Re: [tor-bugs] #23247 [Applications/Tor Browser]: Communicating security expectations for .onion: what to say about different padlock states for .onion services
#23247: Communicating security expectations for .onion: what to say about different
padlock states for .onion services
--------------------------------------+--------------------------
Reporter: isabela | Owner: tbb-team
Type: project | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by phw):
* cc: phw (added)
Comment:
The following SOUPS 2016 paper seems very relevant to this ticket. It was
written by people from the Chrome security team and their work resulted in
the indicators we see in Chrome today:
https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf
I skimmed parts of the paper and found the following two takeaways
relevant:
Section 1:
> The indicator's meaning needs to be taught with words when possible.
> Millions of new Internet users have recently come online via smartphones
> without learning "standard" iconography from desktop browsers.
We may also want to change the text next to the onion icon. In the paper,
in Table 4, they evaluated what string users most associate with security
and "secure" won, closely followed by "https," which they deemed too
technical. Another of their candidates was "secure and private" which may
be suitable in our case. I worry that just replacing the lock icon with an
onion may not make it clear what's different -- in particular because
onions are typically not associated with security.
Section 3.1:
> Making major modifications to this [lock] symbol, such as using a
> different object, may be disorienting: users now expect to find a lock in
> a browser window.
I wonder if the presence of an onion will confuse some people? Another way
forward would be to use the lock icon for onion services too but change
the string from "secure" to "secure and private."
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23247#comment:26>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online