Tom Ritter:
It seems reasonable but my first question is the UI. Do you have a proposal? The password field UI works, in my opinion, because it shows up when the password field is focused on. Assuming one uses the mouse to click on it (and doesn't tab to it from the username) - they see it.
How would you communicate this for .onion links or bitcoin text? These fields are static text and would not be interacted with in the same way as a password field.
A link could indeed be clicked - so that's a hook for UX... A bitcoin address would probably be highlighted for copying so that's another hook... But what should it do?
Thank you all for the suggestions in this thread. I agree that we need to tie down a preliminary UI. I'm seeing two key hooks that we could use:
* Detecting navigation from an insecure page to an onion URL or bitcoin:// address. * Reading and alerting to Bitcoin or onion addresses in the clipboard buffer.
I've been working on a proof-of-concept extension which implements both of these hooks.
The "clipboardRead" permission is needed to read the contents of the clipboard from a Firefox extension. This was implemented in Firefox 54 (2017-02-13) in Mozilla bug #1312260 [1]. Unfortunately it will be quite some time before Firefox 54 is included in an ESR release. The Mozilla patch for this permission is < 100 lines. Is this a feature that the TBB team might consider back-porting to Tor Browser?
I agree with David, this UI should be as intrusive as possible to prevent users from shooting themselves in the foot. IMO navigation to onion URLs from HTTP should be completely blocked. I also think that we should wipe the users clipboard buffer if we detect a valid Bitcoin address in it.
The UI could suggest that a user manually retypes the Bitcoin or onion address if they are certain that it is correct. I hope this type of intrusive warning will reduce risky behaviour and encourage any Tor related web services to move to TLS only.
I'll try to report back with a demo for testing next week. Please reply if you have any comments or suggestions.
Regards, Donncha