Opened 4 years ago

Closed 18 months ago

#16665 closed enhancement (fixed)

Circuit visualizer needs a cue about guards

Reported by: lunar Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-usability, tbb-circuit-display, TorBrowserTeam201603, ux-team, tbb-7.0-frequent
Cc: mcs, arthuredelstein, sajolida@…, Spencer, dmr Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

One user came to me really confused about the fact that everytime they used “New identitiy” or “New circuit for this site”, the first Tor node in the circuit was always the same. We probably should add an explanation about guards somewhere close to the circuit visualizer.

Child Tickets

Attachments (2)

Screen Shot 2015-09-25 at 11.28.44 AM.png (59.4 KB) - added by arthuredelstein 4 years ago.
circuit display learn more.png (56.5 KB) - added by mcs 4 years ago.
"Learn More" mockup

Download all attachments as: .zip

Change History (40)

comment:1 Changed 4 years ago by gk

Keywords: tbb-usability added

I think this is a good idea as I see this as a recurring theme in our blog comments, too. I fear, though, that getting the UX right is a non-trivial thing...

comment:2 Changed 4 years ago by lunar

One easy way I could think of is to have something like “89.234.157.254 (France, Guard)” with “Guard” hyperlinked to a good and accessible explanation of guards on Torproject.org website. That last part is tricky, but doesn't require coding.

comment:3 in reply to:  2 ; Changed 4 years ago by yawning

Replying to lunar:

One easy way I could think of is to have something like “89.234.157.254 (France, Guard)” with “Guard” hyperlinked to a good and accessible explanation of guards on Torproject.org website. That last part is tricky, but doesn't require coding.

Instead of something on tpo, maybe about:guards internal to the browser to save on bandwidth would be better.

comment:4 Changed 4 years ago by mcs

Cc: mcs added

comment:5 in reply to:  3 ; Changed 4 years ago by lunar

Replying to yawning:

Instead of something on tpo, maybe about:guards internal to the browser to save on bandwidth would be better.

Do you see any special actions on such page? Like a “Change Guard” button?

(I haven't followed any discussions or progress on a Tor Browser User Manual lately, so I don't know if this would also fits in there, and the bundling question.)

comment:6 in reply to:  5 Changed 4 years ago by yawning

Replying to lunar:

Replying to yawning:

Instead of something on tpo, maybe about:guards internal to the browser to save on bandwidth would be better.

Do you see any special actions on such page? Like a “Change Guard” button?

Not off the top of my head. Forcing a new guard is almost always bad for the user, so I think such feature would do more harm than good ("My tor is slow and bashing New Identity doesn't help, I'll rotate my guard" is something that should be difficult imo). It just felt like the documentation would be relatively static, and there's no need to strain the network with circuit creation etc, for a simple description about guards.

I can see the argument on making it centrally hosted as well, particularly in the ease of updating/localization fronts.

(I haven't followed any discussions or progress on a Tor Browser User Manual lately, so I don't know if this would also fits in there, and the bundling question.)

No idea here.

comment:7 Changed 4 years ago by arthuredelstein

Cc: arthuredelstein added

comment:8 Changed 4 years ago by gk

Keywords: tbb-circuit-display added

Changed 4 years ago by arthuredelstein

comment:9 Changed 4 years ago by arthuredelstein

Here's a patch for review, where I suppress the IP and country name for the guard node. Instead, the circuit display simply says "Guard node" or, if there is a bridge, "Bridge: meek". This helps protect the user from leaking the identity of the guard, and it also mostly avoids the confusion described in this ticket.

https://github.com/arthuredelstein/torbutton/commit/16665

Here's how the circuit display looks with this change:


Version 0, edited 4 years ago by arthuredelstein (next)

comment:10 Changed 4 years ago by arthuredelstein

Keywords: TorBrowserTeam201509R added
Status: newneeds_review

comment:11 Changed 4 years ago by arthuredelstein

(Note that I added a new phrase, "Guard node" for translation, so we will need to push to Transifex in order for the tor circuit display to function properly with non-English locales.)

comment:12 Changed 4 years ago by mcs

The patch looks OK to me, but I wonder if some people will complain that the guard or bridge IP is now hidden. Maybe we should provide some way to see it, even if it is hidden by default.

comment:13 Changed 4 years ago by cypherpunks

My suggestion would be not remove the IP address that is next to Guard Node. First of all, it's useful for users to know what the IP address is, when guards change IP addresses and possibly (albeit a low chance) if the guard node's IP are changing within an irregular time frame. At the very least the country which the guard node is coming from should be shown. The "leaking the identity of the guard accidentally via screenshots" isn't really common so it shouldn't be something that should affect this.

