Crowdsourcing some guidelines for what it means to make a web site "Tor-friendly"
Hello friends, I hope 2018 is off to a good start wherever this finds you. So for those who aren't aware, my NGO, Aspiration, advises other NGOs and activists on technology as part of our core mission. And a common piece of advice we proffer is "make sure your web site works well with Tor Browser", i.e., doesn't use Flash or overly depend on Javascript. The more I have given that advice, the more I have wondered if it was documented anywhere what it actually takes to be a "Tor-friendly" site. Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page: https://pad.riseup.net/p/torfriendlysite I'm writing to ask folks on this list to both add any thoughts you have on the matter, and to correct or comment on anything that's already there and doesn't seem quite right. Any contributions, both to the pad or emailed to me directly, are most appreciated. This is especially true if you know of relevant documentation anywhere else that I should be looking at. Once folks have weighed in, I will figure out where to post this on the Tor wiki and elsewhere in order to make it more broadly and reliably available. And if for any reason you think this is an ill-informed endeavor, I welcome that feedback as well :^) thanks & peace, gunner -- Allen Gunn Executive Director, Aspiration +1.415.216.7252 www.aspirationtech.org Aspiration: "Better Tools for a Better World" Read our Manifesto: http://aspirationtech.org/publications/manifesto Twitter: www.twitter.com/aspirationtech
Allen Gunn:
Hello friends,
I hope 2018 is off to a good start wherever this finds you.
So for those who aren't aware, my NGO, Aspiration, advises other NGOs and activists on technology as part of our core mission.
And a common piece of advice we proffer is "make sure your web site works well with Tor Browser", i.e., doesn't use Flash or overly depend on Javascript.
For *years* I've had a custom "badge" of sorts on queair.net indicating the site is "Tor friendly." It seems a worthwhile low-level campaign to wage that might not be relevant today, but can be tomorrow. A well-signed but small log (maybe like the 'valid css' one?) could be useful. Or even a "Tor-friendly check" www-based tool might be an interesting direction. It could check Flash easily enough, and maybe diff the site over plain old HTTP versus over torsocks.
The more I have given that advice, the more I have wondered if it was documented anywhere what it actually takes to be a "Tor-friendly" site.
Yes. Simple enough with old-school HTML and perl-based mailforms. Not so much with more complex contemporary sites.
Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page:
While not prolific, it's a solid start.
I'm writing to ask folks on this list to both add any thoughts you have on the matter, and to correct or comment on anything that's already there and doesn't seem quite right.
Any contributions, both to the pad or emailed to me directly, are most appreciated.
This is especially true if you know of relevant documentation anywhere else that I should be looking at.
Once folks have weighed in, I will figure out where to post this on the Tor wiki and elsewhere in order to make it more broadly and reliably available.
And if for any reason you think this is an ill-informed endeavor, I welcome that feedback as well :^)
All of the guidelines might be useful for sites not yet online, but for sites already up and functional, migrating to "Tor friendly" is going to be the challenge. I also think it might be useful to give a brief "tagline" to the idea of a Tor friendly www site, such as "allowing anonymity by design, not by privacy policies" since I think it could be counterposed to long and legelese-written privacy policies. From one angle, it's about enabling anonymity by the user, and not necessarily doing anything in particular for them. g -- 34A6 0A1F F8EF B465 866F F0C5 5D92 1FD1 ECF6 1682
Howdy, On 01/02/2018 06:01 AM, George wrote:
Allen Gunn:
Hello friends,
I hope 2018 is off to a good start wherever this finds you.
So for those who aren't aware, my NGO, Aspiration, advises other NGOs and activists on technology as part of our core mission.
And a common piece of advice we proffer is "make sure your web site works well with Tor Browser", i.e., doesn't use Flash or overly depend on Javascript.
For *years* I've had a custom "badge" of sorts on queair.net indicating the site is "Tor friendly." It seems a worthwhile low-level campaign to wage that might not be relevant today, but can be tomorrow.
A well-signed but small log (maybe like the 'valid css' one?) could be useful.
Or even a "Tor-friendly check" www-based tool might be an interesting direction. It could check Flash easily enough, and maybe diff the site over plain old HTTP versus over torsocks.
These are all great thoughts, thanks.
The more I have given that advice, the more I have wondered if it was documented anywhere what it actually takes to be a "Tor-friendly" site.
Yes. Simple enough with old-school HTML and perl-based mailforms. Not so much with more complex contemporary sites.
Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page:
While not prolific, it's a solid start.
Thanks :^)
I'm writing to ask folks on this list to both add any thoughts you have on the matter, and to correct or comment on anything that's already there and doesn't seem quite right.
Any contributions, both to the pad or emailed to me directly, are most appreciated.
This is especially true if you know of relevant documentation anywhere else that I should be looking at.
Once folks have weighed in, I will figure out where to post this on the Tor wiki and elsewhere in order to make it more broadly and reliably available.
And if for any reason you think this is an ill-informed endeavor, I welcome that feedback as well :^)
All of the guidelines might be useful for sites not yet online, but for sites already up and functional, migrating to "Tor friendly" is going to be the challenge.
Agreed. But even getting more sites coming online to test against TB will hopefully improve things over time.
I also think it might be useful to give a brief "tagline" to the idea of a Tor friendly www site, such as "allowing anonymity by design, not by privacy policies" since I think it could be counterposed to long and legelese-written privacy policies. From one angle, it's about enabling anonymity by the user, and not necessarily doing anything in particular for them.
Yep, that makes total sense. Thanks! gunner
g
_______________________________________________ tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
-- Allen Gunn Executive Director, Aspiration +1.415.216.7252 www.aspirationtech.org Aspiration: "Better Tools for a Better World" Read our Manifesto: http://aspirationtech.org/publications/manifesto Twitter: www.twitter.com/aspirationtech
Hi Gunner! Happy 20018! On 1/1/18 7:11 PM, Allen Gunn wrote:
Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page:
https://pad.riseup.net/p/torfriendlysite
I'm writing to ask folks on this list to both add any thoughts you have on the matter, and to correct or comment on anything that's already there and doesn't seem quite right.
Any contributions, both to the pad or emailed to me directly, are most appreciated. This is great stuff, I added a small comment there too. As we are redesigning the website and creating new portals the UX team is following this philosophy as well, it must work on TB high level security level first, that is our focus. But we haven't put anything on paper like you did and that is great.
This is not necessary related to building a site that works on Tor, but more related to building a site related to the Tor Project somehow and that you would like to follow our guidelines, that Antonela and Hiro has been working on: https://styleguide.torproject.org/ Which is a fork of some of bootstrap components with the CSS changed to follow our guidelines (colors and fonts for instance). Looking at your pad makes me think that we should add some stuff related to not only make it looks like is part of the Tor 'brand' but also make it work at Tor Browser high security level. thans for sharing, isabela
Hello again, On 01/02/2018 07:12 AM, isabela wrote:
Hi Gunner!
Happy 20018!
Same to you!
On 1/1/18 7:11 PM, Allen Gunn wrote:
Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page:
https://pad.riseup.net/p/torfriendlysite
I'm writing to ask folks on this list to both add any thoughts you have on the matter, and to correct or comment on anything that's already there and doesn't seem quite right.
Any contributions, both to the pad or emailed to me directly, are most appreciated. This is great stuff, I added a small comment there too.
Thanks!
As we are redesigning the website and creating new portals the UX team is following this philosophy as well, it must work on TB high level security level first, that is our focus. But we haven't put anything on paper like you did and that is great.
Glad to know we are working on parallel paths.
This is not necessary related to building a site that works on Tor, but more related to building a site related to the Tor Project somehow and that you would like to follow our guidelines, that Antonela and Hiro has been working on:
Thanks. Did you make any design decisions on putting up that site that are relevant for the guidelines?
Which is a fork of some of bootstrap components with the CSS changed to follow our guidelines (colors and fonts for instance).> Looking at your pad makes me think that we should add some stuff related to not only make it looks like is part of the Tor 'brand' but also make it work at Tor Browser high security level.
That makes sense. To build on George's earlier point, I wonder if there is benefit in an actual set of testing steps to be articulated for a site to confirm tor-friendly status...would be harder to test any server-side aspects. peace, gunner
thans for sharing, isabela _______________________________________________ tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
-- Allen Gunn Executive Director, Aspiration +1.415.216.7252 www.aspirationtech.org Aspiration: "Better Tools for a Better World" Read our Manifesto: http://aspirationtech.org/publications/manifesto Twitter: www.twitter.com/aspirationtech
Allen Gunn wrote:
Hello friends,
I hope 2018 is off to a good start wherever this finds you.
