

Checked for Normal, Private, Guest windows:

Tor SS 1
Tor SS 3
Tor SS4


Tor window

Checked for Tor window:

Tor SS 2


Tor disabled

Checked for Normal, Private, Guest windows:

Tor SS 5
Tor SS 6
Tor SS 7

Brave   1.17.67 Chromium: 87.0.4280.49 (Official Build) unknown (x86_64)
Revision    f77f85899646b42a1d3c8ff36794e00becab9171-refs/branch-heads/4280@{#1115}
OS  macOS Version 10.14.6 (Build 18G6032)

onion-location header:


Automatically redirect .onion site - Non Tor window

Default value of Automatically redirect .onion sites is off:

Onion1

Enabled this setting and checked test plan from PR for Normal, Private, Guest windows. Confirmed when tab containing brave.com was not the only tab in the window, it was closed

Tab w/ brave.com was not the only tab in the window, so the tab was closed:

Normal1

Tab w/ brave.com was the only tab in the window, so the tab was not closed:

Normal2

Tab w/ brave.com was not the only tab in the window, so the tab was closed:

Private1

Tab w/ brave.com was the only tab in the window, so the tab was not closed:

Private2

Does not work for Guest window. Logged https://github.com/brave/brave-browser/issues/12644.

Guest


Automatically redirect .onion site - Tor window

Tab w/ brave.com was not the only tab in the window, so the tab was closed:

Tor1

Tab w/ brave.com was the only tab in the window, so the tab was not closed:

Tor2

.onion domain:
*note - does not require "Automatically redirect .onion sites" to be toggled ON


Non Tor window

Verified for Normal, Private, Guest windows:

Normal
Private
Guest


Tor window

Tor


Tor is disabled

N1
P1
G1

Verification passed on

Brave | 1.17.68 Chromium: 87.0.4280.49聽(Oficjalna wersja)聽(64-bitowa)
-- | --
Wersja | f77f85899646b42a1d3c8ff36794e00becab9171-refs/branch-heads/4280@{#1115}
System operacyjny | Windows聽7 Service Pack 1 (Build 7601.24544)

Verified test plan from https://github.com/brave/brave-core/pull/6762

onion-location header:


Non Tor window

Checked for Normal, Private, Guest windows:

image
image
image
image


Tor window

Checked for Tor window:

image


Tor disabled

Checked for Normal, Private, Guest windows:

image
image
image

LaurenWags picture LaurenWags on 10 Nov 2020

address with .onion available

Why is this icon needed when the user is _not_ in a Tor window and _not_ typing .onion, just browsing a site that has one? I imagine a lot of Facebook and DuckDuckGo users getting accidentally redirected to Tor window and not knowing why it was suggested...

Madis0 picture Madis0 on 11 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

GeetaSarvadnya picture GeetaSarvadnya  路  3Comments
kerry-perret picture kerry-perret  路  3Comments
bsclifton picture bsclifton  路  3Comments
kjozwiak picture kjozwiak  路  3Comments
simonhong picture simonhong  路  3Comments