Tails

#6 Updated by intrigeri 2019-01-23 11:10:23

I think this needs a new pref + some code to take it into account, both in upstream Tor Launcher.

#8 Updated by intrigeri 2019-08-25 07:17:40

@sajolida, this conflicts with our first iteration of https://tails.boum.org/blueprint/network_connection/, no? Once we display Tor Launcher to everybody, we will need that first screen.

#10 Updated by intrigeri 2019-08-27 20:07:56

> Good catch!

:)

> Though displaying Tor Launcher by default might only make worse the problem of having the focus on the “Enter” button by default.

This conclusion was not obvious to me, so I went to the drawing board.

As far as I understand the problem and the ticket description, there are two main things at stake here:

• A. Trying to connect to Tor in a way that won’t work, and then it fails.
  • Mistakes have no security impact on user safety.
  • To be given the opportunity to solve the problem, one can either restart Tails (currently + in iteration 1), or reconnect to the network (and see Tor Launcher again; only in iteration 1) ⇒ iteration 1 improves things here, right?
• B. Connecting to Tor in a way that does not hide the fact one is using Tor, while the user needs to hide this fact.
  • Mistakes have serious security impact on user safety.
  • No mitigation is available apart of making a run for it.

In both cases:

• Currently, one needs to make 1 single mistake for this to happen, but they have 2 opportunities for that: either forget to select the necessary option in the Greeter, or do that but later, press Enter in Tor Launcher.
• In the 1st iteration as-is, one still needs to make only 1 mistake (in Tor Launcher). But there’s only 1 opportunity for a mistake, so the risk is lower ