Opened 5 years ago

Last modified 21 months ago

#11406 new enhancement

UI for ExitNode country selection in tor-launcher

Reported by: mttp Owned by: brade
Priority: Low Milestone:
Component: Applications/Tor Launcher Version:
Severity: Normal Keywords: tbb-usability, tbb-helpdesk-frequent
Cc: mcs, adrelanos@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Users often want to know how to make it appear they are coming from a certain country. There should be a more usable way of doing this than manually adding an ExitNodes line in the Tor Browser's torrc. The country code interface should have a clear warning that setting a country will make you less anonymous.

Child Tickets

Change History (20)

comment:1 Changed 5 years ago by mttp

Priority: normalminor

comment:2 Changed 5 years ago by mcs

Cc: mcs added

comment:3 Changed 5 years ago by cypherpunks

It would be useful if the effect of this setting were only temporary, i.e. if there were an option "make me appear to be in country XY until I next click 'new identity'".

That would probably be a better trade off between anonymity and functionality.

I suspect that typically, users don't need to appear to be coming from a given country all the time; they only need this feature to access certain sites.

comment:4 Changed 5 years ago by mttp

What should be the requirements for countries that are listed as possible options? Listing all countries will make users mad when they choose a country with no exits. If the criteria were "All countries with an exit node," users might pick a country that had exits, but no exits that exit on port 80 or port 443. If the criteria were "all countries with at least one exit node that exits on 80 an 443", users might pick a country with only one really slow exit, and get confused when their circuits stall/fail. My preference is for "all countries with more than one fast exit according to compass". This would probably require that the possible country choices get updated at some point in the future as the network grows.

comment:5 Changed 5 years ago by mttp

This can't be a drop down menu. The interface needs to support the use case where the user has manually edited their torrc to list multiple exit node country codes. When this happens, the user interface should accurately reflect tor's actual configuration.

Checkboxes might work, with checkboxes for each country with web facing exits. The interface might also need a validated type-in box for "other" if the user really wants to try to set tor to exit in a country without an exit, but maybe not.

comment:6 Changed 5 years ago by mttp

Summary: Country code drop down menu in tor-launcherUI for ExitNode country selection in tor-launcher

comment:7 Changed 5 years ago by mttp

Requiring an 'other' checkbox seems like it would add unnecessary complexity to the selection interface. A simpler approach would be one text field, similar to the "Allowed Ports" firewall field that separates entries by commas. The user could be trained to enter country codes and surround them with braces if an informative label or table object was included that associated each country with a web facing exit with the expected input format.

Last edited 5 years ago by mttp (previous) (diff)

comment:8 Changed 5 years ago by mttp

It looks like this enhancement is blocked by #10425. I guess we need to wait until setting Tor's ExitNode option works as expected.

comment:9 in reply to:  8 ; Changed 5 years ago by brade

Replying to mttp:

It looks like this enhancement is blocked by #10425. I guess we need to wait until setting Tor's ExitNode option works as expected.

mttp: Can you explain why this is blocked by the missing geoip6 file? Are there many ipv6 nodes? I was able to use the following to get US exit nodes:

GeoIPExcludeUnknown 1
ExitNodes {US}

comment:10 in reply to:  9 ; Changed 5 years ago by mttp

Replying to brade:

I was able to use the following to get US exit nodes:

GeoIPExcludeUnknown 1
ExitNodes {US}

I'll suggest this config to the help desk users that say setting ExitNodes with a country doesn't always cause them to exit in the country they set. If problems persist, I'll elaborate on the tbb-dev list. Great!

comment:11 Changed 5 years ago by lunar

I don't think this is a good idea. Can we really encourage users to tweak the path selection algorithm? Maybe that's just elitism, but I'd rather leave such options hard to discover as we have good intuition that it skews anonymity…

comment:12 in reply to:  8 ; Changed 5 years ago by arma

Replying to mttp:

It looks like this enhancement is blocked by #10425. I guess we need to wait until setting Tor's ExitNode option works as expected.

To be clear, #10425 is about the ipv6 geoip file. Not the "normal" geoip file. That is, I believe Tor's ExitNode option currently does work as expected.

comment:13 in reply to:  10 Changed 5 years ago by arma

Replying to mttp:

I'll suggest this config to the help desk users that say setting ExitNodes with a country doesn't always cause them to exit in the country they set. If problems persist, I'll elaborate on the tbb-dev list. Great!

What evidence do those users have? In the past, users would use Vidalia to visualize their circuits, and Vidalia never distinguished between internal circuits and exit circuits, so when Vidalia built a preemptive hidden service circuit whose final hop wasn't in the country the users wrote in their ExitNodes line, they would freak out and think ExitNodes wasn't working. Maybe these users are doing something similar here? Or maybe they are editing the wrong torrc file?

comment:14 in reply to:  11 ; Changed 5 years ago by arma

Replying to lunar:

I don't think this is a good idea. Can we really encourage users to tweak the path selection algorithm? Maybe that's just elitism, but I'd rather leave such options hard to discover as we have good intuition that it skews anonymity…

Actually, my main reason for not being a fan of making this easy is because of all the users who want to use Tor to get around geoip restrictions, and historically that has been associated with higher bandwidth load (hulu, bbc video, etc). "If you want a vpn to pretend you're in England, go use one."

