[tor-talk] Tor Browser Bundle: Usability Improvement Proposal (windows)

Fabio Pietrosanti (naif) lists at infosecurity.ch
Wed Oct 12 07:49:06 UTC 2011


On 10/12/11 12:10 AM, Greg Kalitnikoff wrote:
> I speak Russian, but I don't think those people would be interested in
> such documents. I did some slightly deeper research for this
> conversation and as I see all that they did was getting TBB,
> unpacking it, adding some bookmarks and tweaks to Firefox profile
> (just like branding) and packing it back to "click-and-run" executable.
> As the point of this thread was about making TBB more convenient to
> "dumb people", we and you as developer can ignore all except
> techniques of packing stuff, because main goal is around that "click
> and run" thing, right?
Hi all,

I didn't know about all that customized TorBrowserBundle, but this
confirms that there is a community need to:
- Improve the usability of TorBrowserbundle (click-and-run)
- Customize/Brandize/OEM the TorBrowserBundle

That means that the Tor Project should provide "its official way" of
implementing this "OEM customized version".

If I understand correctly this SBrowser282 doesn't introduce any kind of
vulnerability or security issue but they just made:
- Click-and-run executable (like the beginning of this thread)
- Changed executable icons
- Added some Firefox bookmarks
- Changed Firefox start-page

I think that we should open the discussion on the two topics that are:
- Usability of the TorBrowserBundle.exe installer
- Customization of TorBrowserBundle.exe by third parties

==== Usability of the TorBrowserBundle.exe installer
On that topic I really think that click-and-run is a desirable
behaviour for most users.
Most portable apps work that way, click-and-run.

Now TorBrowserBundle doesn't provide "an installer" or an "installation
wizard" but just a guide-less, information-less "extraction window".

I see a couple of options:
 * Either we implement "a real installer" (not just "an extractor") that
provides useful information to the user, guiding him through a wizard
 * Or we implement a "click-and-run" approach that's the desired behavior of
a "Portable App"

==== Customization of TorBrowserBundle.exe by third parties

On that topic I understand the Russian guys' needs.
I think that Tor Project should provide a way to "customize the
TorBrowserBundle" without breaking its integrity.

To do so I would suggest to allow customization of:
 * Executable Logo
 * Default Firefox Bookmark
 * Default Firefox Start Page
 * Installation Method: Click-and-Run or Manual Extractor

That kind of information "could be stored" into Windows PE resources and
edited with a "resources editor":
http://www.pendriveapps.com/xn-resource-editor/ .
The Installer will behave according to Click-and-Run or Manual Extractor.
The Firefox will behave with the appropriate Bookmark/Start Page as per
TorBrowserBundle OEM customization.

This would allow a third party to make "their own" TorBrowserBundle by
preserving the integrity of the installation itself and by allowing to
configure the desired behavior.

I think it would be better to think about providing an "official way" to
do modifications to the TorBrowserBundle.exe:
- without breaking the security design
- with "co-branding" (no rebranding, that means accommodating an
"additional splash screen logo" and not a replacement)
- reduced effort for third parties that want to make such OEM (no
recompilation, just minor modification to Tor release binaries)
- Documentation to follow a specific procedure to customize it
 and with reduced

What does the Tor Community think about such an approach?


-naif

