[tbb-bugs] #25658 [Applications/Tor Browser]: Activity 2.1: Improve user understanding and user control by clarifying Tor Browser's security features

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 29 10:50:30 UTC 2018


#25658: Activity 2.1: Improve user understanding and user control by clarifying Tor
Browser's security features
-------------------------------------------+---------------------------
 Reporter:  isabela                        |          Owner:  antonela
     Type:  project                        |         Status:  assigned
 Priority:  High                           |      Milestone:
Component:  Applications/Tor Browser       |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  ux-team, TorBrowserTeam201810  |  Actual Points:
Parent ID:                                 |         Points:
 Reviewer:                                 |        Sponsor:  Sponsor17
-------------------------------------------+---------------------------

Comment (by gk):

 Replying to [comment:35 antonela]:
 > Hi geko, thanks for the heads-up; already read the diff. Seems like you
 have a strong opinion for keeping the slider.
 >
 > Let's do it again:
 >
 > **2.1.1 Removing HTTPS Everywhere and NoScript from the Toolbar**
 >
 > OK
 >
 > **2.1.2 Showing Security Slider State**
 >
 > We tried this before and this is the latest prototype I have: ​
 >
 > https://marvelapp.com/383eaa9/screen/44007368
 >
 > Should we iterate over it again? Are we happy with the icon? Do we want
 a different icon?

 Works for me.

 > > To mitigate that problem we could at least warn users about the
 possible danger and provide the option to acquire a New Identity right
 after changing the security slider level.
 >
 > Suggest a New Identity after the global setting change, seems smart. We
 can do that right after the user change about:preferences#security. A
 message that says "You may need a New Identity to apply changes safely.
 Your tabs will reload, and some information could be missed" will help.

 Well, New Identity means that tabs won't reload: the browser will close
 and reopen as a blank slate. But, yes, we should provide that option with
 a similar wording.

 > > We'll add a security settings button to the toolbar which shows the
 current slider state but, once clicked on, opens an about:preferences
 panel in a new tab which contains the security slider.
 >
 > Something like this?

 Well, as I said I am not clinging to the slider element, if we think we
 can transport our ideas better with, say, bullets as outlined in your
 prototype that's fine with me. One thing we should think about, though, is
 the amount of space our redesign should occupy. It seems to me the
 (horizontal) slider has some benefits here but I am sure we could come up
 with a similar "small" proposal if bullets are used instead (e.g. by
 collapsing text of security levels not being used currently).

 > **2.1.3 Reorganizing the Toolbar**
 >
 > OK
 >
 > ** 2.2 Dealing with Per-Site Security Settings**
 >
 > > One way to do that would be to use the Permissions section which opens
 after clicking on the "i" icon in the URL bar.
 >
 > Ok. It should look similar to
 >

 Works for me. We could think about as well showing little icons directly
 in the URL bar but I am not sure how much energy and time we should spend
 on the per-site security settings anyway. My feeling is not so much,
 especially compared to making the overall experience better.

 >
 > > We should refrain from exposing icons for every single "active
 content" in the URL bar, though. Rather, besides the button for
 temporarily allowing JavaScript we would only add one additional, which is
 responsible for manipulating and showing the state of "active content"
 (like WebGL, SVG, fonts etc.).
 >
 > Where do you think it should have place? At the Control Center
 doorhanger?

 Yes, that would be one place. But as I said above, maybe URL bar icons
 would be smart as well? Or maybe we should not spend time optimizing for
 that corner case?

 Open things we still need to solve/discuss from comment:26:
 {{{
  We still need to work on informing users that NoScript and HTTSEverywhere
 icons are available to be placed at the Top Nav via Menu/Customize. We
 could include a step/card explaining it at the new onboarding.

 Also, current about:preferences at FF60 doesn't have a [SAVE] button to
 confirm the action. Do you think we need to add an intermediate step for
 users to verify their radio option pick? May we need it for anything else?
 }}}

 One final thought: What do we do in the new design once a user flips a
 preference that is governed by our security controls essentially kicking
 themselves off that security level to something custom? Right now our UI
 gives the hint with the option to restore the default state. It seems to
 me we should keep that in the new UI as well.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25658#comment:45>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list