#tor-meeting log

19:03:42 <asn> #startmeeting onion ux
19:03:42 <MeetBot> Meeting started Wed Dec 20 19:03:42 2017 UTC.  The chair is asn. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:03:42 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:03:58 <asn> what's up?
19:04:06 <isabela> so !
19:04:27 <isabela> i start organizing things on the google doc
19:04:35 <asn> do we have tjr: geko: ?
19:05:01 <isabela> i am not sure
19:05:08 * arthuredelstein is lurking. lurk lurk
19:05:13 <isabela> GeKo might be traveling
19:06:37 <asn> ok we got #23247 and #21952
19:06:50 <isabela> yes, so on the first one
19:06:53 <asn> wrt #21952, i posted a proposal on tor-dev
19:06:56 <isabela> i updated the google doc
19:07:06 <asn> based on feedback from tjr
19:07:19 <asn> but then received some very good feedback from geko which i havent addressed yet
19:07:20 <isabela> nice
19:07:39 <asn> (revised proposal: https://lists.torproject.org/pipermail/tor-dev/2017-December/012660.html)
19:08:13 <asn> here is the feedback from geko which i havent addressed: https://lists.torproject.org/pipermail/tor-dev/2017-December/012690.html
19:08:41 <asn> anyway and that's that for #21952
19:09:10 <isabela> ok
19:09:11 <asn> now for #23247
19:09:16 * antonela is reading
19:09:18 <isabela> so we can pick it up next year
19:09:27 <isabela> yes
19:09:29 <isabela> for that
19:09:46 <isabela> https://docs.google.com/document/d/1KHkj2DpmFMB0mjHEfehD5ztY2L0lQzKNtZqct1TXbmg/edit
19:10:14 <isabela> so i start to organize things at this doc
19:10:54 <isabela> mixed content still something complicated
19:11:17 <isabela> but i am going towards the .onion should be green because is better than just accessing http
19:11:47 <asn> aha
19:11:49 <isabela> added some copies that are just to show, not final of course
19:11:52 <asn> based on https://trac.torproject.org/projects/tor/ticket/23247#comment:25
19:11:57 <asn> it says "Another vote, separate from that discussion, was a very strong 'no positive indicator for .onion'
19:11:57 <asn> "
19:13:00 <asn> not sure what tjr has to say about that
19:13:06 <isabela> yeah
19:13:37 <asn> interesting that "
19:13:37 <asn> Onion with Self-Signed HTTPS
19:13:40 <asn> ehm
19:13:50 <asn> interesting that "onion with self-signed https" looks more sketchy than "onion with http"
19:13:59 <asn> on ur spreadsheet
19:15:16 <arthuredelstein> seems like you could just make that look the same as onion with http
19:15:53 <isabela> i thought of it but then i thought also that in this case, where the certificate would return it could also means a bad certificate
19:16:58 <isabela> like being intercepted or something
19:17:06 <isabela> i am not sure either i can be wrong
19:17:22 <asn> isabela: didnt get the logic
19:17:23 <isabela> if you think should be changed we should do it then
19:17:36 <asn> can you reexplain?
19:18:00 <isabela> asn: for instance on brave with a self signed certificate they say is insecure because of the certificate 'being bad'
19:18:11 <isabela> or the risk of it
19:18:36 <asn> personally i dont see much use for a self-signed https cert, so i'm ok with discouraging it
19:18:38 <isabela> because is self signed so that can be someone trying to intercept things
19:18:43 <asn> true
19:19:07 <asn> but in this case the interceptor can just setup an "onion with http" to get a nicer onion icon
19:19:52 <asn> but anyway
19:20:00 <asn> perhaps we should wait for tjr and geko to tell us their insights from all hands
19:20:03 <arthuredelstein> Perhaps that is actually nicer. Using a self-signed cert is a cause for slight concern.
19:20:11 <isabela> i was at the all hands
19:20:19 <asn> isabela: true
19:20:22 <isabela> but i am not sure what other insights came from it
19:20:24 <asn> they seem to have some relevant discussions tho
19:20:30 <asn> based on comment:25
19:20:34 <isabela> or wasnt on this conversation he mentioned
19:20:42 <isabela> i spoke with design on it
19:20:48 <isabela> they are not removing padlocks but making them nicer
19:20:59 <asn> ah
19:21:00 <isabela> with rounded corners etc so those are old version of it
19:21:04 <asn> ha nice
19:21:06 <asn> ack
19:21:08 <asn> anywa
19:21:10 <asn> anyway
19:21:25 <asn> im personally fine with all the suggested stuff on the spreadsheet, also with the self-signed https one. i dont have strong opinion on that.
