Reduce number of security slider states from 4 to 3 (proposed)

Something we talked about at the Seattle meeting is the possibility of having only 3 allowed security slider states: Low, Medium and High. We would migrate users at Medium-Low to Medium-High and rename the latter to Medium. It seems such a change would improve usability and security. Also I think the current Medium-High is probably the best compromise for most users who are sophisticated enough to adjust the security slider.

Discuss! :)

added TorBrowserTeam201611R component::applications/tor browser owner::tbb-team priority::medium resolution::fixed severity::normal status::closed tbb-security-slider type::defect labels

Also, it might be good to figure this out soon given that Amogh is porting the security slider to Android.

Trac:
Cc: N/A to amoghbl1

I think this is a good idea. I am not sure yet, though, whether we should put that on our October plate given all the loose ends with our SponsorU funding. But it could be something for Tor Browser 6.5. Adapting the code for just 3 settings for Android should not be that hard.

I also believe that reducing the choices from four to three makes sense in terms of usability. Looking at what is different between Medium-Low and Medium-High, the only setting that I am a little worried about is javascript.options.baselinejit.content = false. I don't know if that reduces JS performance enough that users will dislike Medium-High.

I think it's a good idea as the only difference between Medium-Low and Medium-High is that Medium-Low disables some JS performance optimizations (ION JIT, Type Inference, ASM.JS) while Medium-High disables all js optimizations (..., Baseline JIT) in addition to all js on non-https sites by default and SVG OpenType font rendering.

The differences with Low would then be that Medium makes html5 media click-to-play, disables MathML and blocking JAR files (which there's another ticket open discussing dropping the option from the slider, enabling it by default).

As for the performance question mcs brought up: I have Baseline JIT disabled and I don't notice it being slower but that is just my subjective experience. I find it does not matter too much because network performance through tor tends to be the biggest variable.

Trac:
Username: fem

Replying to arthuredelstein:

Something we talked about at the Seattle meeting is the possibility of having only 3 allowed security slider states: Low, Medium and High. Lo-Mid-Hi, let's make security as easy as consumer-grade electronics :) (No, it will never be as easy, it's just a false sense of security.) We would migrate users at Medium-Low to Medium-High and rename the latter to Medium. It seems such a change would improve usability and security. Usability - by removing two-word names :), security - by removing one JS-MitM-enabled position, and privacy - by reducing fingerprinting. Also I think the current Medium-High is probably the best compromise for most users who are sophisticated enough to adjust the security slider. You think correctly, but it shows that TBB is still a compromise :(. Every higher setting should include everything from previous (including flexibility) and shouldn't degrade in security options (I'll file separate tickets for those issues). Discuss! :) The other teams prohibit to use bugtracker for discussions, but TBB Team encourages :) (It's good when no forum, but could be bad when no moderation.)

Replying to bugzilla:

Also I think the current Medium-High is probably the best compromise for most users who are sophisticated enough to adjust the security slider. You think correctly, but it shows that TBB is still a compromise :(. There is an inherent tension between security and usability in any browser -- a compromise is unavoidable. The slider is there to give the user some choice in the compromise they wish to make. If there were no tension, there would be no slider.

Replying to arthuredelstein:

Replying to bugzilla:

Also I think the current Medium-High is probably the best compromise for most users who are sophisticated enough to adjust the security slider. You think correctly, but it shows that TBB is still a compromise :(. There is an inherent tension between security and usability in any browser -- a compromise is unavoidable. The slider is there to give the user some choice in the compromise they wish to make. If there were no tension, there would be no slider. Compromise is that the user wants to set High, but has to use Medium-High, because of e.g. #20314 (moved) and #17637 (moved).

Here's a patch for review: https://github.com/arthuredelstein/torbutton/commit/20264

It depends on the patch proposed for #20347 (moved).

Trac:
Keywords: N/A deleted, TorBrowserTeam201610R added
Status: new to needs_review

Here's a new version of the patch, rebased onto my 20347+1 patch: ​https://github.com/arthuredelstein/torbutton/commit/20264+1

Kathy and I reviewed the 20264+1 patch and it looks okay to us (of course gk should also review it because it would be bad to ship a a buggy security slider).

Moving review tickets to November.

Trac:
Keywords: TorBrowserTeam201610R deleted, TorBrowserTeam201611R added

Looks good to me. boklm, our slider tests need to get updated I think.

Trac:
Cc: amoghbl1 to amoghbl1, boklm
Status: needs_review to closed
Resolution: N/A to fixed

I created #20626 (moved) for the tests update.

closed

mentioned in issue #20626 (moved)

mentioned in issue tpo/applications/tor-browser-bundle-testsuite#20626 (closed)

moved to tpo/applications/tor-browser#20264 (closed)