On 6 April 2017 at 07:53, Donncha O'Cearbhaill donncha@donncha.is wrote:
Tom Ritter:
It seems reasonable but my first question is the UI. Do you have a proposal? The password field UI works, in my opinion, because it shows up when the password field is focused on. Assuming one uses the mouse to click on it (and doesn't tab to it from the username) - they see it.
How would you communicate this for .onion links or bitcoin text? These fields are static text and would not be interacted with in the same way as a password field.
A link could indeed be clicked - so that's a hook for UX... A bitcoin address would probably be highlighted for copying so that's another hook... But what should it do?
Thank you all for the suggestions in this thread. I agree that we need to tie down a preliminary UI. I'm seeing two key hooks that we could use:
- Detecting navigation from an insecure page to an onion URL or bitcoin:// address.
- Reading and alerting to Bitcoin or onion addresses in the clipboard buffer.
I've been working on a proof-of-concept extension which implements both of these hooks.
The "clipboardRead" permission is needed to read the contents of the clipboard from a Firefox extension. This was implemented in Firefox 54 (2017-02-13) in Mozilla bug #1312260 [1]. Unfortunately it will be quite some time before Firefox 54 is included in an ESR release. The Mozilla patch for this permission is < 100 lines. Is this a feature that the TBB team might consider back-porting to Tor Browser?
I agree with David, this UI should be as intrusive as possible to prevent users from shooting themselves in the foot. IMO navigation to onion URLs from HTTP should be completely blocked. I also think that we should wipe the user's clipboard buffer if we detect a valid Bitcoin address in it.
The UI could suggest that a user manually retypes the Bitcoin or onion address if they are certain that it is correct. I hope this type of intrusive warning will reduce risky behaviour and encourage any Tor related web services to move to TLS only.
[no hats]
Please no. Please give any sort of intrusive whatever I have to click through but do not make me manually retype a bitcoin or onion address. This is a usability nightmare, I would prefer you completely hide the value entirely, so the user thinks it's a problem with the website rather than hating Tor Browser.
Here's another idea besides click-through banners: using the extension, create some sort of scratchpad that auto-populates the bitcoin/onion address (and the user's Exit Node). Then reload the page in a new circuit. Detect or prompt the user to compare them. If they're the same, say "Phew, okay everything seems to be okay" and if they're not, say "Jinkies! Would you consider pasting this information in a bug report so we can investigate?"
Caveat: I don't know how common it is for HTTP websites with bitcoin addresses to auto-generate payment addresses for privacy.
-tom
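
The comparison step of the scratchpad idea above, as an added example that is not part of the original thread or of the proof-of-concept extension: it extracts onion and Bitcoin addresses from two loads of the same page and reports which ones differ. The regular expressions (legacy Base58 Bitcoin addresses matched by pattern only, 16- or 56-character onion names) and all function names are assumptions, and the sample pages are constructed.

```javascript
// Added example; patterns and names are assumptions, not taken from the thread.
// Onion hostnames: 16 (v2) or 56 (v3) base32 characters followed by ".onion".
const ONION_RE = /\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b/gi;
// Legacy Base58 Bitcoin addresses (start with 1 or 3); pattern match only, no checksum.
const BTC_RE = /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g;

// Return the de-duplicated, sorted addresses found in a page's text.
function extractAddresses(text) {
  const onion = (text.match(ONION_RE) || []).map((s) => s.toLowerCase());
  const bitcoin = text.match(BTC_RE) || [];
  return {
    onion: [...new Set(onion)].sort(),
    bitcoin: [...new Set(bitcoin)].sort(),
  };
}

// Compare what two loads of the same page (e.g. over different circuits) showed.
// Returns the per-kind differences so the UI can display them for a bug report.
function compareLoads(firstText, secondText) {
  const a = extractAddresses(firstText);
  const b = extractAddresses(secondText);
  const diff = {};
  for (const kind of ["onion", "bitcoin"]) {
    diff[kind] = {
      onlyFirst: a[kind].filter((x) => !b[kind].includes(x)),
      onlySecond: b[kind].filter((x) => !a[kind].includes(x)),
    };
  }
  const changed = Object.values(diff).some(
    (d) => d.onlyFirst.length > 0 || d.onlySecond.length > 0
  );
  return { consistent: !changed, diff };
}

// Constructed sample input: the same page as seen on two loads.
const ADDR_A = "1" + "A".repeat(33); // constructed, not a real address
const ADDR_B = "1" + "B".repeat(33); // constructed, not a real address
const LOAD_1 = `Donate: ${ADDR_A} or visit http://aaaaaaaaaaaaaaaa.onion/`;
const LOAD_2 = `Donate: ${ADDR_B} or visit http://aaaaaaaaaaaaaaaa.onion/`;

console.log(JSON.stringify(compareLoads(LOAD_1, LOAD_2), null, 2));
```

A mismatch here is only a signal to show the user both values: as the caveat in the message notes, a site that generates a fresh payment address per visit would also differ between loads.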