On Wed, Feb 7, 2018 at 4:18 AM, Georg Koppen <gk@torproject.org> wrote:
> While preparing the proposal I tried to read up on all the older discussions we had about how to improve the design of our security controls. In particular, in your last comment on #21034 you seemed to be thinking that we could largely avoid doing what you are suggesting above by addressing the tickets you mentioned there (and probably more). That's actually part of the proposal as written (see section 3.3). So, I am a bit curious whether you changed your mind and if so to hear about new arguments.
My original thinking for #21034 was to try to address two problems: (1) The set of options exposed by NoScript is complex. (2) Users may be trying to use the (global) security slider for individual sites. I have. :( As I sort of mentioned in that comment in #21034, I think #22981 (enabling video/audio on HTTPS sites for Medium security) will be particularly helpful for these two problems by making it rarely necessary for users at Medium Security to make adjustments via NoScript or the security slider. But, on the other hand, if we decide against #22981, then I think #21034 remains important.
Also, since I wrote that comment, I have realized there is another problem: (3) NoScript does not respect FPI. So I do lean more toward some kind of solution for #22981 again.
Each of (1), (2), and (3) has different possible solutions. For me, a per-site security toggle seems to be the cleanest solution to all three issues. But of course there are many possible alternatives that would solve these issues to varying degrees.
> [snip] After all you allowed it in the first place in any context and hence in this particular site context as well.
Can you explain what you mean by this? I'm not sure I understand it.
> [snip] As indicated above that does not help with an easy answer to the important question about which security state I am actually in.
I agree it would be good to display an indicator about what global security state you're in.
> [snip] So, my suggestion would be to expose a single toggle option: namely, [all-features-disabled | all-features-enabled].
Hm. I am not sure yet. I am not convinced we need to expose users to the dangers of WebGL, SVG etc. just because they need scripts enabled on a website.
Suppose you think there is a 10% chance that website X.com will be serving an exploit. Do you enable scripts, but not WebGL? I feel this question is too large a burden on users. It requires them to understand what scripts and WebGL are! :) And it presumes some level of risk analysis that is basically impossible (what's more dangerous, scripts, or WebGL?). So I think we should provide some sort of simplified set of options that guide users to reasonable decisions.
Maybe we could make progress by considering a set of thought-experiment user stories (or even, user studies) visiting particular websites and describing what the decision making process should be. For example, if I visit YouTube (which has scripts, video and audio) under High Security or under Medium Security, what should my decision making process be? How many decisions/clicks should be required to get the website working, and at what stage do I decide to give up for security reasons? What security/privacy mistakes could I make and how can Tor Browser prevent those mistakes? Other important sites might be online games, social media, Google documents, etc.
Arthur