[tbb-bugs] #25658 [Applications/Tor Browser]: Activity 2.1: Improve user understanding and user control by clarifying Tor Browser's security features
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Oct 29 07:18:56 UTC 2018
#25658: Activity 2.1: Improve user understanding and user control by clarifying Tor
Browser's security features
-------------------------------------------+---------------------------
Reporter: isabela | Owner: antonela
Type: project | Status: assigned
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team, TorBrowserTeam201810 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: Sponsor17
-------------------------------------------+---------------------------
Comment (by gk):
Replying to [comment:43 arthuredelstein]:
> Replying to [comment:41 gk]:
> It seemed to me this was a good time to discuss the issue because the
user interface design is closely connected to the behavior of the global
and per-site safety levels. If we redesign the behavior of the security
levels after a UI redesign, then it will mean we have to redesign the UI
yet once more.
Well, maybe. I guess it depends on what new behavior we come up with. E.g.
if the medium settings just change their semantics and all things stay
equal then it's not that much of a change (maybe some labels would need to
get adjusted) as the medium level is just a small part of the slider. But,
yes, maybe there is more to change. Regardless, a bunch of things come to
mind here:
1) UI design like general design and development is an iterative process.
It's not finished. So, yes, we might need to redesign the UI again but
that's part of the process and not necessarily something which is a bad
thing per se.
2) I am not convinced the concept of a user trusting a site should play a
role in defining our security slider settings. First of all, how is a user
making an informed decision here and what does it mean at all "that a user
expects a website will not sending malicious code" to a normal user?
Secondly, we hardly want to redesign our slider every time our user live
through a big change in trustworthiness, say, because of recent events in
news. Rather, I think we as experts should take the burden off of users to
decide "Is foo.com trustworthy right now" providing security settings
based on hard data and a threat model. Thirdly, the recent security
release made by Firefox is still vivid in my mind. It fixed two RCEs in
JIT code. There would be no protections against those on the new "medium"
level for HTTPS users. I think that's the wrong trade-off given our list
of adversaries and their capabilities (e.g. compromising ad servers to
serve malware which happened in the past) and the high amount of
exploitability in that component and that not allowing JIT is to a very
large extent not something that comes with functionality loss. (There is
more to say to your proposal, of course. A good place for that would be on
our mailing list, once we discuss a concrete proposal for redesigning the
semantics of our slider settings, which brings me to my third point)
3) It's not clear to me that we actually need the compromise you are
envisioning in comment:37. Maybe we can fix up the vast majority of the
medium level shortcomings, as said in section 3.3 in the proposal we
discussed, and that would already be enough to make the medium level
usable? Maybe we could even set it as the default mode then given the Tor
Browser context? Or even just ship two possible settings which would
correspond to "safer" and "safest" as we have them today? So, it seems
smart to me to revisit the semantics of the slider once we solved the low-
hanging fruits.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25658#comment:44>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list