Also, if possible create the ability to hover over the word "Guard node" and show a message which tells the user that "Guard node IP addresses change every ~3 months" or similar. This would greatly reduce people asking why guard node IP addresses are the same.

Last edited 4 years ago by cypherpunks (previous) (diff)

comment:14 Changed 4 years ago by cypherpunks

There should be an easy way for users to determine their guard node. Problems with guard nodes are not that uncommon and the guard node display helps tracking them down.

comment:15 Changed 4 years ago by gk

Moving needs_review tickets to October 2015.

comment:16 Changed 4 years ago by gk

Keywords: TorBrowserTeam201510R added; TorBrowserTeam201509R removed

Batch modification for realz now.

comment:17 in reply to:  13 Changed 4 years ago by gk

Status: needs_reviewneeds_revision

Replying to cypherpunks:

My suggestion would be not remove the IP address that is next to Guard Node. First of all, it's useful for users to know what the IP address is, when guards change IP addresses and possibly (albeit a low chance) if the guard node's IP are changing within an irregular time frame. At the very least the country which the guard node is coming from should be shown. The "leaking the identity of the guard accidentally via screenshots" isn't really common so it shouldn't be something that should affect this.

Also, if possible create the ability to hover over the word "Guard node" and show a message which tells the user that "Guard node IP addresses change every ~3 months" or similar. This would greatly reduce people asking why guard node IP addresses are the same.

I generally agree with that and thing we should keep the IP address. Hovering over "Guard node" might be one option although it might be hard to tell the user that there is something to hover in the first place. Maybe putting a "?" next to the first hop and allowing to hover over that one might help?

Changed 4 years ago by mcs

"Learn More" mockup

comment:18 Changed 4 years ago by mcs

How about adding a "Learn More" link at the bottom that points to a page that tells people a little bit about circuits and guards? Here is a mockup:

"Learn More" mockup

comment:19 in reply to:  18 ; Changed 4 years ago by arthuredelstein

Replying to mcs:

How about adding a "Learn More" link at the bottom that points to a page that tells people a little bit about circuits and guards? Here is a mockup:

[...]

I think this is a good idea. Do we have such a page?

comment:20 Changed 4 years ago by cypherpunks

I think the question mark (?) + line saying when guard nodes change like gk mentioned is better than a Learn More page. Reality is most people who ask why guard nodes IP addresses do not change are not going to click an extra link to learn more (thus not solving the issue). The ? directly next to the Guard Node is simple, easy to understand and conveys the reason.

Maybe adding them both will be more effective.

Last edited 4 years ago by cypherpunks (previous) (diff)

comment:21 in reply to:  19 Changed 4 years ago by mcs

Replying to arthuredelstein:

I think this is a good idea. Do we have such a page?

I don't know. We may have to create one.

Replying to cypherpunks:

I think the question mark (?) + line saying when guard nodes change like gk mentioned is better than a Learn More page. Reality is most people who ask why guard nodes IP addresses do not change are not going to click an extra link to learn more (thus not solving the issue). The ? directly next to the Guard Node is simple, easy to understand and conveys the reason.

Maybe adding them both will be more effective.

I don't know if many people will click "Learn More"; you may be right that most will not.

A short text message that shows up when hovering over a (?) icon seems OK, but it does not seem worthwhile to send people to a new page just for a short message. And that means we should show some text as an "on hover" message, but I am not sure if we can do on top of the menu popup that is already open.

comment:22 Changed 4 years ago by lunar

I think understanding why guards are useful is complicated and probably needs more than a couple of sentences. This is where opening the right page of the Tor Browser User Manual would be useful. Sadly, I've lost track on the latter.

I don't like the “Learn more” approach as it's quite far from the Guard itself. I still like the suggestion I made earlier: having something like “France (89.234.157.254, Guard)” with “Guard” hyperlinked.

comment:23 Changed 4 years ago by yawning

If we go for the "click to open a new page that details this" option, I presume it will be internal to the bundle and not involve network access? (No strong opinions either way, though it would be a good excuse to a) use .onions for more things to confuse our enemies b) Be able to profile a .onion tor instance under heavy load).

