[tbb-bugs] #28259 [Applications/Tor Browser]: Is not saving history hurting Tor Browser retention rates?

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 14 17:55:25 UTC 2019

#28259: Is not saving history hurting Tor Browser retention rates?
 Reporter:  arthuredelstein                      |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  gallagher2018, ux-team, tbb-         |  Actual Points:
  usability                                      |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by kevun):

 Hello! Author of the paper in question, here.

 Addressing the comments of gk and pospeselr, I think if saving history and
 offering a password manager were available in the Tor Browser, it should
 definitely be dependent on the threat model of the user. I think there are
 many threat models in which considering a local adversary makes perfect
 sense, and that the encryption of the information such as history and
 passwords is not always enough to protect people with a local adversary in
 certain regimes, such as the UK and others, where mandatory key disclosure
 is a tool that law enforcement could use to destroy anonymity, or hold
 people who have encrypted histories in prison indefinitely. However, in
 other regimes that do not have mandatory key disclosure laws, such as the
 US, encryption is enough to protect the history and passwords of the
 person using the Tor Browser.

 However, for people who do not have a local adversary, the concept of disk
 avoidance in the TB design document does not make much sense. It makes TTB
 less usable than other browsers for no real benefit.

 The original context in which I proposed this solution in the paper was to
 have an "adversary wizard" such that people could choose their
 adversary/adversaries and have the disk avoidance features turn on and off
 for them, based on their selections. If that is too burdensome or not
 realistic, however, it may simply be sufficient to have an option to allow
 disk avoidance in preferences, with having the safer option (not storing
 history or passwords) as the default. I want TTB to be more usable,
 certainly, but security is most definitely the primary priority in my

 Either way, I don't think that this should be an option that remains
 unconfigurable for the average person using Tor. It may be possible to
 have three settings for this:

 1) Default, current setting. Disk avoidance remains.
 2) Disk avoidance is turned off, and all history is encrypted and requires
 a passphrase at TTB launch.
 3) Disk avoidance is turned off, no encryption is used and no passphrase
 is required. (I don't like this one, but I could see some users who
 ***really*** aren't worried about local adversaries requesting it).

 However, there are pros and cons to each of these settings. I think
 they're worth discussing in more detail, for anyone who is interested in
 weighing in.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28259#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list