[tor-dev] Rethinking Bad Exit Defences: Highlighting insecure and sensitive content in Tor Browser
jeremyrand at airmail.cc
Sun Apr 2 02:46:51 UTC 2017
> It seems reasonable but my first question is the UI. Do you have a
> proposal? The password field UI works, in my opinion, because it
> shows up when the password field is focused on. Assuming one uses
> the mouse to click on it (and doesn't tab to it from the username)
> - they see it.
> How would you communicate this for .onion links or bitcoin text?
> These fields are static text and would not be interacted with in
> the same way as a password field.
> A link could indeed be clicked - so that's a hook for UX... A
> bitcoin address would probably be highlighted for copying so that's
> another hook... But what should it do?
Bitcoin has a URL scheme that is increasingly used, so the UI
mechanism could be the same as for .onion links. However, for both
.onion links and for bitcoin: links, there's a risk that the website
will simply ask the user to manually copy the .onion URL or Bitcoin
address -- I doubt that most users will recognize this as an attempt
to evade detection. So any UI mechanism will probably need to
recognize any string that looks like a .onion URL or a Bitcoin
address, even if they're not links.
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at airmail.cc
Mobile PGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with PGP.
Please don't send me unencrypted messages.
My business email jeremy at veclabs.net is having technical issues at the
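An added illustration, not part of the original message or of Tor Browser's code: a Python sketch of the recognition step the reply calls for, scanning plain page text for strings that look like .onion hostnames or Bitcoin addresses even when they are not links. It assumes 16- and 56-character onion names and legacy Base58Check addresses only; the function names and sample text are constructed for the example, and the sample Bitcoin address is the well-known genesis-block address.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate patterns. The look-arounds stop a match from starting or ending
# in the middle of a longer run of the same alphabet.
BTC_RE = re.compile(r"(?<![%s])[13][%s]{25,34}(?![%s])" % (B58, B58, B58))
ONION_RE = re.compile(
    r"(?<![a-z2-7])(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.I)


def base58check_ok(addr):
    """True if addr decodes to 25 bytes ending in a valid double-SHA256 checksum."""
    n = 0
    for ch in addr:
        digit = B58.find(ch)
        if digit < 0:
            return False
        n = n * 58 + digit
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def find_sensitive(text):
    """Return sorted (offset, kind, match) tuples for strings worth highlighting."""
    hits = [(m.start(), "onion", m.group().lower())
            for m in ONION_RE.finditer(text)]
    # The checksum test discards random Base58-looking strings and typos,
    # which keeps false highlights rare.
    hits += [(m.start(), "bitcoin", m.group())
             for m in BTC_RE.finditer(text) if base58check_ok(m.group())]
    return sorted(hits)


# Constructed sample: copy-paste instructions with no <a href> or bitcoin: URI.
SAMPLE = ("Send 0.1 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or visit "
          "abcdefghij234567.onion (mistyped: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb)")

if __name__ == "__main__":
    for offset, kind, match in find_sensitive(SAMPLE):
        print(offset, kind, match)
```

The onion pattern checks shape only, so any 16- or 56-character base32 label ending in .onion is flagged; only the Bitcoin branch has a checksum to filter on.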