So for those who aren't aware, my NGO, Aspiration, advises other NGOs and activists on technology as part of our core mission.
And a common piece of advice we proffer is "make sure your web site works well with Tor Browser", i.e., doesn't use Flash or overly depend on Javascript.
The more I have given that advice, the more I have wondered if it was documented anywhere what it actually takes to be a "Tor-friendly" site.
Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page:
https://pad.riseup.net/p/torfriendlysite
I'm writing to ask folks on this list to both add any thoughts you have on the matter, and to correct or comment on anything that's already there and doesn't seem quite right.
Any contributions, both to the pad or emailed to me directly, are most appreciated.
This is especially true if you know of relevant documentation anywhere else that I should be looking at.
Once folks have weighed in, I will figure out where to post this on the Tor wiki and elsewhere in order to make it more broadly and reliably available.
And if for any reason you think this is an ill-informed endeavor, I welcome that feedback as well :^)
thanks & peace, gunner
[snip] Gunner, I'm going to stick my neck out here and say that this proposal sounds to me wrong headed. Tor Browser differs from mainstream browsers in that it does not support features and functionality that pose potential risks to user privacy, security and anonymity. It is designed to protect it's user from websites and web agents that are not Internet user friendly. Flagging website as "Tor Browser Friendly" might make Tor people feel good, but it distinguishes Tor Browser as one with special needs, one requiring specially designed web sites. The impression then is of Tor Browser being somehow broken rather than the web itself being broken. It seems to me that we must be very careful about the message a "Tor Browser Friendly" campaign might convey. The message we here are familiar with is that Tor and Tor Browser are as they are because they must be so to protect their users from a web that is "broken" with regard to security, privacy and anonymity. Perhaps your campaign ought to promote "Internet User Friendly" websites - websites that Tor Browser is perfectly capable of rendering. Rick
Hi Rick, Thanks very much for these comments, my responses inline below. On 01/02/2018 03:23 PM, Rick wrote:
Allen Gunn wrote:
Hello friends,
I hope 2018 is off to a good start wherever this finds you.
So for those who aren't aware, my NGO, Aspiration, advises other NGOs and activists on technology as part of our core mission.
And a common piece of advice we proffer is "make sure your web site works well with Tor Browser", i.e., doesn't use Flash or overly depend on Javascript.
The more I have given that advice, the more I have wondered if it was documented anywhere what it actually takes to be a "Tor-friendly" site.
Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page:
https://pad.riseup.net/p/torfriendlysite
I'm writing to ask folks on this list to both add any thoughts you have on the matter, and to correct or comment on anything that's already there and doesn't seem quite right.
Any contributions, both to the pad or emailed to me directly, are most appreciated.
This is especially true if you know of relevant documentation anywhere else that I should be looking at.
Once folks have weighed in, I will figure out where to post this on the Tor wiki and elsewhere in order to make it more broadly and reliably available.
And if for any reason you think this is an ill-informed endeavor, I welcome that feedback as well :^)
thanks & peace, gunner
[snip]
Gunner, I'm going to stick my neck out here and say that this proposal sounds to me wrong headed. Tor Browser differs from mainstream browsers in that it does not support features and functionality that pose potential risks to user privacy, security and anonymity. It is designed to protect it's user from websites and web agents that are not Internet user friendly.
Yes, I totally agree on those points.
Flagging website as "Tor Browser Friendly" might make Tor people feel good, but it distinguishes Tor Browser as one with special needs, one requiring specially designed web sites. The impression then is of Tor Browser being somehow broken rather than the web itself being broken.
I take your point, but the goal is not to "flag" web sites per se, it is primarily to inform those designing and deploying web sites in how to make design decisions that align with the Tor Browser's goals. Put differently, in spite of all the protections that Tor Browser strives to provide, it is still possible to undermine those protections, e.g. by using an inappropriate plugin that deanonymizes or by utilizing bandwidth-intensive code or content that magnify the speed deficits of the Tor network. I don't believe this implies Tor Browser is broken, but rather that site designers can work in concert with Tor to maximize user protections and Tor user experience in ways that Tor Browser can't do alone.
