[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #25658 [Applications/Tor Browser]: Activity 2.1: Improve user understanding and user control by clarifying Tor Browser's security features



#25658: Activity 2.1: Improve user understanding and user control by clarifying Tor
Browser's security features
-------------------------------------------+---------------------------
 Reporter:  isabela                        |          Owner:  antonela
     Type:  project                        |         Status:  assigned
 Priority:  High                           |      Milestone:
Component:  Applications/Tor Browser       |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  ux-team, TorBrowserTeam201810  |  Actual Points:
Parent ID:                                 |         Points:
 Reviewer:                                 |        Sponsor:  Sponsor17
-------------------------------------------+---------------------------

Comment (by arthuredelstein):

 Replying to [comment:34 gk]:
 > The security risks don't map the the underlying transport ot its
 security being used. The security risks we try to tackle are to a large
 part due to the *content* that gets transferred. Someone injecting this
 content on the path from server to user is an important risk but just one
 of those we need to defend against. This binding the security state to
 HTTP/HTTPS is not sufficient. Moreover, the strongest security we want to
 provide is something like the current "safest" option we have. We won't be
 able to enable this by default probably forever as the breakage is too
 high, irrespective of the transport being used.

 We have discussed this issue previously, but I wanted to try laying it out
 in more detail and see if that helps to clarify the different approaches.
 :)

 We already have a "Safest" setting that maximizes security guarantees. I
 agree we shouldn't lower those guarantees. We also have a "Safe" (Low)
 setting which maximizes usability and already has the lowest possible
 security guarantees. That probably shouldn't change for now.

 So the question is: what should the "Safer" (Medium) level be? Given that
 the three levels are implementing a tradeoff between security and website
 usability, I think we should be willing to consider any Pareto-optimal
 choice, even if it reduces security somewhat. What is important is that
 the "Safer" level is sufficiently distinct from both "Safest" and "Safe"
 so that it is worthwhile to make it available.

 Let's compare two possible "Safer" (Medium) Security designs:

 Design (1), the status quo (Tor Browser 8.0.x):

 || || Unblocked || Blocked ||
 || HTTP || WebFont, blob, SVG || scripts, WebGL, Video, Audio, WebAudio,
 MathML, JIT ||
 || HTTPS || WebFont, blob, SVG, scripts, WebGL || Video, Audio, WebAudio,
 MathML, JIT ||

 Design (2), proposed in comment:33:
 || || Unblocked || Blocked ||
 || HTTP || || WebFont, blob, SVG, scripts, WebGL, Video, Audio, WebAudio,
 MathML, JIT ||
 || HTTPS || WebFont, blob, SVG, scripts, WebGL, Video, Audio, WebAudio,
 MathML, JIT || ||

 So, which of these two options is more secure? (1) has better security for
 HTTPS and (2) has better security for HTTP. Overall security depends on
 one's threat model.

 Consider the two main potential threats:
 (A) '''Hostile content injected at exit nodes, or between server and exit
 node.''' To combat this threat, it seems that Design (2) is somewhat
 better because it blocks the most content in HTTP.
 (B) '''Hostile content from the website itself, or subresources.''' Which
 design is safer depends on whether the hostile site is HTTP or HTTPS. If
 an HTTP site is hostile, Design (2) is preferred. If an HTTPS site is
 hostile, Design (1) is preferred.

 The next question: which of the two threats are dominant in a real user's
 threat model? I think there are different categories of users:

 (I) '''Users who are unconcerned about threats or unable to handle broken
 websites.''' For these users, "Safe" (Low) security is the (default)
 choice.
 (II) '''Users who only visit "trustworthy" sites.''' (I define
 "trustworthy" as websites the user expects will not send malicious code.)
 For these users, Threat (A) is the dominant threat and in this case,
 "Safer" security seems appropriate, and Design (2) is better.
 (III) '''Users who visit "untrustworthy" sites.''' For these users, Threat
 (B) can be the dominant threat. (But Threat (A) still exists for these
 users to the same extent as for Category (II) users. The total risk of
 being exploited is higher.) Assuming they are using the "Safer" level,
 these users may prefer Design (1), at least for HTTPS.

 Perhaps, up to this point, my description is fairly uncontroversial. ;) I
 hope this kind of analysis is useful regardless of our final decision for
 the "Safer" level.

 ----

 But now I want to think further about Category (III) users. These users
 are visiting untrustworthy websites; they are high-risk users. Why would
 the user want to leave SVG, WebFonts, or scripts unblocked if they think a
 site is untrustworthy? While it's true that some websites will work
 better, it seems dangerous to assume we know which type of content will be
 exploited by a malicious website. (I'm open to being convinced that there
 is a much greater risk from video than from scripts, say, but I haven't
 seen evidence for that.) So it seems to me that Category (III) users
 should generally use the "Safest" setting instead of "Safer" Design (1).

 What about relative usability of these two designs for the "Safer" level?
 I think Design (2) is clearly more usable because:
 * Design (2) is simpler for users to understand than Design (1). For every
 website, we either have initial protection "on" or "off", corresponding to
 whether the site is high risk or low risk.
 * In Design (2), HTTPS websites (such as https://youtube.com) will work
 correctly by default.

 To sum up, my feeling is that "Safer" level with Design (2) offers better
 security and better usability to users who habitually visit "trustworthy"
 sites only. And the "Safest" level already provides the comprehensive
 protections needed for high-risk users who visit "untrustworthy" sites.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25658#comment:37>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs