[tbb-dev] Proposal for redesigning the security controls
Georg Koppen
gk at torproject.org
Thu Feb 1 08:27:00 UTC 2018
Hi!
I managed to come up with a proposal for redesigning the security
controls (see below). As always feedback and discussion is very welcome.
Filename: XXX-redesign-security-controls.txt
Title: Redesign of Tor Browser's Security Controls
Author: Georg Koppen
Created: 1-February-2018
Status: Open
1 Introduction
Tor Browser is well-known for its defenses against web tracking and
fingerprinting. However, providing Tor users just a privacy-enhanced
browser is often not enough to safeguard against deanonymization
attacks as those protections might simply get bypassed by exploiting
browser vulnerabilities. Tor Bowser therefore offers several security
enhancements as well to reduce that risk. Most of those features are
provided by extensions which Tor Browser includes, namely Torbutton,
NoScript, and HTTPS Everywhere.
1.1 Motivation
By default Torbutton, NoScript, and HTTPS Everywhere are visible on
the toolbar in Tor Browser and there is no hint about possible
security enhancements, with the exception of a notification bar shown
on first start and pointing to our security slider. This has a number
of suboptimal outcomes which this proposal seeks to address:
a) Security controls are scattered over and within different
extensions. That makes it hard to understand which knobs a user
could turn to improve their security settings while not being
exposed to additional fingerprinting risks.
b) The toolbar gets cluttered with three additional icons that provide
access to both per-site and global security settings. This is
confusing to users. Part of the confusion stems from mixing
non-global with global security controls on the toolbar not
indicating which of them just affect a particular website while
others affect the whole browser session. Another part is that users
feel the need to navigate through different levels of extension
menus to make basic adjustments to their security level.
c) There is the security vs. usability trade-off and little incentives
to change the default which comes with Tor Browser. That results in
users just staying on the lowest security level while at least some
of them could get convinced to raise that level if we managed to
provide an improved experience around our security controls, both
functionality- and UX-wise.
1.2 The State of the Security Controls
That is how the toolbar in Tor Browser looks like currently:
----------------------------------------------------------------------
| --- --- ------------------------- --------------- --- --- |
| |N| |T| | URL bar | | Search bar | |H| |M| |
| --- --- ------------------------- --------------- --- --- |
----------------------------------------------------------------------
N = NoScript button
T = Torbutton button
H = HTTPS Everywhere button
M = (Hamburger) Menu button
We include HTTPS Everywhere to help against potential Tor Exit node
eavesdroppers and active attackers. To provide users with optional
defense-in-depth against JavaScript and other potential exploit
vectors, we use NoScript modifying some of its defaults[1]. Torbutton
includes the security slider which is meant to give users an easy way
to adjust their security level from Standard to Safest, depending on
their perceived needs.
2 Proposal
Generally, items on the toolbar serve two important purposes: they are
shortcuts to features often used and they inform about current state.
With that in mind we can think about redoing our toolbar helping that
way with issues outlined in 1.1 a) and b). The remaining problems
(part of 1.1 b) and 1.1 c)) will be addressed in section 2.2 and 3.3.
2.1 Restructuring the Toolbar
2.1.1 Removing HTTPS Everywhere and NoScript from the Toolbar
I'd propose we remove both NoScript and HTTPS Everywhere from the
toolbar and leave Torbutton on it for now:
Torbutton serves a number of purposes and access to security settings
is just one of them. Moreover, we are in the process of restructuring
at least part of its functionality right now[2] and more will likely
happen in the future in this area. We can think about whether
Torbutton should remain on the toolbar after that transition is done.
HTTPS Everywhere has the option to block all unencrypted requests and
apart from that is just enforcing HTTPS connections according to the
rulesets it ships, which is our default. There is not much gain
security-wise leaving it on the toolbar and users might just be
confused by the "Block all unencrypted requests" option. I'd argue as
well that the status indicator is not important enough to justify
precious space on the toolbar either.
NoScript comes with a myriad of configuration options. We try to
abstract that away by shipping a list of defaults for Tor Browser[1].
