[tor-bugs] #5273 [Firefox Patch Issues]: Update TBB design doc for 2.3.x-alpha

[Tor Bug Tracker & Wiki]

#5273: Update TBB design doc for 2.3.x-alpha
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry                    
     Type:  defect                |         Status:  new                          
 Priority:  major                 |      Milestone:  TorBrowserBundle 2.3.x-stable
Component:  Firefox Patch Issues  |        Version:                               
 Keywords:  MikePerry201207       |         Parent:                               
   Points:                        |   Actualpoints:                               
----------------------------------+-----------------------------------------

Comment(by gk):

 Replying to [comment:17 mikeperry]:
 > Replying to [comment:16 gk]:
 > > Replying to [comment:15 mikeperry]:
 > > > I still hate the beggar's header and dislike the adblocker ideas,
 but siloing them per url bar at least mitigates the damage they can do.
 The per-site adblocker might also drive per-site incentive for ads to not
 suck more than a global adblocker would.
 > > I am lost here as well. But maybe your ideas are due to the "Correlate
 activity across multiple site visits" adversary goal you thought about
 adding for completeness' sake? If so, I do not see how options buried in a
 context menu which are off by default could defend against it.
 >
 > The core idea here is rooted in the assumption that the crazies who
 think they know better (but really do not) will enable this stuff by
 default globally right now by way of installing Adblock or clicking the
 Beggar Checkbox... That behavior (which we probably can't expect to stop)
 is worse for the total population's anonymity set than per-site options.
 At least, I think so.. Are there reasons to the contrary?

 We'll see. What makes you confident that people do not install a global
 adblocker anymore or do the four clicks to activate DNT globally? To make
 that point more clear: Imagine the user that does these things globally
 because she is not happy with the current TBB in this regard. I would
 strongly argue that she is not fiddling with filterlists but just does not
 want to get tracked (globally!). I mean if I fear tracking and take the
 effort to install an add-on that defends against it and try to get the DNT
 option activated in the pref menu I think that tracking is bad in general
 and not just on google.com, right? Now, let's suppose you implement that
 option and let this user decide to use your context menu to express her
 beliefs. What is she going to do? Does she really go on every site she
 visits into the context menu and to make sure that the options for this
 site are checked (and stay checked! she might not get the per site logic
 behind your idea)? Or is she going to do the thing she a) is usded to do
 and b) that is much, much less error-prone c) that already protects before
 the site is loaded the first time d) is much, much more convenient:
 setting DNT to true and installing an add-on globally? I think you'll lose
 the per side battle wrt to DNT and Adblock and it is just wasted effort.

 There are other nasty side-effects of this design decision: it makes
 explaining the privacy by design idea even harder (if one really ships a
 privacy by design browser but still needs some exceptions there seems
 something wrong with the design, right?), it suggests you are okay with
 DNT and adblocker add-ons generally (yes, you are not but shipping those
 options even if in a context menu by default suggests that to the laymen.
 They may even say: "Wow, finally, Mike got it and I am right in using DNT
 and Adblock globally as I have always done!"). You have to take new attack
 vectors into account (e.g. bad exits trying to mess with filterlists etc.)
 which in turn makes it even more difficult to understand and evealuate the
 security implications of your design...

 All in all, I really doubt whether that idea is worth the effort,
 especially as you have to educate/explain the design decisions to the the
 users anyway. If so, lets not distract from getting the double-keying idea
 to them.

 > I also expect that certain sites will have homogenous requirements wrt
 ad blockers and plugins/media because people will naturally decide that
 those sites suck in similar ways... But perhaps that is a poor assumption?
 If so, please explain how/why?

 Don't know yet as I am not sure whether I understand you correctly. What
 do you mean with "homogenous requirements wrt ad blockers and
 plugins/media" and how does this fit to the issue whether site-based
 options for adblockers etc. or no options at all should be implemented in
 the default TBB?

 > As a general matter, I prefer allowing user choice if possible, but it
 also seems clear that user choice for global behaviors is really, really
 bad... Allowing easy access to per-site choices would be way better by
 comparison...

 Choice is good but do users really want to have per site choices regarding
 ad-trackers and DNT? What makes you believe so? And why does that not
 already exist as an add-on and all anti-tracker add-ons are working
 globally (at least all I can currently come up with)? If there is even a
 tiny demand for a specific wish there usually seems to exist an add-on for
 it on AMO.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5273#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online