19:21:41 <asn> tjr's comment on "no positive indiicator" might be worth learning more about
19:21:54 <asn> but perhaps we are also overthinking
19:22:00 <isabela> yeah, i dont know what conversations was that
19:22:20 <isabela> well
19:22:37 <isabela> i think that whatever we decide here we will want to do test
19:23:23 <asn> aha
19:23:30 <antonela> isabela: +1
19:23:35 <asn> test how?
19:23:39 <asn> roll it out on an tbb alpha?
19:23:41 <isabela> user reserach
19:24:00 <isabela> i think we can launch it and continue working on top of it
19:24:20 <isabela> i think right now there is nothing there explaining the real state of a .onion
19:24:24 <asn> right
19:25:00 <isabela> is ok to have it out and do research and iterate on the top of it
19:25:11 <isabela> look how browsers have iterate with it so far
19:25:20 <isabela> i also met the user research person focus on privacy stuff
19:25:48 <isabela> and i think we can exchange ideas on how to conduct these tests
19:25:58 <asn> ahja
19:26:07 <isabela> i was showing them we are planing to do this with .onion states
19:26:18 <asn> i currently have no idea how to do this iterated user research thing
19:26:25 <asn> but it sounds interesting
19:26:30 <antonela> yes it is!
19:26:42 <isabela> yes
19:27:06 <tjr> sorry I am here now
19:27:08 <isabela> asn: our goal is to always do it with all our work or user facing things we build or change
19:27:11 <tjr> Let me read backscroll
19:27:36 <isabela> tjr: o/
19:27:44 <asn> tjr: yoo
19:28:53 <tjr> okay so as far as no positive indicator goes, that I think is the long term hope/plan for HTTPS indicators in general.
19:29:03 <tjr> HTTPS with a DV cert gets no indicator at all
19:29:15 <tjr> HTTP gets a Red Negative Insecure Indicator
19:29:18 <tjr> (Who knows about EV)
19:29:23 <asn> interesitng
19:29:33 <tjr> But it doesn't answer the question "What should TB do now"
19:30:11 <asn> perhaps we can do our planned thing, and adapt if/when we learn that this "no positive indicator" future is a good one?
19:30:24 <tjr> Yea.
19:30:42 <tjr> But what's the planned thing? Did you decide what to do about HTTP/HTTPS self-signed onion?
19:31:05 <asn> https://docs.google.com/document/d/1KHkj2DpmFMB0mjHEfehD5ztY2L0lQzKNtZqct1TXbmg/edit
19:31:22 <asn> isa's current suggestion is green onion for http, green onion with notification for self-signed
19:31:29 <asn> sounds good to me
19:31:57 <tjr> Sure
19:31:58 <asn> most things sound good to me at this stage
19:32:04 <tjr> Yea, ditto that
19:33:31 <isabela> ok, so maybe we catch up with tb team on this next year when they are back from holiday stuff
19:33:39 <asn> aight
19:33:40 <isabela> i plan on having a big sync with TB team on this and other ux work we are doing
19:33:45 <asn> ok great
19:33:49 <asn> should we write them a summary email?
19:33:49 <isabela> so i might just add it to the list
19:33:52 <asn> or just wait for u to synch up with them?
19:34:29 <isabela> i will organize the info about this ticket with the others we will be covering at that meeting
19:35:11 <isabela> the goal is to coordinate stuff, since the work on our side needs to be done for them to implement, and once is implemented we need to organize the user testing etc w it
19:35:22 <asn> ack
19:35:29 <asn> and i will also update #21952 based on geko's comment
19:35:38 <isabela> great
19:36:07 <isabela> i think another sync with you and tjr (if available) would be helpful to review some of the copy i still need to write
19:36:19 <isabela> like the stuff i start adding a the description column
19:36:20 <tjr> I won't be around until Jan 3rd ish, sorry
19:36:30 <isabela> yeah, i meant next year
19:37:02 <asn> sounds good
19:37:32 <asn> aight i think we done here then!!
19:37:36 <asn> scary we are talking about next year
19:37:41 <asn> but it's in 11 days so i guess that makes sense
19:37:48 <asn> :)
19:38:11 <isabela> hehe
19:39:15 <asn> ok
19:39:21 <asn> closing this!!!
19:39:23 <asn> #endmeeting