It seems to me that we must be very careful about the message a "Tor Browser Friendly" campaign might convey. The message we here are familiar with is that Tor and Tor Browser are as they are because they must be so to protect their users from a web that is "broken" with regard to security, privacy and anonymity.
I'm not planning any campaign :^) I think that is an idea that got surfaced earlier on this thread. I'm mainly hoping to generate a concrete checklist that supports activist organizations and associated web developers in making anonymity-friendly, Tor-friendly web sites. As I mentioned in my first post, this is something we advise on all the time, so I know it's a missing resource.
Perhaps your campaign ought to promote "Internet User Friendly" websites - websites that Tor Browser is perfectly capable of rendering.
Sorry for any misunderstanding, I appreciate your concerns. Please let me know if my points make sense and if I have addressed those concerns. peace, gunner
Rick _______________________________________________ tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
-- Allen Gunn Executive Director, Aspiration +1.415.216.7252 www.aspirationtech.org Aspiration: "Better Tools for a Better World" Read our Manifesto: http://aspirationtech.org/publications/manifesto Twitter: www.twitter.com/aspirationtech
Allen Gunn:
Hello friends,
I hope 2018 is off to a good start wherever this finds you.
So for those who aren't aware, my NGO, Aspiration, advises other NGOs and activists on technology as part of our core mission.
And a common piece of advice we proffer is "make sure your web site works well with Tor Browser", i.e., doesn't use Flash or overly depend on Javascript.
The more I have given that advice, the more I have wondered if it was documented anywhere what it actually takes to be a "Tor-friendly" site.
Great initiative!
Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page:
I can only see a 'lol' on there now. See attachment. Has it been defaced? I wanted to check your guidelines for "don't overly depend on Javascript". Something that could be interesting would be to give more hints on which aspects of JavaScript will definitely not work and be blocked by Tor Browser and which other aspects work fine in Tor Browser. While still making it clear that people running Tor Browser are more likely to disable JavaScript all the way, so there should be a reasonable fallback for them.
Hello, On 01/12/2018 09:06 AM, sajolida wrote:
Allen Gunn:
Hello friends,
I hope 2018 is off to a good start wherever this finds you.
So for those who aren't aware, my NGO, Aspiration, advises other NGOs and activists on technology as part of our core mission.
And a common piece of advice we proffer is "make sure your web site works well with Tor Browser", i.e., doesn't use Flash or overly depend on Javascript.
The more I have given that advice, the more I have wondered if it was documented anywhere what it actually takes to be a "Tor-friendly" site.
Great initiative!
Thanks!
Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page:
I can only see a 'lol' on there now. See attachment.
Has it been defaced?
Yes indeed, thanks for flagging that. It is restored now using the history slider: https://pad.riseup.net/p/torfriendlysite Though all of the colors of different editors are gone.
I wanted to check your guidelines for "don't overly depend on Javascript".
Something that could be interesting would be to give more hints on which aspects of JavaScript will definitely not work and be blocked by Tor Browser and which other aspects work fine in Tor Browser.
While still making it clear that people running Tor Browser are more likely to disable JavaScript all the way, so there should be a reasonable fallback for them.
I welcome your comments on this matter, as well as feedback on what's already up there! thanks, gunner
_______________________________________________ tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
-- Allen Gunn Executive Director, Aspiration +1.415.216.7252 www.aspirationtech.org Aspiration: "Better Tools for a Better World" Read our Manifesto: http://aspirationtech.org/publications/manifesto Twitter: www.twitter.com/aspirationtech
Allen Gunn:
On 01/12/2018 09:06 AM, sajolida wrote:
I wanted to check your guidelines for "don't overly depend on Javascript".
Something that could be interesting would be to give more hints on which aspects of JavaScript will definitely not work and be blocked by Tor Browser and which other aspects work fine in Tor Browser.
While still making it clear that people running Tor Browser are more likely to disable JavaScript all the way, so there should be a reasonable fallback for them.
I welcome your comments on this matter, as well as feedback on what's already up there!
You solved my concern by requiring to test the site in Tor Browser, using different security levels. I added some comments to improve a bit on that.
participants (5)
-
Allen Gunn -
George -
isabela -
Rick -
sajolida