(Sending this email again because I failed to copy tor-dev@.)
On Mon, Aug 17, 2020 at 12:16:08PM -0700, Philipp Winter wrote:
Hi Matt,
We recently started experimenting with the Salmon social bridge distributor: https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/31873
We are now exploring the possibility of storing some Salmon-related data on a user's computer and are wondering what our options are. The data we're talking about is a lightweight, signed, and encrypted blurb that contains a user's social graph, proxies, and registration ID.
One option to store this data is Tor's data directory, but that doesn't seem ideal because Salmon isn't a PT and technically has nothing to do with Tor. Is Tor Browser an option here? Or does the "disk avoidance" design goal mean that we don't get to store anything at all? A last-resort option would be to simply hand the blurb to the user and ask them to store it somewhere, but we would like to find a more usable way to handle this.
Thanks, Philipp
On Thu, Aug 20, 2020 at 11:30:09AM -0700, Philipp Winter wrote:
We recently started experimenting with the Salmon social bridge distributor: https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/31873
We are now exploring the possibility of storing some Salmon-related data on a user's computer and are wondering what our options are. The data we're talking about is a lightweight, signed, and encrypted blurb that contains a user's social graph, proxies, and registration ID.
One option to store this data is Tor's data directory, but that doesn't seem ideal because Salmon isn't a PT and technically has nothing to do with Tor. Is Tor Browser an option here? Or does the "disk avoidance" design goal mean that we don't get to store anything at all? A last-resort option would be to simply hand the blurb to the user and ask them to store it somewhere, but we would like to find a more usable way to handle this.
This is a really good question. Tor Browser's "Disk Avoidance" goal is "prevent all disk records of browser activity" [0]. However, this is only the default operating mode. A user should be given the option of recording certain browser activity on disk (such as saving bookmarks).
In the case of Salmon, writing a person's social graph and ID on disk (encrypted or plaintext) is a requirement of a user participating in the Salmon distributor, yes? While Salmon is not the only distributor, I think writing it within Tor Browser's directory is an appropriate place as long as the user is given sufficient information about the data contained in the file and they consent to storing it (participating).
Overall, putting the burden on the user for saving the file somewhere else seems really bad for usability (and, therefore, security and privacy). I can imagine saving the file externally being an option, but I don't think it should be the default.
Hopefully this helps, but please let me know if I can clarify anything more.
- Matt
[0] https://2019.www.torproject.org/projects/torbrowser/design/#disk-avoidance