Watchtower and .onion domains

WhyNotHugo · May 2020

The watchtower "Unsecured websites" tab lists a lot of credentials on .onion domains.
Since these are actually accessed via tor, the fact that the URL is http (rather than https) doesn't imply they're unsafe.

I think any passwords for http://*.onion should never be considered unsafe.

Also, things like 127.0.0.1 and localhost should never be considered unsafe due to the lack of https either.

(Note: 1Password X redirects to the website for watchtower, but there's not "website" subforum, so I guess this is the right place to report this...?).

1Password Version: Not Provided
Extension Version: 1.19.0
OS Version: ArchLinux
Sync Type: 1Password

kaitlyn · May 2020

Thanks for reaching out and for sharing your thoughts with me, @WhyNotHugo! I'm honestly not sure we'd ever make exceptions to http URLs being flagged as Unsecured Websites in Watchtower, but I went ahead and passed your feedback along to the rest of my team. This is the first time I've heard of this being requested, but I do understand where you're coming from. We'll continue to keep track of it on our end.

ref: dev/projects/customer-feature-requests#170

WhyNotHugo · May 2020

Just to add a bit of clarity; they're technically not insecure. Traffic to localhost and alike stays withing the local computer and never travels through the network, so there's no change of it being intercepted.

Traffic to .onion travels through tor, which, arguable, is better hardened than https. It can't be intercepted, and, more importantly, there's no real support for https for these domains, since it kinda doesn't make sense.

I'm not saying "please add these exceptions", I'm saying "these are not unsecured websites". Showing this in the list is just wrong information. I'd call this more a bugfix request than an enhancement request.

Ben · May 2020

We're on the same page, @WhyNotHugo. :) Thanks.

Ben

Watchtower and .onion domains

Comments