[tor-dev] Rethinking Bad Exit Defences: Highlighting insecure and sensitive content in Tor Browser

Donncha O'Cearbhaill donncha at donncha.is
Thu Apr 6 12:53:00 UTC 2017 

Tom Ritter:
> It seems reasonable but my first question is the UI. Do you have a
> proposal?  The password field UI works, in my opinion, because it
> shows up when the password field is focused on. Assuming one uses the
> mouse to click on it (and doesn't tab to it from the username) - they
> see it.
> 
> How would you communicate this for .onion links or bitcoin text? These
> fields are static text and would not be interacted with in the same
> way as a password field.
> 
> A link could indeed be clicked - so that's a hook for UX... A bitcoin
> address would probably be highlighted for copying so that's another
> hook... But what should it do?

Thank you all for the suggestions in this thread. I agree that we need
to tie down a preliminary UI. I'm seeing two key hooks that we could use:

* Detecting navigation from an insecure page to an onion URL or
bitcoin:// address.
* Reading and alerting to Bitcoin or onion addresses in the clipboard
buffer.

I've been working on a proof-of-concept extension which implements both
of these hooks.

The "clipboardRead" permission is needed to read the contents of the
clipboard from a Firefox extension. This was implemented in Firefox 54
(2017-02-13) in Mozilla bug #1312260 [1]. Unfortunately it will be quite
some time before Firefox 54 is included in an ESR release. The Mozilla
patch for this permission is < 100 lines. Is this a feature that the TBB
team might consider back-porting to Tor Browser?

I agree with David, this UI should be as intrusive as possible to
prevent users from shooting themselves in the foot. IMO navigation to
onion URLs from HTTP should be completely blocked. I also think that we
should wipe the users clipboard buffer if we detect a valid Bitcoin
address in it.

The UI could suggest that a user manually retypes the Bitcoin or onion
address if they are certain that it is correct. I hope this type of
intrusive warning will reduce risky behaviour and encourage any Tor
related web services to move to TLS only.

I'll try to report back with a demo for testing next week. Please reply
if you have any comments or suggestions.

Regards,
Donncha

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1312260


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20170406/ab9e448e/attachment.sig>

More information about the tor-dev mailing list