Reword Tor-specific download dialog box

When a user attempts to download a file with TBB, she will get a Tor-specific dialog box telling her that an external application is needed to handle the file and that such applications are not Tor safe by default. The user is then presented with two choices: to cancel or to launch the application.

The message is somewhat confusing and does not clarify that "launch application" really means "open the save file dialog that I am used to see". We should consider rewording this to something more user-friendly.

added MikePerry201404 component::torbrowserbutton owner::mikeperry points::2 priority::high resolution::fixed status::closed tbb-helpdesk-frequent tbb-usability type::enhancement labels

I agree this would be very useful.

The ideal case would be to pop up the warning after the user clicks 'run' (i.e. after the "do you want to save or run it" question), but apparently that's really hard to make Firefox do.

The current text reads:

Load external content?

An external application is needed to handle:

NOTE: External applications are NOT Tor safe by default and can unmask you!

If this file is untrusted, you should either save it to view while offline 
or in a VM, or consider using a transparent Tor proxy like Tails LiveCD 
or torsocks.

Launch application	
Cancel
Always launch applications from now on

How about the following:

Download this file?

The Tor Browser Bundle is not able to handle this file. You will need 
to download it and open it with another application. 

You should be very careful when downloading files via Tor as these 
files can contain Internet resources that will be downloaded outside 
of Tor when you open them. This will reveal your real IP address.

If you do want to download this file, it is recommended that you use 
the Tails liveCD while doing so. See https://tails.boum.org/ for more 
information.

Download file
Cancel
Always download files from now on

Trac:
Cc: N/A to runa

I think that sounds better. I have two small suggestions (in bold) below since the pure act of downloading is no problem.

Download this file?

The Tor Browser Bundle is not able to handle this file. You will need to download it and open it with another application.

You should be very careful when downloading and opening files outside the Tor Browser Bundle as these files can contain Internet resources that could reveal your real IP address.

If you do want to download this file, it is recommended that you use the Tails liveCD while doing so. See https://tails.boum.org/ for more information.

Download file Cancel Always download files from now on

What about?

Download this file?

The Tor Browser Bundle is not able to handle this file. You will need 
to download it and open it with another application. 

You should be very careful when downloading and opening files outside
the Tor Browser Bundle as these files can contain Internet resources
that will be downloaded outside  of Tor when you open them. This will
reveal your real IP address, thus be non-anonymous.

If you do want to download this file, it is recommended that you either
view it offline in a VM, use a transparent Tor proxy or a Tor Live CD,
such as [Tails](https://tails.boum.org/) while doing so.

Download file | Cancel | Always download files from now on

Trac:
Cc: runa to runa, adrelanos@riseup.net
Status: new to needs_review

Unfortunately the Firefox APIs we use to block external application launch do not allow us to easily differentiate between launch and download.

Maybe this situation has improved in FF24-ESR, or maybe we need to write a new API.

Trac:
Status: needs_review to new
Priority: normal to major

We should in any case fix the message to tell the user what's going on -- that should be doable before any new API and would help a lot of the user support requests.

Brought up yet again on https://blog.torproject.org/blog/pluggable-transports-bundles-2418-rc-1-pt1-and-2418-rc-2-pt1-firefox-17011esr#comment-39893 and the thread underneath it

Dupped #10482 (closed) to this. The text fix here can be something like https://trac.torproject.org/projects/tor/ticket/9901#comment:74.

See #9973 (closed) for some input.

Trac:
Cc: runa, adrelanos@riseup.net to runa, adrelanos@riseup.net, gk

Brought up again by #11012 (closed).

Trac:
Cc: runa, adrelanos@riseup.net, gk to runa, adrelanos@riseup.net, gk, mttp

In #11012 (closed), it was also mentioned that this is a frequently encountered helpdesk question.

Trac:
Keywords: N/A deleted, tbb-helpdesk-frequent added

Are people happy with proper's suggested text? It is a bit long, but I think it captures all the issues in terms of the risk for the user. Will people understand it? Will it still cause trouble for people who hit that text when downloading a TBB update?

I'm fine with the proposed text, and I think it should be used. If users are still confused by the new text, I'm sure they will let us know on the help desk, and we can continue improving as needed.

With the old text, users think they are being asked to install a download manager, and wonder "isn't that unsafe?"

Will the new text be included in the next stable or the beta?

To make it shorter:

Download this file?

The Tor Browser cannot open this file. To view it, you will need to
download it and open it with another application.

Opening files may de-anonymize you by connecting to the Internet
without using Tor, thus revealing your real IP address.

To view this file, you should do so offline in a virtual machine.

Download file | Cancel | Always download files from now on

Trac:
Keywords: N/A deleted, MikePerry201404R added

Trac:

New download dialog text (Linux version)

Ok, see the attached screenshot for what I went with: https://trac.torproject.org/projects/tor/attachment/ticket/7439/Download.jpg

That screenshot is for Linux, and the Mac dialog will be similar. On Windows, the window titlebar text will read "Download an external file type?"

This new text will appear in the next 3.6 release, unless someone has a better suggestion.

Trac:
Status: new to closed
Resolution: N/A to fixed
Points: N/A to 2
Keywords: MikePerry201404R deleted, MikePerry201404 added

closed

changed time estimate to 16h

mentioned in issue #9901 (closed)

mentioned in issue #9973 (closed)

mentioned in issue #10482 (closed)

mentioned in issue #11012 (closed)