[tor-bugs] #25197 [Applications/Tor Browser]: Design document isn't precise about "Security" and "Privacy".
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Feb 9 23:08:16 UTC 2018
#25197: Design document isn't precise about "Security" and "Privacy".
--------------------------------------+--------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-spec                  |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by arma):

 This ticket started when I saw tor browser devs saying things like "that's
 security, not privacy", which is a recipe for confusion in our modern "you
 have to choose between security and privacy" world.

 I think we have been using two notions:

 * Code security, or implementation security, which is about whether the
   browser can be exploited, which of course then could lead to
   deanonymization, identification, etc.

 * Privacy, which includes fingerprinting defense, but also proxy bypass
   defense, so in a sense it's all of the ways that things can go wrong for
   the user without implementation bugs.

 Our name "security slider" is strictly supposed to be the first one. That
 is, all settings of the security slider are intended to provide all of our
 privacy protections. That is, if a Tor Browser dev ever says "well you set
 your security slider to low so i figured i shouldn't enable that expensive
 tracking protection", then that is a mistake.

 (Arthur correctly points out that reducing surface area, which primarily
 aims to reduce exposure to implementation bugs aka exploits, can also
 improve things against fingerprinting and tracking and so on. That blurry
 line certainly confuses the issue, but it doesn't by itself mean we aren't
 talking about two different topics.)

 The suggestion in this ticket is to (a) have a section towards the top of
 the design doc explaining this distinction between the two goals, and then
 (b) make sure that the rest of the design doc uses these two goals
 correctly, i.e. doesn't confusingly switch between one word and the other.

 It's also worth brainstorming more intuitive terms for each of these
 goals. I think "code security" or "implementation security" is a pretty
 good one for the first, but the privacy one is broad enough that it's not
 obvious which term would be best. Let's not let a lack of the best term
 slow us down too much though. :)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25197#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online