Should we have a FAQ page (suitably localized) that isn't our (kind of out of date) FAQ dedicated to common browser questions included as an internal resource? (Like a user manual, as Lunar pointed out)

comment:24 Changed 4 years ago by gk

Keywords: TorBrowserTeam201511 added

comment:25 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201510R removed

comment:26 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201512 added; TorBrowserTeam201511 removed

comment:27 Changed 4 years ago by gk

Keywords: TorBrowserTeam201601 added; TorBrowserTeam201512 removed

Tickets for Jan 2016.

comment:28 Changed 4 years ago by gk

Keywords: TorBrowserTeam201602 added; TorBrowserTeam201601 removed
Severity: Normal

comment:29 Changed 4 years ago by sajolida

Cc: sajolida@… added

comment:30 Changed 4 years ago by Spencer

Cc: Spencer added

comment:31 Changed 4 years ago by Spencer

Hi,

Been following the entry guard and circuit visualization work for some time and would like to share some thoughts.

People often come to me confused that the first Tor node in the circuit was always (often) the same, as well. However, their intention is to change that.

getting the UX right is a non-trivial thing

Not true. People expect the circuit path to change, so let them change it at will, through the interface.

Like a “Change Guard” button?

This is a wonderful resolution, and resolves issues with another related topic, persistent vs non-persistent guards, that is best resolved here up-stream.

Forcing a new guard is bad .. such feature would do more harm than good

It is unclear how being able to control the separation of identities is a bad thing.

Location correlation is a real issue.

patch avoids the confusion described in this ticket

It feels like the goal is to resolve, not avoid.

There should be an easy way for users to determine their guard node.

The circuit visualizer (:

Controlling it from here could be useful, too.

hard to tell the user that there is something to hover in the first place

Discoverability is quite underusable.

(?)

This is very unclear.

most people who ask why .. are not going to click an extra link to learn more

Not true. If the text is more descriptive than 'Learn More', then people who want to know more about circuits have a quick link to do so.

'Learn about Tor circuit selection' or something short but sweet could work quite well.

A short text message that shows up when hovering over a (?)

The strings currently consist of a bullet, a descriptor, and an IP address. Adding a (?) and some resulting text, even on hover, becomes quite cluttery.

The 'Learn More' context of one clear link seems like the most suitable resolution, given the stated concerns, though a more verbose descriptor is needed.

I don't like the “Learn more” approach as it's quite far from the Guard itself

It isn't about learning about the individual guards as much as it is about understanding the intended functionality of the circuit; why is the first node staying the same, or, how do exits work, for example.

How can the interface inherently educate about these things.

send people to a new page just for a short message

This seems like the biggest issue with a link.

Overall, the guard selection algorithm is fine but the theoretical equation (c/n)2 ignores that if the entry guard is malicious then it becomes more harmful than having one or two connections deanonymized.

Easy access to both the information and the ability to control the experience is valuable.

comment:32 Changed 4 years ago by gk

Keywords: TorBrowserTeam201603 added; TorBrowserTeam201602 removed

comment:33 Changed 3 years ago by dcf

Here are some blog comments by users confused by guards.

https://blog.torproject.org/blog/tor-browser-55a5-hardened-released#comment-144848
Is it normal or ok for Tor browser to maintain the same entry node all the time. I have noticed that my entry node has been persistently the same node (same ip address) no matter the time of day or if I request a new Tor server node. I find this troubling

https://blog.torproject.org/blog/tor-browser-551-released#comment-155538
Why do I connect using only the first node 88.198.9.16 !!! DEU!
This can not be changed either by restarting or change of identity.
Can I still trust?
Ver .: Tor-Browser 5.5.1

https://blog.torproject.org/blog/breaking-through-censorship-barriers-even-when-tor-blocked#comment-197050
Since I installed the latest TOR update i get always connected to the same entry server in sweden whose ip is 155.4.59.251. Why is it so?

I try to answer these questions by linking to https://www.torproject.org/docs/faq#EntryGuards, but IMO the FAQ does not explain the situation well.

comment:34 Changed 2 years ago by arma

Keywords: ux-team added

I'm adding the ux-team keyword here, so Linda et al can think about how best to teach users about guards. They only notice that it's an issue at all because of this circuit visualizer, and it confuses them to no end.

comment:35 Changed 2 years ago by arthuredelstein

One other possible solution to this ticket would be to add a tooltip to each node in the circuit diagram. (The tooltip for the guard node would explain that it usually doesn't change.) I imagine a ? symbol next to the node would be useful to suggest the availability of the tooltip.

comment:36 Changed 2 years ago by gk

Keywords: tbb-7.0-frequent added

comment:37 Changed 18 months ago by dmr

Cc: dmr added

comment:38 Changed 18 months ago by cypherpunks

Resolution: fixed
Status: needs_revisionclosed

Basically fixed in the work by Arthur in #24309.

Note: See TracTickets for help on using tickets.