[tor-dev] Rethinking Bad Exit Defences: Highlighting insecure and sensitive content in Tor Browser

Jeremy Rand jeremyrand at airmail.cc
Sun Apr 2 02:46:51 UTC 2017



Tom Ritter:
> It seems reasonable but my first question is the UI. Do you have a 
> proposal?  The password field UI works, in my opinion, because it 
> shows up when the password field is focused on. Assuming one uses
> the mouse to click on it (and doesn't tab to it from the username)
> - they see it.
> 
> How would you communicate this for .onion links or bitcoin text?
> These fields are static text and would not be interacted with in
> the same way as a password field.
> 
> A link could indeed be clicked - so that's a hook for UX... A
> bitcoin address would probably be highlighted for copying so that's
> another hook... But what should it do?
> 
> -tom

Bitcoin has a URL scheme that is increasingly used, so the UI
mechanism could be the same as for .onion links.  However, for both
.onion links and for bitcoin: links, there's a risk that the website
will simply ask the user to manually copy the .onion URL or Bitcoin
address -- I doubt that most users will recognize this as an attempt
to evade detection.  So any UI mechanism will probably need to
recognize any string that looks like a .onion URL or a Bitcoin
address, even if they're not links.

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at airmail.cc
Mobile PGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with PGP.
Please don't send me unencrypted messages.
My business email jeremy at veclabs.net is having technical issues at the
moment.
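
The recognition step discussed in the message above, as an added example that is not part of the original post or of Tor Browser: a scanner that finds .onion hostnames and Bitcoin addresses in plain text whether or not they are links, using the Base58Check checksum to discard look-alike strings. It assumes Node.js for hashing and covers only Base58 addresses; the function names and the sample text are constructed for illustration.

```javascript
// Added example: find .onion hostnames and Bitcoin addresses in plain text,
// whether or not the page marks them up as links. Node.js is assumed.
const { createHash } = require('node:crypto');

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256 = (buf) => createHash('sha256').update(buf).digest();

// Base58Check address: version byte + 20-byte hash + 4-byte checksum, where
// the checksum is the first 4 bytes of SHA-256(SHA-256(version || hash)).
function isBase58CheckAddress(s) {
  let n = 0n;
  for (const ch of s) {
    const i = B58.indexOf(ch);
    if (i < 0) return false;
    n = n * 58n + BigInt(i);
  }
  const hex = n.toString(16).padStart(50, '0');
  if (hex.length !== 50) return false; // does not decode to exactly 25 bytes
  const raw = Buffer.from(hex, 'hex');
  // Each leading '1' encodes one leading zero byte; reject padded variants.
  if (raw.findIndex((b) => b !== 0) !== /^1*/.exec(s)[0].length) return false;
  const check = sha256(sha256(raw.subarray(0, 21))).subarray(0, 4);
  return check.equals(raw.subarray(21));
}

// 16 base32 characters (v2 onion addresses) or 56 (v3 onion addresses).
const ONION_RE = /\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b/gi;
// Candidate addresses only; the checksum decides whether one is reported.
const BTC_RE = /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g;

function findSensitiveStrings(text) {
  const hits = [];
  for (const m of text.matchAll(ONION_RE)) {
    hits.push({ kind: 'onion', value: m[0].toLowerCase(), index: m.index });
  }
  for (const m of text.matchAll(BTC_RE)) {
    if (isBase58CheckAddress(m[0])) {
      hits.push({ kind: 'bitcoin', value: m[0], index: m.index });
    }
  }
  return hits.sort((a, b) => a.index - b.index);
}

// Constructed page text: one real-format address (the well-known genesis block
// address), a constructed .onion name, and the address with a corrupted last char.
const SAMPLE = 'Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, then paste ' +
  'abcdefghijklmnop.onion into the address bar. Ref 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb';
console.log(findSensitiveStrings(SAMPLE));
```

In a browser the same function would be run over the page's text nodes; how the result is then shown to the user is the open UI question in the thread.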

