[tor-dev] Rethinking Bad Exit Defences: Highlighting insecure and sensitive content in Tor Browser

Tom Ritter tom at ritter.vg
Thu Apr 6 13:58:46 UTC 2017


On 6 April 2017 at 07:53, Donncha O'Cearbhaill <donncha at donncha.is> wrote:
> Tom Ritter:
>> It seems reasonable but my first question is the UI. Do you have a
>> proposal?  The password field UI works, in my opinion, because it
>> shows up when the password field is focused on. Assuming one uses the
>> mouse to click on it (and doesn't tab to it from the username) - they
>> see it.
>>
>> How would you communicate this for .onion links or bitcoin text? These
>> fields are static text and would not be interacted with in the same
>> way as a password field.
>>
>> A link could indeed be clicked - so that's a hook for UX... A bitcoin
>> address would probably be highlighted for copying so that's another
>> hook... But what should it do?
>
> Thank you all for the suggestions in this thread. I agree that we need
> to tie down a preliminary UI. I'm seeing two key hooks that we could use:
>
> * Detecting navigation from an insecure page to an onion URL or
> bitcoin:// address.
> * Reading and alerting to Bitcoin or onion addresses in the clipboard
> buffer.
>
> I've been working on a proof-of-concept extension which implements both
> of these hooks.
>
> The "clipboardRead" permission is needed to read the contents of the
> clipboard from a Firefox extension. This was implemented in Firefox 54
> (2017-02-13) in Mozilla bug #1312260 [1]. Unfortunately it will be quite
> some time before Firefox 54 is included in an ESR release. The Mozilla
> patch for this permission is < 100 lines. Is this a feature that the TBB
> team might consider back-porting to Tor Browser?
>
> I agree with David, this UI should be as intrusive as possible to
> prevent users from shooting themselves in the foot. IMO navigation to
> onion URLs from HTTP should be completely blocked. I also think that we
> should wipe the user's clipboard buffer if we detect a valid Bitcoin
> address in it.
>
> The UI could suggest that a user manually retypes the Bitcoin or onion
> address if they are certain that it is correct. I hope this type of
> intrusive warning will reduce risky behaviour and encourage any Tor
> related web services to move to TLS only.

[no hats]

Please no. Please give any sort of intrusive whatever I have to click
through but do not make me manually retype a bitcoin or onion address.
This is a usability nightmare. I would prefer you completely hide the
value entirely, so the user thinks it's a problem with the website
rather than hating Tor Browser.

Here's another idea besides click-through banners: using the
extension, create some sort of scratchpad that auto-populates the
bitcoin/onion address (and the user's Exit Node). Then reload the page
in a new circuit. Detect or prompt the user to compare them. If
they're the same, say "Phew, okay everything seems to be okay" and if
they're not, say "Jinkies! Would you consider pasting this information
in a bug report so we can investigate?"

Caveat: I don't know how common it is for HTTP websites with bitcoin
addresses to auto-generate payment addresses for privacy.

-tom
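
The comparison step of the scratchpad idea above, as an added example that is not part of the original message or of any Tor Browser code: it pulls checksum-valid legacy (Base58Check) Bitcoin addresses and .onion hostnames out of two loads of the same page and reports any difference. Reloading over a new circuit is out of scope here; the function names and sample page text are assumptions.

```javascript
// Added example, not code from the thread. Written for Node.js.
const { createHash } = require('crypto');
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256d = (b) =>
  createHash('sha256').update(createHash('sha256').update(b).digest()).digest();

// Base58 -> bytes; null if a character is outside the alphabet.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const i = B58.indexOf(ch);
    if (i < 0) return null;
    n = n * 58n + BigInt(i);
  }
  let hex = n === 0n ? '' : n.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const zeros = str.match(/^1*/)[0].length; // each leading '1' encodes a 0x00 byte
  return Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex, 'hex')]);
}

// Base58Check: 1 version byte (0x00 P2PKH, 0x05 P2SH) + 20-byte hash + 4-byte checksum.
function isValidBitcoinAddress(addr) {
  const raw = base58Decode(addr);
  if (!raw || raw.length !== 25 || (raw[0] !== 0x00 && raw[0] !== 0x05)) return false;
  return sha256d(raw.subarray(0, 21)).subarray(0, 4).equals(raw.subarray(21));
}

// Checksum-valid legacy Bitcoin addresses and 16/56-character .onion names in page text.
function extractSensitive(text) {
  const btc = (text.match(/\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g) || [])
    .filter(isValidBitcoinAddress);
  const onion = (text.match(/\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b/gi) || [])
    .map((h) => h.toLowerCase());
  return new Set([...btc, ...onion]);
}

// Diff what two loads of the same URL (fetched over different circuits) displayed.
function compareFetches(textA, textB) {
  const a = extractSensitive(textA), b = extractSensitive(textB);
  const onlyA = [...a].filter((x) => !b.has(x));
  const onlyB = [...b].filter((x) => !a.has(x));
  return { match: onlyA.length + onlyB.length === 0, onlyA, onlyB };
}

// Constructed sample pages; the address is the publicly known genesis-block address.
const pageA = 'Donate: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or abcdefghijklmnop.onion';
const pageB = 'Donate: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or abcdefghijklmn22.onion';
console.log(compareFetches(pageA, pageA).match, compareFetches(pageA, pageB));
```

A mismatch is a reason to prompt the user, not proof of tampering: as the caveat above notes, a site that generates a fresh payment address per visit would also produce one.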

