[tbb-dev] Proposal for redesigning the security controls

Arthur D. Edelstein arthuredelstein at gmail.com
Wed Feb 7 17:56:46 UTC 2018


On Wed, Feb 7, 2018 at 4:18 AM, Georg Koppen <gk at torproject.org> wrote:

> While preparing the proposal I tried to read up on all the older
> discussions we had about how to improve the design of our security
> controls. In particular, in your last comment on #21034 you seemed to be
> thinking that we could largely avoid doing what you are suggesting above
> by addressing the tickets you mentioned there (and probably more).
> That's actually part of the proposal as written (see section 3.3). So, I
> am a bit curious whether you changed your mind and if so to hear about
> new arguments.

My original thinking for #21034 was to try to address two problems:
  (1) The set of options exposed by NoScript is complex.
  (2) Users may be trying to use the (global) security slider for
individual sites. I have. :(
As I sort of mentioned in that comment in #21034, I think #22981
(enabling video/audio on HTTPS sites for Medium security) will be
particularly helpful for these two problems by making it rarely
necessary for users at Medium Security to make adjustments via
NoScript or the security slider. But, on the other hand, if we decide
against #22981, then I think #21034 remains important.

Also, since I wrote that comment, I have realized there is another problem:
  (3) NoScript does not respect FPI.
So I do lean more toward some kind of solution for #22981 again.

Each of (1), (2), and (3) has different possible solutions. For me, a
per-site security toggle seems to be the cleanest solution to all
three issues. But of course there are many possible alternatives that
would solve these issues to varying degrees.

> [snip] After all you allowed it in the first place in any context
> and hence in this particular site context as well.

Can you explain what you mean by this? I'm not sure I understand it.

> [snip] As indicated above that does not help with an easy answer to the
> important question about which security state I am actually in.

I agree it would be good to display an indicator about what global
security state you're in.

>> [snip] So, my suggestion would be to expose a
>> single toggle option: namely, [all-features-disabled |
>> all-features-enabled].
>
> Hm. I am not sure yet. I am not convinced we need to expose users to the
> dangers of WebGL, SVG etc. just because they need scripts enabled on a
> website.

Suppose you think there is a 10% chance that website X.com will be
serving an exploit. Do you enable scripts, but not WebGL? I feel this
question is too large a burden on users. It requires them to
understand what scripts and WebGL are! :) And it presumes some level
of risk analysis that is basically impossible (what's more dangerous,
scripts, or WebGL?). So I think we should provide some sort of
simplified set of options that guide users to reasonable decisions.

Maybe we could make progress by considering a set of
thought-experiment user stories (or even, user studies) visiting
particular websites and describing what the decision making process
should be. For example, if I visit YouTube (which has scripts, video
and audio) under High Security or under Medium Security, what should
my decision making process be? How many decisions/clicks should be
required to get the website working, and at what stage do I decide to
give up for security reasons? What security/privacy mistakes could I
make and how can Tor Browser prevent those mistakes? Other important
sites might be online games, social media, Google documents, etc.

Arthur
