#25658: Activity 2.1: Improve user understanding and user control by clarifying Tor Browser's security features -------------------------------------------+--------------------------- Reporter: isabela | Owner: antonela Type: project | Status: assigned Priority: High | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: ux-team, TorBrowserTeam201810 | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: Sponsor17 -------------------------------------------+---------------------------
Comment (by gk): Replying to [comment:43 arthuredelstein]: > Replying to [comment:41 gk]: > It seemed to me this was a good time to discuss the issue because the user interface design is closely connected to the behavior of the global and per-site safety levels. If we redesign the behavior of the security levels after a UI redesign, then it will mean we have to redesign the UI yet once more. Well, maybe. I guess it depends on what new behavior we come up with. E.g. if the medium settings just change their semantics and all things stay equal then it's not that much of a change (maybe some labels would need to get adjusted) as the medium level is just a small part of the slider. But, yes, maybe there is more to change. Regardless, a bunch of things come to mind here: 1) UI design like general design and development is an iterative process. It's not finished. So, yes, we might need to redesign the UI again but that's part of the process and not necessarily something which is a bad thing per se. 2) I am not convinced the concept of a user trusting a site should play a role in defining our security slider settings. First of all, how is a user making an informed decision here and what does it mean at all "that a user expects a website will not sending malicious code" to a normal user? Secondly, we hardly want to redesign our slider every time our user live through a big change in trustworthiness, say, because of recent events in news. Rather, I think we as experts should take the burden off of users to decide "Is foo.com trustworthy right now" providing security settings based on hard data and a threat model. Thirdly, the recent security release made by Firefox is still vivid in my mind. It fixed two RCEs in JIT code. There would be no protections against those on the new "medium" level for HTTPS users. I think that's the wrong trade-off given our list of adversaries and their capabilities (e.g. compromising ad servers to serve malware which happened in the past) and the high amount of exploitability in that component and that not allowing JIT is to a very large extent not something that comes with functionality loss. (There is more to say to your proposal, of course. A good place for that would be on our mailing list, once we discuss a concrete proposal for redesigning the semantics of our slider settings, which brings me to my third point) 3) It's not clear to me that we actually need the compromise you are envisioning in comment:37. Maybe we can fix up the vast majority of the medium level shortcomings, as said in section 3.3 in the proposal we discussed, and that would already be enough to make the medium level usable? Maybe we could even set it as the default mode then given the Tor Browser context? Or even just ship two possible settings which would correspond to "safer" and "safest" as we have them today? So, it seems smart to me to revisit the semantics of the slider once we solved the low- hanging fruits. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25658#comment:44> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs