[tor-project] Crowdsourcing some guidelines for what it means to make a web site "Tor-friendly"

Tue Jan 2 14:01:00 UTC 2018

Allen Gunn:
> Hello friends,
> 
> I hope 2018 is off to a good start wherever this finds you.
> 
> So for those who aren't aware, my NGO, Aspiration, advises other NGOs
> and activists on technology as part of our core mission.
> 
> And a common piece of advice we proffer is "make sure your web site
> works well with Tor Browser", i.e., doesn't use Flash or overly depend
> on Javascript.

For *years* I've had a custom "badge" of sorts on queair.net indicating
the site is "Tor friendly." It seems a worthwhile low-level campaign to
wage that might not be relevant today, but can be tomorrow.

A well-signed but small log (maybe like the 'valid css' one?) could be
useful.

Or even a "Tor-friendly check" www-based tool might be an interesting
direction. It could check Flash easily enough, and maybe diff the site
over plain old HTTP versus over torsocks.

> 
> The more I have given that advice, the more I have wondered if it was
> documented anywhere what it actually takes to be a "Tor-friendly" site.

Yes.  Simple enough with old-school HTML and perl-based mailforms. Not
so much with more complex contemporary sites.

> 
> Big thanks to GeKo, who first confirmed for me that no such
> documentation seems to exist. And then for helping me to bootstrap this
> page:
> 
> https://pad.riseup.net/p/torfriendlysite

While not prolific, it's a solid start.

> 
> I'm writing to ask folks on this list to both add any thoughts you have
> on the matter, and to correct or comment on anything that's already
> there and doesn't seem quite right.
> 
> Any contributions, both to the pad or emailed to me directly, are most
> appreciated.
> 
> This is especially true if you know of relevant documentation anywhere
> else that I should be looking at.
> 
> Once folks have weighed in, I will figure out where to post this on the
> Tor wiki and elsewhere in order to make it more broadly and reliably
> available.
> 
> And if for any reason you think this is an ill-informed endeavor, I
> welcome that feedback as well :^)

All of the guidelines might be useful for sites not yet online, but for
sites already up and functional, migrating to "Tor friendly" is going to
be the challenge.

I also think it might be useful to give a brief "tagline" to the idea of
a Tor friendly www site, such as "allowing anonymity by design, not by
privacy policies" since I think it could be counterposed to long and
legelese-written privacy policies. From one angle, it's about enabling
anonymity by the user, and not necessarily doing anything in particular
for them.

g

-- 

34A6 0A1F F8EF B465 866F F0C5 5D92 1FD1 ECF6 1682

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20180102/ceff26ab/attachment.sig>