Watchtower and .onion domains
The watchtower "Unsecured websites" tab lists a lot of credentials on .onion domains.
Since these are actually accessed via tor, the fact that the URL is http (rather than https) doesn't imply they're unsafe.
I think any passwords for http://*.onion should never be considered unsafe.
Also, things like 127.0.0.1 and localhost should never be considered unsafe due to the lack of https either.
(Note: 1Password X redirects to the website for watchtower, but there's not "website" subforum, so I guess this is the right place to report this...?).
1Password Version: Not Provided
Extension Version: 1.19.0
OS Version: ArchLinux
Sync Type: 1Password
Comments
-
Thanks for reaching out and for sharing your thoughts with me, @WhyNotHugo! I'm honestly not sure we'd ever make exceptions to http URLs being flagged as
Unsecured Websitesin Watchtower, but I went ahead and passed your feedback along to the rest of my team. This is the first time I've heard of this being requested, but I do understand where you're coming from. We'll continue to keep track of it on our end.ref: dev/projects/customer-feature-requests#170
0 -
Just to add a bit of clarity; they're technically not insecure. Traffic to
localhostand alike stays withing the local computer and never travels through the network, so there's no change of it being intercepted.Traffic to
.oniontravels through tor, which, arguable, is better hardened thanhttps. It can't be intercepted, and, more importantly, there's no real support forhttpsfor these domains, since it kinda doesn't make sense.I'm not saying "please add these exceptions", I'm saying "these are not unsecured websites". Showing this in the list is just wrong information. I'd call this more a bugfix request than an enhancement request.
0 -
We're on the same page, @WhyNotHugo. :) Thanks.
Ben
0
