Tor nextgen v3 is stronger encryption than TLS v1.2, and Firefox refuses to allow an http login with a Tor v3 connection to a hidden service, telling users it is insecure
After 30 days of testing my Nextcloud server on port 80, using a mix of peers using version 3 nextgen Tor to reach Nextcloud as a Tor hidden service .onion site concurrently with peers using the regular http www domain.name, I added a signed, verified SSL certificate to open the site to the greater public with its https domain.name. However, now Firefox and all other browsers I have tried reject attempts to connect via Tor to my Nextcloud site's login via its .onion address, citing its http as insecure.
Tor v3 nextgen uses elliptic-curve-enhanced end-to-end encryption, which will be found in TLS v1.3 when that becomes available, but it is stronger than the strongest existing TLS v1.2 encryption suites; yet Firefox is falsely telling users caught up in this situation that the connection is insecure and refuses to allow a Tor http login.
I understand browsers throwing up a clearnet http non-local insecure login warning or even blocking it, but blocking such logins by default locally and also via Tor is absurd, and telling users that their http connection via a Tor hidden service, whose encryption is certainly stronger than TLS v1.2, is 'insecure' is flat wrong and could be seen as a deliberate lie as well.
All Replies (14)
Why would a Firefox user be trying to connect to an onion router?
Tor is built on the Firefox Extended Release Version source code.
https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean
There is security software like Avast / AVG, Kaspersky, BitDefender and ESET that intercepts secure connections and sends its own certificate.
This causes issues almost monthly from one of them; a few just released new major updates. Send them to the Community Forum of the above programs to see if there are workarounds or if others have the issue.
- https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
- https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
- https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
- https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
- http://kb.mozillazine.org/Error_loading_websites
Please let us know if this solved your issue or if you need further assistance.
Hi ASmith-, I honestly do not know the difference between connecting to a server directly and via onion routing, other than how it affects your IP address. Are the intermediate nodes proxying the connection?
Regarding the way Firefox's error page is worded, unfortunately, Firefox does not always explain clearly in the initial text why a secure connection could not be formed. It's a guess based on common scenarios. If you click the "Advanced" button there should be more precise information.
Since error page text is translated into numerous languages, changes are not made lightly and take time.
As for what you can do for compatibility, if you have a list of protocols and ciphers allowed on your server, you can check for overlap with your browsers using the list generated on this page:
https://www.ssllabs.com/ssltest/viewMyClient.html
You may need to support fallback protocols/ciphers.
Firefox as of 60.0 Release and 60.0 ESR supports TLS 1.3 by default now.
jscher2000 said
Hi ASmith-, I honestly do not know the difference between connecting to a server directly and via onion routing, other than how it affects your IP address. Are the intermediate nodes proxying the connection? Regarding the way Firefox's error page is worded, unfortunately, Firefox does not always explain clearly in the initial text why a secure connection could not be formed. It's a guess based on common scenarios. If you click the "Advanced" button there should be more precise information. Since error page text is translated into numerous languages, changes are not made lightly and take time.
As for what you can do for compatibility, if you have a list of protocols and ciphers allowed on your server, you can check for overlap with your browsers using the list generated on this page:
https://www.ssllabs.com/ssltest/viewMyClient.html
You may need to support fallback protocols/ciphers.
Hi jscher2000, the major difference between regular 'clearnet' connections and those via the Tor network is the use of the Tor onion router. There are common, everyday detections used and available that discern yes, that is a Tor-routed connection, and no, that is not. An http Tor-routed connection is secure on a login page. An http public clearnet connection is insecure on a login page. For 5 years I told the LinuxMint developers their http login page was really insecure; they appear to have waited until bandits poached multiple administrative login passwords and then struck a blow by using them.
It's sad and dishonest to tell a Firefox browser user that a Tor-routed http login page connection is 'insecure'. That's a lie; that is not an honest assessment, and it should be changed to state nothing, because that connection is heavily encrypted and secure.
Pkshadow said
Why would a Firefox user be trying to connect to an onion router? Tor is built on the Firefox Extended Release Version source code. https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean There is security software like Avast / AVG, Kaspersky, BitDefender and ESET that intercepts secure connections and sends its own certificate. This causes issues almost monthly from one of them; a few just released new major updates. Send them to the Community Forum of the above programs to see if there are workarounds or if others have the issue. Please let us know if this solved your issue or if you need further assistance.
- https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
- https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
- https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
- https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
- http://kb.mozillazine.org/Error_loading_websites
Quite a number use the regular Firefox browser proxied via the Tor network and also additionally through the I2P network. In this police-state era, why are you even asking why anyone would use the regular Firefox browser proxied via Tor, and not even mention the Tor Browser ('Firefox Browser') at the same time in such a post?
James said
Firefox as of 60.0 Release and 60.0 ESR supports TLS 1.3 by default now.
How in the moons of Moondor does that possibly answer the question of why the Firefox browser is dishonestly telling a Tor-routed user of the Firefox browser that a Tor-routed http login page is insecure? That is dishonest and a LIE. The elliptic curve encryption suite connection used by v3 Tor is as strong as TLS v1.3, the strongest clearnet https encryption suite that will soon be available, and Tor v3 has had that running for 6 months.
In essence you are stating Firefox has caught up with the encryption strength standard Tor has had in place and used for the past 6 months, and ignoring that the present Firefox browser is telling all Tor users that an http login page made via the Tor-routed onion network is 'insecure'. That is not only telling Firefox users a lie but it's turning people away from a secure location and a secure connection by falsely proclaiming that site and login 'insecure'.
HTTP or HTTPS??
I don't understand how an HTTP connection to domain.name can be considered secure. For Firefox, "secure" means the browser and server formed an encrypted connection, end-to-end, opaque to all intermediaries. If you are not using HTTPS in Firefox, then isn't your login being forwarded in the clear at some stage?
If the problem is an error page with an HTTPS address, please see my previous comment. We don't have enough information about your particular error scenario to know what's going on there (click "Advanced" and let us know what that section says).
jscher2000 said
HTTP or HTTPS?? I don't understand how an HTTP connection to domain.name can be considered secure. For Firefox, "secure" means the browser and server formed an encrypted connection, end-to-end, opaque to all intermediaries. If you are not using HTTPS in Firefox, then isn't your login being forwarded in the clear at some stage? If the problem is an error page with an HTTPS address, please see my previous comment. We don't have enough information about your particular error scenario to know what's going on there (click "Advanced" and let us know what that section says).
No, a Tor-routed Firefox browser to a Tor hidden service domain.onion URL is end-to-end heavily encrypted, even stronger than TLS v1.2 https connections with PFS and the strongest cipher suite you can use for a public distant peer or public website.
It sounds like you are seeing the lower-layer clearnet as the only online connection game out there; however, the Firefox browser's proxy ability changes all of that. A Tor hidden service doesn't exit out of the Tor network, making it an end-to-end encrypted connection in an upper network layer protected on each end by elliptic curve keys. Instead of the Firefox browser being a teaching tool, it's openly providing misinformation, a lie that an http connection to a Tor hidden service login is insecure, and that is not serving the Firefox project nor the Tor Project with the professional honesty and integrity which both deserve.
If you would like to continue condemning Firefox Volunteer Support, feel free to do so.
Pkshadow said
If you would like to continue condemning Firefox Volunteer Support, feel free to do so.
If you wish to relay and echo that telling Firefox browser users running a Tor proxy to an http Tor hidden service login page that it is refused due to an 'insecure connection' is not remotely accurate and not remotely true, that would be helpful, if that is your aim and goal.
From reading the replies, the Firefox warning on an http Tor login page, and its refusal now to accept it because of an 'insecure connection', is entirely misinformation and teaches a lie, which is neither professional nor in keeping with the Mozilla developers' foundational values. The Mozilla developers have every right to block all Tor hidden services if that is their choice; however, lying about a Tor-routed end-to-end encrypted connection, protected on both ends by elliptic curves, by refusing this connection because of an http 'insecure connection' is spreading misinformation about security and technology which is entirely out of touch with the Firefox browser's goals.
Hi, so are we going to get to some constructive ideas on how to fix the issue as it pertains to the setup(s) you have described?
As mentioned, volunteers cannot make changes to Firefox, influence policy, design, implementation or anything else that you would like done.
You can go to the 3-bar menu --> Help --> Submit Feedback; this will be reviewed by a team of Mozilla employees that can make changes. Or here, but it is the same place: https://qsurvey.mozilla.com/s3/FirefoxInput/
Or contribute, like building the Firefox you would want: https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Introduction Hang out on irc.mozilla.org in #developers and watch for interesting conversations. Introduce yourself in #introduction and ask questions. Go to http://bugzilla.mozilla.org and start searching for open bugs in components that relate to your issue. Use tools like http://mxr.mozilla.org/ and http://dxr.mozilla.org to help you locate the relevant code, and ask questions in #developers. Follow Mozilla development blogs: http://hacks.mozilla.org
In other words, find what you're looking to do through other channels and communication.
This here unfortunately stays here and is probably not seen by anyone that can make changes.
So with that, all we can do to help you is to troubleshoot and use known fixes for issues.
G'luck with your server.
Hi ASmith-, what's the exact error message you get on the HTTP page? Is it something different from what you see on the password field here:
http://www.jeffersonscher.com/res/logintest.html
Please copy/paste the details if it's a full-page error message.
Also, can you share the address of the page, or a sample page demonstrating the same problem?
jscher2000 said
Hi ASmith-, what's the exact error message you get on the HTTP page? Is it something different from what you see on the password field here: http://www.jeffersonscher.com/res/logintest.html Please copy/paste the details if it's a full-page error message. Also, can you share the address of the page, or a sample page demonstrating the same problem?
Once the Firefox browser gets a plaintext signed, verified SSL certificate lodged under the hood in the Firefox browser, it throws up all manner of user roadblocks to using a 'secure' http .onion domain to access that same website thereafter.
Since virtually all websites operating in the 'clear-net' now are being deliberately pushed to port 443 with accepted, verified and signed SSL certificates, that deliberately slams the door on all secure http port 80 usage.
Folks here can't even understand how http secure port 80 usage can even exist. That comes directly from the Firefox browser repeatedly telling them an inaccurate finding. You can politically correctly call it a 'false positive', but I call it dishonest and a lie, and I have repeatedly pointed out that a Firefox SOCKS5 proxy connection via the onion router to a domain.onion Tor hidden service website is strongly secure on an http port 80 connection.
ASmith- said
Once the Firefox browser gets a plaintext signed, verified SSL certificate lodged under the hood in the Firefox browser, it throws up all manner of user roadblocks to using a 'secure' http .onion domain to access that same website thereafter.
What is the roadblock, exactly? Is it a problem with HTTP Strict Transport Security (HSTS)? I'm pretty sure that would be down to your server's configuration. If you want users to be able to use HTTP and HTTPS interchangeably rather than being forced to use HTTPS, then turn off HSTS.
Folks here can't even understand how http secure port 80 usage can even exist. That comes directly from the Firefox browser repeatedly telling them an inaccurate finding. You can politically correctly call it a 'false positive', but I call it dishonest and a lie, and I have repeatedly pointed out that a Firefox SOCKS5 proxy connection via the onion router to a domain.onion Tor hidden service website is strongly secure on an http port 80 connection.
I see you want to change the definition browser makers use for "secure connection" from end-to-end SSL to something else. That's definitely beyond the scope of support. Maybe you should try convincing Tor to advocate your position; they work closely with Mozilla.
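For the HSTS possibility raised in the reply above, here is an added example (my own code, not from this thread, Mozilla, Tor or Nextcloud) that parses a Strict-Transport-Security header and reports what a browser will do with it for a given URL, following the rules in RFC 6797. The sample responses are constructed; `domain.name` is the placeholder used in the thread and `example.onion` is a placeholder of my own, not a real address. The example shows the two points that matter for a site served both as https://domain.name and as an http .onion: a browser only honours HSTS received over HTTPS, and a stored policy is keyed by hostname, so a policy learned from the public https vhost does not by itself apply to a separate .onion hostname.

```python
"""Added example: what a browser does with a Strict-Transport-Security header.

Assumptions (mine, not from the thread): sample headers below are constructed;
hostnames are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header value (RFC 6797). Returns None when no usable
    max-age is present; browsers ignore such a header too."""
    max_age = None
    include_sub = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')          # max-age may be a quoted string
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def hsts_effect(url: str, headers: Dict[str, str]) -> str:
    """Describe how a browser treats the HSTS header of one response.

    Rules applied: honoured only over HTTPS; the policy is stored per hostname;
    max-age=0 deletes a policy previously stored for that host.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    hsts_value = None
    for name, val in headers.items():        # header names are case-insensitive
        if name.lower() == "strict-transport-security":
            hsts_value = val
            break
    if hsts_value is None:
        return f"{host}: no HSTS header; http:// and https:// can be used side by side"
    if parts.scheme != "https":
        return f"{host}: HSTS header received over {parts.scheme}; browsers ignore it"
    policy = parse_hsts(hsts_value)
    if policy is None:
        return f"{host}: malformed HSTS header; browsers ignore it"
    if policy.max_age == 0:
        return f"{host}: max-age=0 clears any stored HSTS policy for this host"
    scope = "this host and its subdomains" if policy.include_subdomains else "this host only"
    return (f"{host}: browsers will rewrite http:// to https:// for {scope} "
            f"for the next {policy.max_age} seconds")


# Constructed sample responses: the public https vhost sends HSTS, the onion
# vhost is reached over plain http (placeholder hostnames).
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    ("https://domain.name/login",
     {"Content-Type": "text/html",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains"}),
    ("http://example.onion/login",
     {"Content-Type": "text/html",
      "Strict-Transport-Security": "max-age=15552000"}),
    ("http://example.onion/login",
     {"Content-Type": "text/html"}),
]


def diagnose(responses=SAMPLE_RESPONSES) -> List[str]:
    """Run hsts_effect over a list of (url, headers) pairs."""
    return [hsts_effect(url, hdrs) for url, hdrs in responses]


if __name__ == "__main__":
    for line in diagnose():
        print(line)
```

Nextcloud's admin security check asks for this header, and it is normally added in the web-server vhost configuration; a separate server block for the .onion hostname can leave it out while the public https vhost keeps it, which is the situation the third sample response models.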