[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] To Toggle, or not to Toggle: The End of Torbutton

In a random bar about two years ago, a Google Chrome dev asked me why
Torbutton didn't just launch a new, clean Firefox profile/instance to
deal with all of the tremendous state separation issues. Simply by
virtue of him asking me this question, I immediately realized how much
better off Chrome was by implementing Incognito Mode this way and how
much simpler it must have been for them overall (though they did
not/do not deal with anywhere near as many issues as Torbutton

So I took a deep breath, and explained how the original use model of
Torbutton and my initial ignorance at the size of the problem had lead
me through a series of incremental improvements to address the state
isolation issue one item at a time. Since the toggle model was present
at the beginning of this vision quest, it was present at the end.

I realized at that same instant that in hindsight, this decision was
monumentally stupid, and that I had been working harder, not smarter.
However, I thought then that since we had the toggle model built, we
might as well keep it: it allowed people to use their standard issue
Firefoxes easily and painlessly with Tor.

I now no longer believe even this much. I think we should completely
do away with the toggle model, as well as the entire idea of Torbutton
as a separate piece of user-facing software, and rely solely on the
Tor Browser Bundles, except perhaps with the addition of standalone
Tor+Vidalia binaries for use by experts and relay operators.

The Tor Browser Bundles would include Torbutton, but we would no
longer recommend that people use Torbutton without Tor Browser.
Torbutton will be removed from addons.mozilla.org, and the Torbutton
download page will clearly state that it is for experts only. If
serious unfixed security issues begin to accumulate against the toggle
model, we will stop providing Torbutton xpis at all.

I believe this must be done for a few reasons: some usability, some
technical. Since I feel the usability issues trump the technical
ones, I'll discuss them first.

Unfortunately, the Tor Project doesn't really have funding to conduct
official usability studies to help us make the best choice for this,
but I think that even without them, it is pretty clear that this is
what we must do to improve the status quo.

I think the average user is horribly confused by both the toggle model
and the need to install additional software into Firefox (or
conversely, the need to *also* install Tor software onto their
computers after they install Torbutton). I also think that the average
user is not likely to use this software safely. They are likely to log
in to sites over Tor that they shouldn't, forget which tor mode they
are in, and forget which mode certain tabs were opened under. These
are all nightmare situations for anonymity and privacy.

On the technical side, several factors are forcing us in the direction
of a short-term fork of Firefox. The over-arching issue is that the
set of bugfixes required to maintain the toggle model is a superset of
those required to maintain the Browser Model, and contains some rather
esoteric and complicated issues that are unlikely to ever get fixed.
See https://www.torproject.org/torbutton/en/design/#FirefoxBugs for
both lists.

This means more resistance from Mozilla to get the Toggle Mode bugs
fixed or even merged, less likelihood they will be used elsewhere, and
more danger they will succumb to bitrot. Related to this, the lag time
for normal Firefox bugs between authorship and deployment can be as
long as 3 years (and counting). See for example:

The Tor Browser bugs on the other hand are more directly usable by
Firefox in its own Private Browsing Mode, which makes them more likely
to merge quicker, and be maintained long-term. Also, because we will
be releasing our own Firefox-based browser, we will also have more
control over experimenting with them and deploying these fixes to our
users rapidly, as opposed to waiting for the next Firefox release.
So, we can either invest effort in improving the UI of Torbutton to
better educate users to understand our particular rabbit-hole tunnel
vision of design choices, as well as solve crazier Firefox bugs; or we
can reconsider our user model and try to simplify our software.

We don't have the manpower (ie: enough me) to do both.

I think this means we should go with the simpler option. 

The reason I am discussing this in so much detail here is because I
believe there is a chance that there are users out there who rely on
the toggle model and/or their OS Firefox build, and may be confused or
enraged by the new model. I'm asking this list to get an idea of how
many of those users there are, and to try to understand what the
overall costs of this sort of migration are.

I also ask this because I am a heavy user of the toggle model myself,
and abandoning it is sort of a leap of faith for me, too.

So can anyone bring up any specific issues that may be caused by the

We are collecting these issues as child tickets of this bug:

As an aside, we also are collecting a similar set of issues for the
removal of an HTTP proxy entirely from the tor distribution:

Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpsXmoEEgqDt.pgp
Description: PGP signature

tor-talk mailing list