Changes between Version 1 and Version 2 of org/meetings/2017Amsterdam/Notes/SecuritySliderUsability


Ignore:
Timestamp:
Mar 29, 2017, 3:07:26 PM (3 years ago)
Author:
mcs
Comment:

improved formatting; added link to ticket #21034.

Legend:

Unmodified
Added
Removed
Modified
  • org/meetings/2017Amsterdam/Notes/SecuritySliderUsability

    v1 v2  
    1 Session: Usability for Tor Browser Security Slider (Linda and intrigeri)
     1== Session: Usability for Tor Browser Security Slider (Linda and intrigeri) ==
    22
    33Two main problems with the security slider:
    4 - problem 1: the settings are global (i.e. you can't set it specifically
    5 for certain websites) and hard to access (it's burdensome to change it
    6 to high/low for specific websites).
    7 - problem 2: people don't know what was blocked on purpose. (the things
    8 that are blocked or "broken" by the security slider do not indicate that
    9 they were blocked on purpose)
     4- Problem 1: the settings are global (i.e. you can't set it specifically for certain websites) and hard to access (it's burdensome to change it to high/low for specific websites).
     5- Problem 2: people don't know what was blocked on purpose. (the things that are blocked or "broken" by the security slider do not indicate that they were blocked on purpose)
    106
    117Solutions:
    12 - solution 1.1: make the slider on the web address bar (or somewhere
    13 else) so that people can easily toggle it as they go to website > need
    14 to make room on the address bar, which may require changes to firefox.
    15 It's hugely difficult technically to have 3 different types in 3
    16 different settings concurrently with the mechanism that we have.
    17 - solution 1.2: a whitelist of sites, or a list of sites and mapping to
    18 security settings. > this can be done easily and would allow for
    19 different tabs in different security settings, but this list of websites
    20 to settings might be fingerprintable. we would also keep track of users
    21 by which websites they visit. We could let users choose their own
    22 websites and settings (which would mean a form of history stored for
    23 them), or choose a whitelist that people can opt into (everyone would
    24 look the same, then).
    25 - solution 2.1: make a dummy website that shows a sample site on the
    26 various security settings to educate users > need to build a website and
    27 learn how to educate people properly. We would need to identify what is
    28 the most common things that are broken by tor settings.
    29 - solution 2.2: add indicators to things that are blocked by the slider
    30 >  the slider doesn't block anything directly, but just sets settings
    31 that does (like make NoScript do it for us)… so additional logic to
    32 detect when things are blocked because of the settings.
     8- Solution 1.1: make the slider on the web address bar (or somewhere else) so that people can easily toggle it as they go to website. Need to make room on the address bar, which may require changes to firefox. It's hugely difficult technically to have 3 different types in 3 different settings concurrently with the mechanism that we have.
     9- Solution 1.2: a whitelist of sites, or a list of sites and mapping to security settings. This can be done easily and would allow for different tabs in different security settings, but this list of websites to settings might be fingerprintable. we would also keep track of users by which websites they visit. We could let users choose their own websites and settings (which would mean a form of history stored for them), or choose a whitelist that people can opt into (everyone would look the same, then).
     10- Solution 2.1: make a dummy website that shows a sample site on the various security settings to educate users. Need to build a website and learn how to educate people properly. We would need to identify what is the most common things that are broken by tor settings.
     11- Solution 2.2: add indicators to things that are blocked by the slider. the slider doesn't block anything directly, but just sets settings that does (like make NoScript do it for us)… so additional logic to detect when things are blocked because of the settings.
    3312
    3413
    3514Some things we could do next:
    36 - make a UI change to put the slider in a place that is easy to find,
    37 and make the preferences global but easy to toggle.
    38 - pick an easy Firefox pref that is affected by a security slider
    39 setting, detect what things that breaks, and choose to give feedback to
    40 the users.
    41 - find out which pref, when disabled, breaks the most things that people
    42 care about.
     15- make a UI change to put the slider in a place that is easy to find, and make the preferences global but easy to toggle.
     16- pick an easy Firefox pref that is affected by a security slider setting, detect what things that breaks, and choose to give feedback to the users.
     17- find out which pref, when disabled, breaks the most things that people care about.
    4318
    4419UX things to think about:
    45 - would people be okay with us keeping a list of websites they visit and
    46 trust (i.e. websites on low)?
    47 - would people want to use a security slider every singe time they go to
    48 a website and toggle it?
    49 - who uses the security slider? Does the regular, non-technical
    50 population even want to use it? Maybe they don't!
    51 - if we were to have the global slider, where should we put it/what
    52 should we do to indicate that it affects all tabs?
    53 - when should we reload the tabs when the slider changes? (reload all
    54 pages when the settings change, on next click, etc.?)
    55 - should there be a default setting, and a button that makes a temporary
    56 change in settings? or a slider that changes the settings until you next
    57 toggle the slider?
    58 - should we have only two settings instead of three? some people are
    59 still confused.
     20- would people be okay with us keeping a list of websites they visit and trust (i.e. websites on low)?
     21- would people want to use a security slider every singe time they go to a website and toggle it?
     22- who uses the security slider? Does the regular, non-technical population even want to use it? Maybe they don't!
     23- if we were to have the global slider, where should we put it/what should we do to indicate that it affects all tabs?
     24- when should we reload the tabs when the slider changes? (reload all pages when the settings change, on next click, etc.?)
     25- should there be a default setting, and a button that makes a temporary change in settings? or a slider that changes the settings until you next toggle the slider?
     26- should we have only two settings instead of three? some people are still confused.
    6027
    61 Next step: Linda and the Tor Browser team to meet to talk about which of
    62 the possible improvements we should experiment with first.
     28Next step: Linda and the Tor Browser team to meet to talk about which of the possible improvements we should experiment with first.
    6329
     30See also: https://trac.torproject.org/projects/tor/ticket/21034