Re: [tor-bugs] #25197 [Applications/Tor Browser]: Design document isn't precise about "Security" and "Privacy".

[Tor Bug Tracker & Wiki]

#25197: Design document isn't precise about "Security" and "Privacy".
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-spec  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * parent:  #25021 =>


Comment:

 Let's make this update cycle not harder than it already is and postpone
 this ticket but we should get to it after some thinking.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25197 [Applications/Tor Browser]: Design document isn't precise about "Security" and "Privacy".

[Tor Bug Tracker & Wiki]

#25197: Design document isn't precise about "Security" and "Privacy".
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-spec  |  Actual Points:
Parent ID:  #25021| Points:
 Reviewer:|Sponsor:
--+--

Comment (by traumschule):

 comment:5:ticket:25021 mentions to explain better why extensions can be
 harmful, both for security (preventing exploits) and preventing
 fingerprintability as one danger to privacy, next to leaks of personal
 information. Maybe this is good example to differentiate these concepts.

 Also trackers are a tricky topic that should be covered because
 "deactivate javascript" is the common answer to browse more safely (higher
 security), but it leads to the wrong assumption, that it helps against
 tracking (privacy) while IIUC it does not help against web bugs like
 hidden images or other resources on third party domains etc (only if
 loaded by scripts).

 This is especially important because many users (including myself) are
 trained to install "essential extensions" for privacy:
 https://riseup.net/en/better-web-browsing
 https://riseup.net/en/security/network-security/better-web-browsing
 /browser-score-card

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25197 [Applications/Tor Browser]: Design document isn't precise about "Security" and "Privacy".

[Tor Bug Tracker & Wiki]

#25197: Design document isn't precise about "Security" and "Privacy".
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-spec  |  Actual Points:
Parent ID:  #25021| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arthuredelstein):

 Replying to [comment:4 gk]:

 Just to give what I think is an important anecdote: in my experience,
 *many* people already think the higher settings of the "Security Slider"
 are designed to provide more "privacy protections" such as fingerprinting
 resistance.

 If we want to keep the distinction clear that the slider is not about the
 things in 2.1, I think it will be helpful to use consistent and specific
 terminology, regardless of the context, especially as not everyone is
 going to read the whole document.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25197 [Applications/Tor Browser]: Design document isn't precise about "Security" and "Privacy".

[Tor Bug Tracker & Wiki]

#25197: Design document isn't precise about "Security" and "Privacy".
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-spec  |  Actual Points:
Parent ID:  #25021| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Before the advent of the security slider "code security" was not on the
 radar of the design document. It's aim was (and still to a large extent
 is) to describe what we think a Private Browsing Mode should look like,
 not what a whole browser should look like. In that context "security
 requirements" and "privacy requirements" had/have some particular meaning.

 So, in that regard I think this bug is not really valid, especially as it
 is quite clear in the document what is meant with those concepts. Sure, it
 gets tricky once one does not have the PBM scope of the document in mind,
 but that's not unexpected.

 Now, I am fine if we want to refocus slightly and getting the bigger
 picture into the document which started with the security slider (and
 mentioning it in our design doc) and is intensifying with our planned
 sandboxing efforts.

 I don't want to give up on the distinction made between security and
 privacy requirements per se as that one seems useful. But I think we can
 relabel those. I've been thinking about:

 "security requirements" -> "safety requirements"
 "privacy requirements" -> "unlinkability requirements"

 both under the umbrella of what we would commonly call Private Browsing
 Mode and thus, they are privacy requirements.

 We can call the other one "code security" and put into it the slider but
 as well the updater we deploy and the update notifications over
 Tor(button). Later on all our sandboxing efforts can get into that part,
 too.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25197 [Applications/Tor Browser]: Design document isn't precise about "Security" and "Privacy".

[Tor Bug Tracker & Wiki]

#25197: Design document isn't precise about "Security" and "Privacy".
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-spec  |  Actual Points:
Parent ID:  #25021| Points:
 Reviewer:|Sponsor:
--+--
Changes (by arthuredelstein):

 * parent:   => #25021


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25197 [Applications/Tor Browser]: Design document isn't precise about "Security" and "Privacy".

[Tor Bug Tracker & Wiki]

#25197: Design document isn't precise about "Security" and "Privacy".
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-spec  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arthuredelstein):

 Code security or implementation security are more precise, but I feel they
 have the drawback that they may not mean much to users who are not
 programmers themselves.

 Right now the Security Slider uses the terms "Standard", "Safer",
 "Safest". So we could call it the Safety Slider instead. (It's really a
 Safety-Usability tradeoff slider.) But again, Safety is not entirely
 distinct from Privacy.

 It might be good on the Security Slider itself, to say something like "All
 Privacy Protections are active at every level."

 Interestingly, I just noticed it says on the [https://tb-
 manual.torproject.org/en-US/security-slider.html Security Slider page] in
 the Tor Browser manual:

 > Tor Browser includes a “Security Slider” that lets you increase your
 security by disabling certain web features that can be used to attack your
 security and anonymity.

 Mentioning anonymity here seems to imply that dialing privacy protections
 is a purpose of the Slider, which is true in a technical sense but not our
 intention.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25197 [Applications/Tor Browser]: Design document isn't precise about "Security" and "Privacy".

[Tor Bug Tracker & Wiki]

#25197: Design document isn't precise about "Security" and "Privacy".
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-spec  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arma):

 This ticket started when I saw tor browser devs saying things like "that's
 security, not privacy", which is a recipe for confusion in our modern "you
 have to choose between security and privacy" world.

 I think we have been using two notions:

 * Code security, or implementation security, which is about whether the
 browser can be exploited, which of course then could lead to
 deanonymization, identification, etc.

 * Privacy, which includes fingerprinting defense, but also proxy bypass
 defense, so in a sense it's all of the ways that things can go wrong for
 the user without implementation bugs.

 Our name "security slider" is strictly supposed to be the first one. That
 is, all settings of the security slider are intended to provide all of our
 privacy protections. That is, if a Tor Browser dev ever says "well you set
 your security slider to low so i figured i shouldn't enable that expensive
 tracking protection", then that is a mistake.

 (Arthur correctly points out that reducing surface area, which primarily
 aims to reduce exposure to implementation bugs aka exploits, can also
 improve things against fingerprinting and tracking and so on. That blurry
 line certainly confuses the issue, but it doesn't by itself mean we aren't
 talking about two different topics.)

 The suggestion in this ticket is to (a) have a section towards the top of
 the design doc explaining this distinction between the two goals, and then
 (b) make sure that the rest of the design doc uses these two goals
 correctly, i.e. doesn't confusingly switch between one word and the other.

 It's also worth brainstorming more intuitive terms for each of these
 goals. I think "code security" or "implementation security" is a pretty
 good one for the first, but the privacy one is broad enough that it's not
 obvious which term would be best. Let's not let a lack of the best term
 slow us down too much though. :)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #25197 [Applications/Tor Browser]: Design document isn't precise about "Security" and "Privacy".

[Tor Bug Tracker & Wiki]

#25197: Design document isn't precise about "Security" and "Privacy".
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal|   Keywords:  tbb-spec
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+--
 In Tor Browser, we have a "Security" Slider and various "Privacy"
 features. But these words are not so easily distinguished. Maybe we could
 think of a better words?

 In any case, we should defined the two concepts very clearly in the Design
 document, and we should make sure we don't mix them up. For example,
 section 2.1 is entitled "Security Requirements" but goes on to list what I
 would consider privacy properties and does not include the sort of
 security intended to be provided by the Slider.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs