[tor-bugs] #10885 [TorBrowserButton]: Confusing/Conflicting Info Provided About Flash in Tor Browser, Usability Issue
#10885: Confusing/Conflicting Info Provided About Flash in Tor Browser, Usability
Issue
------------------------------+---------------------------
Reporter: guranna2 | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone:
Component: TorBrowserButton | Version:
Keywords: | Actual Points:
Parent ID: | Points:
------------------------------+---------------------------
Tor Browser 3.5.1

There is a serious conflict here between documentation for the Tor Browser
Bundle, and the interface provided by the Tor Browser. If there is
another ticket, this should be grouped in.

Not using the separate components, noscript, torbutton, as an excuse, the
following things are incompatible:

--[1]--Buttons in noscript plugin for flash are now unchecked. (See #10772
https://trac.torproject.org/projects/tor/ticket/10772). These buttons
don't do anything--see other ticket. This is misleading to user.

--[2]--Documentation in design document
(https://www.torproject.org/projects/torbrowser/design/) says "In
addition, to reduce any unproxied activity by arbitrary plugins at load
time, and to reduce the fingerprintability of the installed plugin list,
we also patch the Firefox source code to prevent the load of any plugins
except for Flash and Gnash."
This statement in and of itself may lead a user to believe Flash is now
"Tor Safe".

--[3]--The "Disable browser plugins (such as Flash)" checkbox under
Torbutton->Preferences->Security Settings does not provide adequate
warning to a naive user. When this is unchecked, and the browser
restarted, addons shows the addons-manager set flash to "ask to activate."

--[4]--A rather large pop-up window with generic information about plugins
possibly being dangerous shows up. Given the other points here, this
message did not seem to state clearly that Flash WILL bypass your proxy.

--[5]--The existence of a project in Tor Project called "FlashProxy".
This name is misleading. It should be changed to "FlashRelay."

The combination of all these factors led an expert user to believe that
Flash now worked with Tor Browser, had been scrutinized, and would be
proxied. Luckily, that user was using TAILS.

But this can result in immediate anonymity loss for someone else. Because
once activated, it completely appears that Flash is running in the Tor
Browser, and a naive user may think it is being proxied.

I think the Torbutton checkbox needs more information there.
Specifically, maybe renaming it to something like "Activate Flash for use
with VM Transproxy or TAILS system ONLY. Flash will not be proxied and is
not considered Tor Safe."

Simply because a setting is under "Security Settings" does not mean you
should be an oracle to know what it does. It should still be documented
and have a specific function.

Regarding ticket #10280,
https://trac.torproject.org/projects/tor/ticket/10280, this is related.
Depending on how that ticket is addressed may affect this, but this is
still a different ticket. This ticket is about usability concerns mostly,
and also documentation concerns, and wordings.

Again regarding #10772, too many buttons in too many places that don't do
what user expects--are not documented (A design document isn't really
documentation!)--this is a general problem here with Tor Browser UI design

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10885>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online