[Pkg-privacy-maintainers] Bug#886286: torbrowser-launcher: Tor Browser says .onion sites (like http://sejnfjrq6szgca7v.onion/) are not secure

[Diederik de Haas]

Package: torbrowser-launcher
Version: 0.2.8-6
Severity: normal
Tags: upstream

If you go to http://sejnfjrq6szgca7v.onion/ (debian.org onion site) with
Tor Browser, obtained via torbrowser-launcher program, you don't see the 
green bar/lock like you see with https sites. If you click on the 'i' icon 
to get site information, it says 'Connection is Not Secure' and the 
'details' page says it's not private.

I'm guessing Tor Browser says so because Firefox sees an http, not
https, connection. But it's conclusion in the case of Tor Browser with
an .onion site seems incorrect to me.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-2-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages torbrowser-launcher depends on:
ii  ca-certificates   20170717
ii  gnupg             2.2.3-1
ii  libdbus-glib-1-2  0.108-3
ii  python            2.7.14-4
ii  python-gtk2       2.24.0-5.1+b1
ii  python-lzma       0.5.3-3
ii  python-parsley    1.2-1
ii  python-psutil     5.4.2-1
ii  python-twisted    17.9.0-1
ii  python-txsocksx   1.15.0.2-1

Versions of packages torbrowser-launcher recommends:
ii  tor  0.3.2.8-rc-1

Versions of packages torbrowser-launcher suggests:
ii  apparmor       2.11.1-4
ii  python-pygame  1.9.3+dfsg-2+b1

-- no debconf information