15:01:52 #startmeeting Tor Browser Weekly Meeting $2022-08-22 15:01:52 Meeting started Mon Aug 22 15:01:52 2022 UTC. The chair is donuts. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:52 Useful Commands: #action #agreed #help #info #idea #link #topic. 15:01:55 did I do that right 15:02:02 pad is here: https://pad.riseup.net/p/tor-tbb-keep 15:02:10 LGTM 15:02:14 please add any items you'd like to discuss to the agenda :) 15:02:21 LGTM but not sure about that dollar sign ;) 15:02:29 it's free money anarcat 15:02:39 also hey hey Jeremy_Rand_36C3[m], I'll check it out! 15:02:42 woot 15:02:46 donuts: but is that libre money or gratis money? 15:03:13 depends on your belief system maybe :D 15:03:28 Schrodinger's Money 15:03:49 Okay let's take a couple of mins to add our status updates, unless everyone's already done 15:04:20 * ma1 studying MeetBot docs in the meanwhile :) 15:04:47 I never use the date function for UX team meetings lol 15:04:55 in fact, I didn't even know it existed until recently 15:05:04 our logs are probably a mess, idk 15:07:50 I'm done with my status updates, please sound off when you're ready too and I'll move on with the meeting 15:08:00 I'm ready 15:08:03 ready 15:08:16 Remember to check your board (https://gitlab.torproject.org/groups/tpo/applications/-/boards filtered by username) and be sure it reflects what you are working on. 15:08:22 * Jeremy_Rand_36C3[m] filled out my info 10 minutes early, which is out of character for me 15:08:25 done 15:08:59 great 15:09:05 * donuts checks the pad for bold items 15:09:05 done 15:09:37 msim: looks like you have the only item in bold :) 15:09:58 it looks like an old one 15:10:03 oh so it is, nvm 15:10:10 * donuts unbolds 15:10:33 over to you then Jeremy_Rand_36C3[m] 15:10:39 ok, so 15:11:31 One of the two users I noticed who was confused about the warning was one of my co-workers, who is very technically proficient, including about Tor, and even he couldn't understand what the warning was about, what triggered it, and what the correct course of action was 15:11:56 Then you have a less sophisticated user who thought the warning meant he was already pwned and panicked 15:12:26 I was hoping the UX Team might be able to evaluate how this warning can be better presented so that users don't get confused or make bad decisions when they see it 15:12:46 yep, for sure – we can also do a little usability testing for further feedback as well 15:12:48 To be clear I haven't been closely watching #tor, those are just the two cases I noticed in passing 15:13:07 what's the plant/timeline for making the UX "native" in Tor Browser ma1? Have you discussed that with richard? 15:13:20 that would be a natural point to review and iterate on it 15:13:27 *plan 15:13:28 not plant 15:13:58 donuts: no timeline yet, but evaluating it in the scope of the Security Level refactory 15:14:08 s/y/ing 15:14:16 o/ 15:14:21 o/ 15:14:31 o/ 15:14:35 ma1: got it 15:14:40 A wild Richard appears! 15:14:44 welcome richard o/ 15:15:04 phone alarms work much better when your phone doesn't die in the night it turns out 15:15:05 :p 15:15:19 Anyway yeah just wanted to make sure this is on UX Team's radar :) 15:15:28 richard: we're just discussing the NoScript warnings UX, Jeremy_Rand_36C3[m] had mentioned some user confusion about them 15:15:36 donuts, the alternative would be anonymizing every "dangerous" request without warnings (like Leakuidator+ does): less scary but much more room for breaking stuff blindly and silently. 15:15:54 richard: I just asked ma1 what the plan was for making the UX 'native' in Tor Browser since that seemed like a natural point to review the UX 15:16:00 should I repeat my IRC comments from a few minutes ago for richard ? 15:16:13 yes please :) 15:16:29 maybe we could get started on that ticket from a design and usability testing pov straight away anyway, and maybe carry across any of the recommendations to NoScript in the interim 15:16:34 One of the two users I noticed who was confused about the warning was one of my co-workers, who is very technically proficient, including about Tor, and even he couldn't understand what the warning was about, what triggered it, and what the correct course of action was 15:16:38 Then you have a less sophisticated user who thought the warning meant he was already pwned and panicked 15:16:41 I was hoping the UX Team might be able to evaluate how this warning can be better presented so that users don't get confused or make bad decisions when they see it 15:16:47 (that's all I said I think) 15:16:50 donuts: I tend to believe the wording/framing and the blocking/non blocking approach is more critical to user confusion than the actual implementation details. 15:17:16 ma1: yeah, maybe with some kind of passive notification like "Tor Browser has just blocked xyz. Yadda yadda reload and enable it instead" 15:17:17 To be clear I haven't been closely watching #tor, those are just the two cases I noticed in passing 15:17:21 (forgot that message) 15:17:39 ma1: we can rapidly test various options with Figma prototypes too 15:17:51 finding the right wording for stuff is a good use of that testing format 15:18:10 donuts: we should evaluate if this approach introduces some other linkability occasions 15:18:13 And yeah, agreed that the wording/framing seems to be where the confusion is happening here 15:18:28 But, 15:18:38 pierov: can you explain that a little more to me please? 15:18:45 The frequency of the warnings is causing user fatigue, which is not the same thing as confusion but is still very bad 15:19:29 maybe anonymizing every request by default, with an option to not do it on some page? or would it break to many things by default? 15:19:39 How long are exceptions (i.e. overriding the warning) granted for? are they per session? 15:19:50 donuts, yes, per session. 15:19:54 got it 15:20:09 boklm: so far I've only encountered one case where I decided to allow the request; probably 50 or more cases where I rejected 15:20:48 boklm, that's the "alternative" I was talking about. My fear is for you to break SSO / 3rd party authorization / online payment flows. 