But still having NoScript easily accessible makes it dangerous to
choose the wrong option, especially as the majority of its
functionality does not need to be exposed for Tor Browser users.
Moreover, the scary warning icon which is visible when NoScript
allows JavaScript is highly confusing to users as we ship this
configuration as our default. Removing the icon from the toolbar
should solve those two problems. We might want to think about exposing
the small amount of functionality which especially users with the
security slider set to "Safest" might need: managing finer-grained
script control. See section 2.2 for that.
2.1.2 Adding a Security Settings Button to the Toolbar
I'd like to propose a new button on the toolbar giving easy access to
what is essentially the tool that we want to promote: the security
slider. We could use an icon similar to the one suggested by
ninavizz[3] or come up with a different solution. The button would
open the security slider menu with a right-click. With a left-click,
keyboard shortcuts, and mouse-wheel scrolling one can adjust the
security level directly.
The new toolbar would look like:
----------------------------------------------------------------------
| --- --- ------------------------------- --------------- --- |
| |T| |S| | URL bar | | Search bar | |M| |
| --- --- ------------------------------- --------------- --- |
----------------------------------------------------------------------
T = Torbutton button
S = Security Settings button
M = (Hamburger) Menu button
Note: The reorganized toolbar has the additional benefit that no
per-site state is shown anymore on it, which should lead to less
confusion about whether the settings visible there apply globally or
not.
2.2 Dealing with Per-Site Security Settings
There are a number of features disabled on higher security settings as
they are potentially dangerous, yet sometimes users need or want to
allow them anyway. So far, these options were exposed by click-to-play
buttons or directly in the NoScript user interface accessible over the
toolbar button.
With NoScript gone from the toolbar the click-to-play options remain,
but easily allowing JavaScript per site and making the status of
NoScript related settings visible is not available anymore. To solve
this I'd propose to follow the path we are currently taking with our
circuit display redesign[2]: we are moving site specific settings into
the URL bar. One way to do that would be to use the Permissions
section which opens after clicking on the "i" icon in the URL bar.
However, while showing the security permissions the user has granted
there (too) is a good idea, it does not solve the problem of easily
allowing e.g. JavaScript on a website, and seeing its status without
the need to click on any button. We could have small icons on the
right side of the URL bar accomplishing that, though. That way, users
could easily see if they had JavaScript, or WebGL, or ... enabled on
that particular website in case they are on higher security levels.
Moreover, they would be able to adjust those permissions quickly
without the need to deal with any NoScript user interface or
additional menus just by toggling those icons. By default only the
option to temporarily allow JavaScript would be visible. All the
click-to-play features could be made visible once there is a
respective object embedded in a website or, even better, once the user
actually chose to unblock any of them.
3 Additional Considerations
3.1 Where Are My Extensions Gone?
Some users might be confused and think NoScript and HTTPS Everywhere
are gone now, plus they want to have their "old" way of setting their
per-site settings back. That's okay and they can easily add NoScript
and HTTPS Everywhere back to their toolbar if they wish. It would be
good to point this out in the transition phase to the new interface at
least.
3.2 How Do We Inform Users about the New Interface?
I don't know yet how we ideally inform users about the new interface.
That is not part of this proposal but might merit an own one.
3.3 Should We Change the Default Security Level?
As much as I wished to change the default security level, to e.g.
"Safer", right now I think we are not there yet. Part of the security
control redesign should be fixing bugs that make the current and new
interface less effective and painful to use[4][5][6][7]. We could
revisit that discussion, though, once we have solved the low hanging
bugs.
[1]
https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/tor-browser/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js
[2] https://trac.torproject.org/projects/tor/ticket/24309
[3] https://trac.torproject.org/projects/tor/ticket/21183
[4] https://trac.torproject.org/projects/tor/ticket/22981
[5] https://trac.torproject.org/projects/tor/ticket/22985
[6] https://trac.torproject.org/projects/tor/ticket/20314
[7] https://trac.torproject.org/projects/tor/ticket/21805
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20180201/bc4985df/attachment.sig>
More information about the tbb-dev
mailing list