Tor Browser should be visually distinguished from Firefox to prevent user error

added component::applications/tor browser owner::tbb-team priority::very low reporter::ageisp0lis severity::normal status::new tbb-usability type::enhancement ux-team labels

Trac:
Username: ageisp0lis

Side-by-side comparison of TorBrowser and Firefox on Debian Linux running Gnome

Trac:
Username: ageisp0lis

There is a cost here to be kept in mind: The better the distinction between vanilla Firefox and the Tor Browser is, the easier it is for users to get identified as Tor Browser users if someone looks over their shoulders.

See #10642 (closed) for additional input.

Trac:
Version: Tor: unspecified to N/A
Keywords: Tor Browser Bundle deleted, tbb-usability added

Subscribing

Trac:
Username: dwt

Replying to ageisp0lis:

More than once, I have had multiple browsers open (in this example, let's say both Tor Browser and Firefox due to their similarity) and have mixed them up, for example logging into accounts or entering information I intended to keep compartmentalized only transmitted over the Tor network. In situations where OPSEC is important, such a mistake can be very costly indeed.

This led me to give some thought to the idea that the Tor Browser should be more visually distinct to prevent this type easily committed user error that can compromise privacy and security in potentially disastrous situations. At present, the title bar and onion logo are the main distinguishing features that allow a Desktop user to know which environment they are working in. In my opinion, that's not enough. Is there anything more that can be done to customize TorBrowser's UI?

Any thoughts or ideas about this? You shouldn't use both Tor Browser and Firefox, use just Tor Browser. This helps both Tor and you.

Replying to gk:

There is a cost here to be kept in mind: The better the distinction between vanilla Firefox and the Tor Browser is, the easier it is for users to get identified as Tor Browser users if someone looks over their shoulders.

Agree strongly. It is important to me that I can press 'F11' to full screen Tor Browser and it look similar to Firefox or vaguely similar to IE. If we must make Tor Browser obviously Tor (and I don't agree with this), please include an option to turn it off. I am sometimes in a position where if someone could see I'm using Tor Browser, it could cause problems.

Bringing in my comment from #10642 (closed):

-- snip --

The Tor browser should have a clear visual distinction to the normal browser, to help prevent the user mixing it up with the normal Firefox instance he is running and thus inadvertently loosing anonymity without wanting to. I know myself, I will mix this up many times, so I need all the help I can get in not getting the two confused and giving up my privacy without wanting to.

I see several facets here:

For me as a user who does not need to fear shoulder surfing or imminent inspection of my machine from an adversary, a firefox theme that is clearly marked as TOR is perfect. Examples https://addons.mozilla.org/en-US/firefox/addon/tor-browser-c/ https://addons.mozilla.org/en-US/firefox/addon/tor-browser-b/ I would prefer something a little better integrated with system colors though for improved readability.
For a user who has to fear shoulder surfing something more subtle would be preferable, I would suggest something that is visually very distinct but doesn't hint at the TorProject directly. When you install TorBrowser for the first time, it already asks some setup questions (like: do you need a proxy). That would be a good time to offer a choice of themes to. Perhaps asking for a threat profile is a bit much. The end result should however definitely be that the Tor Browser is visually very distinct to the regular browser.

-- snap --

In response to cypherpunks:

It is a luxury to be able to only use Tor browser that I do not have and also one that I do not think is sensible. If I want to appear in Public with my name, I do not want to use the Tor-Browser because I want to absolutely make sure that there is no tracking that can link my public name to any of the secret identities. So especially for operational security I think it is important that the two can easily be made visually distinct.

I do agree that doing it via Theme and having an obvious advertising for the Tor-Browser is not the right thing for every circumstance, so perhaps something more subtle should be the default. Still it should be different than standard Firefox. I would argue that the fact that Firefox is already theme able and that themes are used by many people gives enough plausible deniability for a different theme to make this a viable option for the Tor project.

Trac:
Username: dwt

Using only TBB and not Firefox is not practical for all users, for many reasons. I'm talking about compartmentalizing information and activity, even identities, in different browsers. That's the way many people need to work.

A theme that makes it more distinguished from Firefox would be perfect, and dwt's suggestion of a 'subtle' option for those concerned about shoulder surfing is a great idea. So yeah, optional theme selected during setup.

I agree with the rest of the comments.

Trac:
Username: ageisp0lis

I've just had a nice chat with Jakob Appelbaum at CCC in Berlin and learned that he wholeheartedly supports the cause of this bug.

In chatting with people here one raised the argument that TorBrowser currently doesn't protect against shoulder surfing either (because it displays a huge 'you are using TorBrowser' screen upon startup).

Thus a good first step would be to choose a really obvious theme to really ensure that you do not mistake a TorBrowser window for a regular Firefox window.

Then add another more subtle theme later as another patch to allow some choice when describing your own threat profile.

Would you guys merge a patch that brings in a default theme like this:

https://addons.mozilla.org/en-US/firefox/addon/tor-browser-c/

I would be happy to provide the patch.

I'd think that the theme would be even better if the 'for' graphic in the upper right a bit smaller and move it to the left, to have less interference with the window manager buttons and the toolbar buttons beneath.

Would you take a patch like that?

Trac:
Username: dwt
Cc: N/A to spamfaenger@gmx.de

I think we can provide an alternate theme as an option, but there is the question of what the default should be, and at what point we should ask the user which they prefer. I would like to avoid asking many questions of the user in the default case, and I am not yet convinced that the default should be a drastically different theme than normal Firefox.

There is also a difference between the homepage telling the user that they are using Tor (which is temporary, and which they can close or navigate away from, or otherwise not always have visible), and making the default always be obvious from a distance at all times.

Suggestions for possible solutions here is welcome. I bet there is a solution that can make everyone happy (especially since we have people willing to put the work into providing it for us), but we need to be a little careful in what form that solution takes, and how and when we present this choice to the user.

Trac:
Cc: spamfaenger@gmx.de to spamfaenger@gmx.de, mcs

Replying to mikeperry:

I am not yet convinced that the default should be a drastically different theme than normal Firefox.

To be effective at all, the difference must be obvious, but that doesn't mean that the entire visual appearance must be changed. Something as simple as changing the icon scheme from default FF could be enough for users, without being obvious to onlookers that something different is happening. The obvious option would be to add a new header background and change icons to be clear that one is using Tor. But this may be tricky for users in an office or internet cafe where people walking past is common.

Impact on user experience could be quite positive if we can iron out the details.

Edit: And I doubt that many users would deviate from TBB's standard theme.

Trac:
Cc: spamfaenger@gmx.de, mcs to spamfaenger@gmx.de, mcs, griffin@cryptolab.net

2 years ago, when Tor Browser was using Firefox Aurora, the menu button on top left was purple, which is also the color of Tor Project's website. It also looked nice, can we at least change that color if possible.

Off-topic: Can the title TorBrowser there be replaced with Tor Browser?

Trac:
Keywords: N/A deleted, needs-triage added

It seems surprisingly hard to create a theme for Firefox. Though it has a facility to do lightweight themes, which would be perfect for this bug, those seemingly cannot be installed from a file and thus cannot be distributed with tor browser.

The obvious alternative is to create a full theme, but that seems to entail copying all internal styles from firefox and re-creating all the changes they applied for their lightweight theme support. Not to mention that this then needs to be recopied and maintained for each new firefox version. :-/ Not pretty. :-/

I'm currently looking into mixed forms, i.e. a Firefox plugin that will install the theme on demand, but I'm not having any luck trying this out, or finding any documentation that explains how this would have to be done. Some guidance would be greatly appreciated.

I'm currently also asking for guidance on the mozilla developer forum - is there any better place to ask about this?

Trac:
Username: dwt

Well, got a good tip on irc.mozilla.org#addons to look at plugins like https://addons.mozilla.org/de/firefox/addon/bob-marley-2014-theme-with-/ which basically uses the lightweight theme manager directly to install a lightweight theme like this from a plugins bootstrap.js

	let lightweightTheme = {
		"custom": true,
		"footerURL": "chrome://<pluginname>/skin/footer.png",
		"headerURL": "chrome://<pluginname>/skin/header.png",
		"accentcolor": "#ffffff",
		"textcolor": "#000000",
		"id": "<pluginname>",
		"name": "Prevent confusing firefox and tor browser windows"
	}
    Components.utils.import("resource://gre/modules/LightweightThemeManager.jsm");	
	LightweightThemeManager.themeChanged(lightweightTheme)

Trac:
Username: dwt

Lightweight themes are quite easy to create (these used to be called Personas). More information: https://developer.mozilla.org/en-US/Add-ons/Themes/Lightweight_themes

The downside here is that it's not possible to change some of the finer details like icons. Creating a full theme isn't impossible, but much like making an extension it's pretty tricky the first time you do it. Official documentation here: https://developer.mozilla.org/en-US/docs/Building_a_Theme

Another option might be to make minor tweaks to a well-maintained free-license theme such as: https://github.com/louischan/simplewhite

As it stands, a lightweight theme might be our best option.

@saint: Thanks for the tips, lightweight Themes it is for me.

I've got a first rough draft up at https://github.com/dwt/tor-browser-improved-distinction-theme and would love some feedback.

To install it you need to add a textfile named after the themes id 'torbrowser-improved-distinction@haecker.me' into your firefox profiles extensions folder and put the full path to the checkout into it.

So something like this:

cd $firefox_profile_folder/extensions
cat $theme_checkout_location > torbrowser-improved-distinction@haecker.me

Then Firefox should ask if you want to install the theme on it's next startup.

Trac:
Username: dwt

Tor Browser should be visually distinguished from Firefox to prevent user error

Child items 0

Activity