[tbb-bugs] #28259 [Applications/Tor Browser]: Is not saving history hurting Tor Browser retention rates?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Feb 14 17:55:25 UTC 2019
#28259: Is not saving history hurting Tor Browser retention rates?
-------------------------------------------------+-------------------------
Reporter: arthuredelstein | Owner: tbb-
| team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: gallagher2018, ux-team, tbb- | Actual Points:
usability |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by kevun):
Hello! Author of the paper in question, here.
Addressing the comments of gk and pospeselr, I think if saving history and
offering a password manager were available in the Tor Browser, it should
definitely be dependent on the threat model of the user. I think there are
many threat models in which considering a local adversary makes perfect
sense, and that the encryption of the information such as history and
passwords is not always enough to protect people with a local adversary in
certain regimes, such as the UK and others, where mandatory key disclosure
is a tool that law enforcement could use to destroy anonymity, or hold
people who have encrypted histories in prison indefinitely. However, in
other regimes that do not have mandatory key disclosure laws, such as the
US, encryption is enough to protect the history and passwords of the
person using the Tor Browser.
However, for people who do not have a local adversary, the concept of disk
avoidance in the TB design document does not make much sense. It makes TTB
less usable than other browsers for no real benefit.
The original context in which I proposed this solution in the paper was to
have an "adversary wizard" such that people could choose their
adversary/adversaries and have the disk avoidance features turn on and off
for them, based on their selections. If that is too burdensome or not
realistic, however, it may simply be sufficient to have an option to allow
disk avoidance in preferences, with having the safer option (not storing
history or passwords) as the default. I want TTB to be more usable,
certainly, but security is most definitely the primary priority in my
mind.
Either way, I don't think that this should be an option that remains
unconfigurable for the average person using Tor. It may be possible to
have three settings for this:
1) Default, current setting. Disk avoidance remains.
2) Disk avoidance is turned off, and all history is encrypted and requires
a passphrase at TTB launch.
3) Disk avoidance is turned off, no encryption is used and no passphrase
is required. (I don't like this one, but I could see some users who
***really*** aren't worried about local adversaries requesting it).
However, there are pros and cons to each of these settings. I think
they're worth discussing in more detail, for anyone who is interested in
weighing in.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28259#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list