I think the 'skewing anonymity' part applies more to the people who _exclude_ certain countries because of various superstitions (or because of real genuine fears about those countries, but misunderstandings about Internet routing).

That said, there are a growing number of services like banks, paypal, etc that really mess up your life if you show up from an unexpected country. But on the third hand, it's not clear to me that a little checkbox off to the side in tor launcher is going to by itself help enough of the users who are having these problems.

Matt, what use cases did you have in mind here?

comment:15 in reply to:  12 Changed 5 years ago by mttp

Replying to arma:

To be clear, #10425 is about the ipv6 geoip file. Not the "normal" geoip file. That is, I believe Tor's ExitNode option currently does work as expected.

Ok, maybe I've confused the issue then. But I do frequently (twice per week maybe) see emails from Tor Browser users who aren't using Vidalia who say that they've set the ExitFlag and they don't appear to be exiting from the country they've set in their torrc. I think this is a separate issue though, so maybe it needs a separate ticket? Or maybe this conversation should be moved to a mailing list or IRC?

comment:16 in reply to:  14 ; Changed 5 years ago by mttp

Replying to arma:

Replying to lunar:

I don't think this is a good idea. Can we really encourage users to tweak the path selection algorithm? Maybe that's just elitism, but I'd rather leave such options hard to discover as we have good intuition that it skews anonymity…

Actually, my main reason for not being a fan of making this easy is because of all the users who want to use Tor to get around geoip restrictions, and historically that has been associated with higher bandwidth load (hulu, bbc video, etc). "If you want a vpn to pretend you're in England, go use one."

I think the 'skewing anonymity' part applies more to the people who _exclude_ certain countries because of various superstitions (or because of real genuine fears about those countries, but misunderstandings about Internet routing).

That said, there are a growing number of services like banks, paypal, etc that really mess up your life if you show up from an unexpected country. But on the third hand, it's not clear to me that a little checkbox off to the side in tor launcher is going to by itself help enough of the users who are having these problems.

Matt, what use cases did you have in mind here?

Setting the country that Tor appears to be exiting from is a common help desk request. This is functionality that used to be available to users graphically through Vidalia but no longer is. Reintroducing this option into the UI would help make Tor Browser users less reliant on the help desk and more knowledgeable about how Tor works.

Users think Tor can do this, they are right, but when they don't find a way to do this in Tor Browser's interface they go searching for a solution, not on our website, but on Google, which takes them to arbitrary blog/forum posts that say who knows what. By keeping the ExitNodes flag within Tor itself, but withholding an intuitive way to set this popular option, we are encouraging this dangerous workflow (dangerous because the bloggy magicians may tell users that they should set various other options that don't serve users).

I do not know the reason that this functionality is so frequently requested, but the request is usually for setting one country as an exit---requests for how to exclude countries are less frequent (and I don't think would be addressed in this feature anyway). My sense is that this feature would indeed often be used to circumvent GeoIP restrictions for video sites like YouTube, but it would also be used to post on location-specific forums such as nairaland.com or sportal.com.au.

Forcing Tor Browser users into a headache-inducing workflow does not serve the users.

comment:17 in reply to:  16 ; Changed 5 years ago by arma

Replying to mttp:

This is functionality that used to be available to users graphically through Vidalia but no longer is.

I think this part isn't true? That is, I think Vidalia never had any such support for setting ExitNodes?

Forcing Tor Browser users into a headache-inducing workflow does not serve the users.

Hm. I guess this is indeed the question at hand.

(Also, writing the country code is likely to screw users up, since they e.g. write {UK} and wonder why it isn't England.)

comment:18 in reply to:  17 Changed 5 years ago by mttp

Replying to arma:

Replying to mttp:

This is functionality that used to be available to users graphically through Vidalia but no longer is.

I think this part isn't true? That is, I think Vidalia never had any such support for setting ExitNodes?

Oops.
(Maybe I was thinking of the easier torrc editing abilities. Which would also be nice, but, of course, is something else entirely.)

Forcing Tor Browser users into a headache-inducing workflow does not serve the users.

Hm. I guess this is indeed the question at hand.

Point taken.

(Also, writing the country code is likely to screw users up, since they e.g. write {UK} and wonder why it isn't England.)

My thought was to have an educational label that associated the countries with web-facing exit relays (not that long of a list unfortunately) with their country codes. This could be modified later as needed.

The other thought was to have a label encouraging users not to configure their exit node unless they knew they needed to. The phrasing would need to be worked out. Maybe that's too many labels though.

comment:19 Changed 5 years ago by proper

Cc: adrelanos@… added

comment:20 Changed 21 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.