15:20:52 So I think anonymizing by default, and showing a notification that the user might want to reload if it's broken, will probably improve fatigue a lot 15:21:04 donuts: we should see if there are some cases for which loading with every details already available could be desirable 15:21:35 I don't know what happens if SSO sites get reloaded after a failure 15:21:35 Jeremy_Rand_36C3[m], maybe, like "Something looks wrong in this page? Click here to learn how to fix it". 15:21:41 also, doing so might break some site, for example if the page used a nonce or some other token to be used once 15:21:45 is there a way we can maintain a longer-term list of exceptions, rather than per session? 15:22:01 donuts: I suspect a long-term exception list is a fingerprinting vector 15:22:22 and a disk-leak 15:22:24 donuts, yes we can, but I think it goes against our threat model (see Jeremy_Rand_36C3[m]'s comment above) 15:22:26 yeah 15:22:28 makes sense 15:22:42 ma1: as long as the "how to fix it" explanation makes it clear that this does entail some privacy risk, I think that approach is fine 15:23:17 Or at least, it would be intuitive for me. I am not a typical user and I am not good at thinking like one. 15:23:57 IIRC we already do that for canvas usage? 15:24:39 I don't use canvas very often, but when I do, I like having the browser tell me that it blocked canvas and that I can easily click something to enable it 15:24:47 Copying that UX seems sane to me 15:24:54 So are we considering anonymizing every request, warning with a banner that links to some kind of full-page thing? i.e. a neterror screen? 15:25:04 Jeremy_Rand_36C3[m]: yeah that's what I was thinking of 15:25:25 Jeremy_Rand_36C3[m], you said you authorized just once, but it seems the most puzzling part for users who didn't read the fine print was following a link to github or stackexchange from Google (which you would never want to "share information" with the destination), and be suprised at being logged out. 15:26:29 donuts, a net:error page would not fix the warning fatigue while likely breaking the legitimate use cases. 15:26:34 donuts: I'm not convinced the explanation needs to fill the whole page; I don't think the canvas explanation does. Probably a small pop-up tab or something could do it, maybe with a link to a full-page supplementary doc for the kind of people who read the dictionary for fun 15:27:33 ma1: ok, so I would not notice a Google to GitHub transition because I use separate VM's for each site I'm logged into, so the only login-based transitions I see are SSO (IIRC the one I hit was when Uber Eats redirected me to the main Uber site) 15:27:51 Jeremy_Rand_36C3[m]: right, it doesn't have to be a net:error but some kind of secondary screen with more info is probably necessary 15:28:07 b/c the banner itself is very lean 15:28:27 donuts: yeah some kind of secondary screen with more details seems reasonable to me 15:29:07 what actions are currently available to the user in the noscript warning ma1? Are they just allow vs don't allow? 15:29:56 It's "Load anonymously", "Load normally" or implicitly block by using the Cancel button. 15:30:21 Cool, I'll create a ticket to review the UX and will loop you in :) 15:30:22 Choosing either of the two loads remembers the action for source and target domani pair. 15:30:31 donuts, great 15:31:39 are you currently working on the security level refactoring? 15:31:42 second that. My only concern still remain non-repeatable transactions, but it's quite teorethical (it mostly depends on the resilience of the merchant/payment workflow). Maybe we could keep the on the fly warning as an option and enable it back with better wording if critical stuff gets actually broken in the wild. 15:32:23 donuts, I'm in the exploratory phase. At this moment I'm deeply focused at getting my Android-fu up to speed. 15:32:31 aha okay great 15:32:49 (I've found recently that all the extensions are broken on Android) 15:33:21 The bundled ones never get updated, and the other ones (e.g. uBlock) just cannot work because they're not enabled in private browsing. 15:33:41 ooft, I just saw the ticket :/ 15:33:42 So I'm trying to fix this ASAP: 15:33:51 sounds good, ty! 15:34:38 Okay, anything else anyone wants to discuss this week? 15:34:44 Or shall i release the bot? 15:34:47 Yep 15:35:05 About the reproducible builds event in Venice 15:35:20 boklm and me are thinking of going there 15:35:27 It's Nov 1-3 15:35:43 oh yes, I skipped the announcements section – exciting :D 15:35:52 https://lists.reproducible-builds.org/pipermail/rb-general/2022-July/002666.html 15:36:03 https://reproducible-builds.org/events/venice2022/ 15:36:04 nice location 15:36:05 PieroV / boklm : I'd expect some of the Bitcoin Core guys to be there, maybe Carl Dong. If you run into them, you should talk to them about build-arch-agnostic reproducible builds 15:36:13 They just got that working in Bitcoin Core circa last week 15:36:15 donuts: actually it's in Mestre, not in Venice 15:36:30 pierov: aha that makes more sense 15:36:41 the "poor man" Venice 15:36:44 lol 15:36:51 Like, they build Bitcoin Core for all supported platforms on an x86 machine, and then they do the same build on an ARM machine, and all the hashes match 15:36:52 venice2 15:37:07 wow 15:37:15 the mainland part of Venice 15:37:39 Jeremy_Rand_36C3[m]: ack 15:39:11 remember and grab some extra stickers etc. in Ireland so you can give them away in not-venice :D 15:39:21 ah, good idea 15:39:23 Erin usually takes a bunch in case you're running low 15:39:39 I have only my personal stickers, lol 15:39:50 also we have new fliers to replace the old relay ops ones 15:40:01 that detail the ways folks can contribute voluntarily 15:40:34 such as QA lol 15:41:34 right I think we're done for real this time 15:41:40 have a great week everyone! 15:41:45 thanks! 15:41:46 Thanks! Same to everyone 15:41:53 bot, i release thee 15:41:54 #endmeeting