#25658: Activity 2.1: Improve user understanding and user control by clarifying Tor Browser's security features
-------------------------------------------+---------------------------
 Reporter:  isabela                         |          Owner:  antonela
     Type:  project                         |         Status:  assigned
 Priority:  High                            |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  ux-team, TorBrowserTeam201804   |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:  Sponsor17
-------------------------------------------+---------------------------

Comment (by tom):

 Yea. Talking about the slider settings gets confusing because different
 words mean different things to different people, and there are a lot of
 things I think we're trying to roll up into a single slider.

 Privacy: We've previously, and I agree, that we should not encourage or
 support the slider being interpreted as improving privacy. A user's
 privacy should be respected whether it's at Low or High; and by that I
 mean Fingerprinting Protection, FPI, and Circuit Isolation should always
 be in effect. If for whatever reason we want to loosen privacy
 restrictions to support web functionality - we should probably pursue
 well-working, useful, and informative permission choices. Like Canvas and
 Audio/Video.

 Security from Exit Nodes: I imagine this as 'None', 'Medium', and 'High'.
 'Medium' blocks all Javascript, audio, video, svg, web fonts, and maybe a
 few other things from HTTP. High blocks all HTTP. I think we admit this is
 a goal of the slider by having the 'Block JS from HTTP' feature. I don't
 think there is any other reason to have this feature except to protect
 from malicious exit nodes. I would be curious to see how much of the web
 breaks if we broke this out, and defaulted to Medium.

 Security from the Web Site itself: This encompasses most of the rest of
 the slider features. Blocking JS from HTTPS sites. JS Engine optimizations
 are disabled. MathML disabled. SVG disabled, audio/video formats are
 disabled. This is generally what we think of as the goal of the slider, I
 think. Given this, I think two settings for the slider can make sense. "Do
 I trust this website or not?" The pain point is that the usability of
 disabling javascript is often so harsh that it makes it untenable... I
 wonder if there's anything that can be done to split that atom....

 ----

 I think one of the pain points we have with Tor Browser is the lack of
 persistent storage. We are so deathly scared of storing anything to disk
 that we can't save users' per-site exceptions to things.

 Perhaps we should reconsider this (opt-in of course.) I'd be curious to
 brainstorm if we could divine a storage mechanism we actually felt some
 measure of confidence in. For example:

 What if we used something like Argon2 combined with a TPM-backed value?
 This is bypassable, but it requires on-machine brute forcing.

 If we developed something akin to 'Firefox Accounts', we could enable
 users the ability to store data on a Hidden Service and revoke
 authorization to it.

 These ideas are very 'out there'.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25658#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs