Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
-+-
 Reporter:  arthuredelstein  |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-security-slider, |  Actual Points:
  TorBrowserTeam201611R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by boklm):

 I created #20626 for the tests update.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
-+-
 Reporter:  arthuredelstein  |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-security-slider, |  Actual Points:
  TorBrowserTeam201611R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  needs_review => closed
 * cc: boklm (added)
 * resolution:   => fixed


Comment:

 Looks good to me. bolkm, our slider tests need to get updated I think.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
-+-
 Reporter:  arthuredelstein  |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-security-slider, |  Actual Points:
  TorBrowserTeam201610R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by mcs):

 Kathy and I reviewed the 20264+1 patch and it looks okay to us (of course
 gk should also review it because it would be bad to ship a a buggy
 security slider).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
-+-
 Reporter:  arthuredelstein  |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-security-slider, |  Actual Points:
  TorBrowserTeam201610R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by arthuredelstein):

 Here's a new version of the patch, rebased onto my 20347+1 patch:
 ​https://github.com/arthuredelstein/torbutton/commit/20264+1

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
-+-
 Reporter:  arthuredelstein  |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-security-slider, |  Actual Points:
  TorBrowserTeam201610R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by arthuredelstein):

 * keywords:  tbb-security-slider => tbb-security-slider,
 TorBrowserTeam201610R
 * status:  new => needs_review


Comment:

 Here's a patch for review:
 https://github.com/arthuredelstein/torbutton/commit/20264

 It depends on the patch proposed for #20347.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-security-slider   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by bugzilla):

 Replying to [comment:6 arthuredelstein]:
 > Replying to [comment:5 bugzilla]:
 > > > Also I think the current Medium-High is probably the best compromise
 for most users who are sophisticated enough to adjust the security slider.
 > > You think correctly, but it shows that TBB is still a compromise :(.
 > There is an inherent tension between security and usability in any
 browser -- a compromise is unavoidable. The slider is there to give the
 user some choice in the compromise they wish to make. If there were no
 tension, there would be no slider.
 Compromise is that the user wants to set High, but has to use Medium-High,
 because of e.g. #20314 and #17637.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-security-slider   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arthuredelstein):

 Replying to [comment:5 bugzilla]:
 > > Also I think the current Medium-High is probably the best compromise
 for most users who are sophisticated enough to adjust the security slider.
 > You think correctly, but it shows that TBB is still a compromise :(.
 There is an inherent tension between security and usability in any browser
 -- a compromise is unavoidable. The slider is there to give the user some
 choice in the compromise they wish to make. If there were no tension,
 there would be no slider.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-security-slider   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by bugzilla):

 Replying to [ticket:20264 arthuredelstein]:
 > Something we talked about at the Seattle meeting is the possibility of
 having only 3 allowed security slider states: Low, Medium and High.
 Lo-Mid-Hi, let's make security as easy as consumer-grade electronics :)
 (No, it will never be as easy, it's just a false sense of security.)
 > We would migrate users at Medium-Low to Medium-High and rename the
 latter to Medium. It seems such a change would improve usability and
 security.
 Usability - by removing two-word names :), security - by removing one JS-
 MitM-enabled position, and privacy - by reducing fingerprinting.
 > Also I think the current Medium-High is probably the best compromise for
 most users who are sophisticated enough to adjust the security slider.
 You think correctly, but it shows that TBB is still a compromise :(. Every
 higher setting should include everything from previous (including
 flexibility) and shouldn't degrade in security options (I'll file separate
 tickets for those issues).
 > Discuss! :)
 The other teams prohibit to use bugtracker for discussions, but TBB Team
 encourages :)
 (It's good when no forum, but could be bad when no moderation.)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-security-slider   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by fem):

 I think it's a good idea as the only difference between Medium-Low and
 Medium-High is that Medium-Low disables some JS performance optimizations
 (ION JIT, Type Inference, ASM.JS) while Medium-High disables all js
 optimizations (..., Baseline JIT) in addition to all js on non-https sites
 by default and SVG OpenType font rendering.

 The differences with Low would then be that Medium makes html5 media
 click-to-play, disables MathML and blocking JAR files (which there's
 another ticket open discussing dropping the option from the slider,
 enabling it by default).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-security-slider   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by mcs):

 I also believe that reducing the choices from four to three makes sense in
 terms of usability. Looking at what is different between Medium-Low and
 Medium-High, the only setting that I am a little worried about is
 `javascript.options.baselinejit.content = false`. I don't know if that
 reduces JS performance enough that users will dislike Medium-High.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-security-slider   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 I think this is a good idea. I am not sure yet, though, whether we should
 put that on our October plate given all the loose ends with our SponsorU
 funding. But it could be something for Tor Browser 6.5. Adapting the code
 for just 3 settings for Android should not be that hard.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-security-slider   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by arthuredelstein):

 * cc: amoghbl1 (added)


Comment:

 Also, it might be good to figure this out soon given that Amogh is porting
 the security slider to Android.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #20264 [Applications/Tor Browser]: Reduce number of security slider states from 4 to 3 (proposed)

[Tor Bug Tracker & Wiki]

#20264: Reduce number of security slider states from 4 to 3 (proposed)
--+
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal|   Keywords:  tbb-security-
  |  slider
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+
 Something we talked about at the Seattle meeting is the possibility of
 having only 3 allowed security slider states: Low, Medium and High. We
 would migrate users at Medium-Low to Medium-High and rename the latter to
 Medium. It seems such a change would improve usability and security. Also
 I think the current Medium-High is probably the best compromise for most
 users who are sophisticated enough to adjust the security slider.

 Discuss! :)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs