[tbb-bugs] #25658 [Applications/Tor Browser]: Activity 2.1: Improve user understanding and user control by clarifying Tor Browser's security features

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 20 14:17:10 UTC 2018


#25658: Activity 2.1: Improve user understanding and user control by clarifying Tor
Browser's security features
-------------------------------------------+---------------------------
 Reporter:  isabela                        |          Owner:  antonela
     Type:  project                        |         Status:  assigned
 Priority:  High                           |      Milestone:
Component:  Applications/Tor Browser       |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  ux-team, TorBrowserTeam201804  |  Actual Points:
Parent ID:                                 |         Points:
 Reviewer:                                 |        Sponsor:  Sponsor17
-------------------------------------------+---------------------------

Comment (by tom):

 Yea. Talking about the slider settings gets confusing because different
 words mean different things to different people, and there are a lot of
 things I think we're trying to roll up into a single slider.

 Privacy: We've previously said, and I agree, that we should not encourage or
 support the slider being interpreted as improving privacy. A user's
 privacy should be respected whether it's at Low or High; and by that I
 mean Fingerprinting Protection, FPI, and Circuit Isolation should always
 be in effect.  If for whatever reason we want to loosen privacy
 restrictions to support web functionality - we should probably pursue
 well-working, useful, and informative permission choices. Like Canvas and
 Audio/Video.

 Security from Exit Nodes: I imagine this as 'None', 'Medium', and 'High'.
 'Medium' blocks all JavaScript, audio, video, svg, web fonts, and maybe a
 few other things from HTTP. High blocks all HTTP.  I think we admit this
 is a goal of the slider by having the 'Block JS from HTTP' feature. I
 don't think there is any other reason to have this feature except to
 protect from malicious exit nodes.  I would be curious to see how much of
 the web breaks if we broke this out, and defaulted to Medium.

 Security from the Web Site itself: This encompasses most of the rest of
 the slider features. Blocking JS from HTTPS sites. JS Engine optimizations
 are disabled. MathML disabled. SVG disabled, audio/video formats are
 disabled. This is generally what we think of as the goal of the slider, I
 think.

 Given this, I think two settings for the slider can make sense. "Do I
 trust this website or not?" The pain point is that the usability of
 disabling JavaScript is often so harsh that it makes it untenable... I
 wonder if there's anything that can be done to split that atom....

 ----


 I think one of the pain points we have with Tor Browser is the lack of
 persistent storage. We are so deathly scared of storing anything to disk
 that we can't save users' per-site exceptions to things. Perhaps we should
 reconsider this (opt-in of course.) I'd be curious to brainstorm if we
 could divine a storage mechanism we actually felt some measure of
 confidence in. For example: What if we used something like Argon2 combined
 with a TPM-backed value? This is bypassable, but it requires on-machine
 brute forcing. If we developed something akin to 'Firefox Accounts', we
 could give users the ability to store data on a Hidden Service and
 revoke authorization to it. These ideas are very 'out there'.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25658#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

