In a random bar about two years ago, a Google Chrome dev asked me why Torbutton didn't just launch a new, clean Firefox profile/instance to deal with all of the tremendous state separation issues. Simply by virtue of him asking me this question, I immediately realized how much better off Chrome was by implementing Incognito Mode this way and how much simpler it must have been for them overall (though they did not/do not deal with anywhere near as many issues as Torbutton does)...

So I took a deep breath, and explained how the original use model of Torbutton and my initial ignorance at the size of the problem had led me through a series of incremental improvements to address the state isolation issue one item at a time. Since the toggle model was present at the beginning of this vision quest, it was present at the end. I realized at that same instant that in hindsight, this decision was monumentally stupid, and that I had been working harder, not smarter.

However, I thought then that since we had the toggle model built, we might as well keep it: it allowed people to use their standard issue Firefoxes easily and painlessly with Tor. I now no longer believe even this much.

I think we should completely do away with the toggle model, as well as the entire idea of Torbutton as a separate piece of user-facing software, and rely solely on the Tor Browser Bundles, except perhaps with the addition of standalone Tor+Vidalia binaries for use by experts and relay operators.

The Tor Browser Bundles would include Torbutton, but we would no longer recommend that people use Torbutton without Tor Browser. Torbutton will be removed from addons.mozilla.org, and the Torbutton download page will clearly state that it is for experts only. If serious unfixed security issues begin to accumulate against the toggle model, we will stop providing Torbutton xpis at all.

I believe this must be done for a few reasons: some usability, some technical.

Since I feel the usability issues trump the technical ones, I'll discuss them first. Unfortunately, the Tor Project doesn't really have funding to conduct official usability studies to help us make the best choice for this, but I think that even without them, it is pretty clear that this is what we must do to improve the status quo.

I think the average user is horribly confused by both the toggle model and the need to install additional software into Firefox (or conversely, the need to *also* install Tor software onto their computers after they install Torbutton).

I also think that the average user is not likely to use this software safely. They are likely to log in to sites over Tor that they shouldn't, forget which tor mode they are in, and forget which mode certain tabs were opened under. These are all nightmare situations for anonymity and privacy.

On the technical side, several factors are forcing us in the direction of a short-term fork of Firefox.

The over-arching issue is that the set of bugfixes required to maintain the toggle model is a superset of those required to maintain the Browser Model, and contains some rather esoteric and complicated issues that are unlikely to ever get fixed. See https://www.torproject.org/torbutton/en/design/#FirefoxBugs for both lists. This means more resistance from Mozilla to get the Toggle Mode bugs fixed or even merged, less likelihood they will be used elsewhere, and more danger they will succumb to bitrot.

Related to this, the lag time for normal Firefox bugs between authorship and deployment can be as long as 3 years (and counting). See for example: https://bugzilla.mozilla.org/show_bug.cgi?id=280661

The Tor Browser bugs on the other hand are more directly usable by Firefox in its own Private Browsing Mode, which makes them more likely to merge quicker, and be maintained long-term.

Also, because we will be releasing our own Firefox-based browser, we will also have more control over experimenting with them and deploying these fixes to our users rapidly, as opposed to waiting for the next Firefox release.

So, we can either invest effort in improving the UI of Torbutton to better educate users to understand our particular rabbit-hole tunnel vision of design choices, as well as solve crazier Firefox bugs; or we can reconsider our user model and try to simplify our software. We don't have the manpower (i.e.: enough me) to do both. I think this means we should go with the simpler option.

The reason I am discussing this in so much detail here is because I believe there is a chance that there are users out there who rely on the toggle model and/or their OS Firefox build, and may be confused or enraged by the new model. I'm asking this list to get an idea of how many of those users there are, and to try to understand what the overall costs of this sort of migration are.

I also ask this because I am a heavy user of the toggle model myself, and abandoning it is sort of a leap of faith for me, too.

So can anyone bring up any specific issues that may be caused by the change? We are collecting these issues as child tickets of this bug: https://trac.torproject.org/projects/tor/ticket/2880

As an aside, we also are collecting a similar set of issues for the removal of an HTTP proxy entirely from the tor distribution: https://trac.torproject.org/projects/tor/ticket/2844

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk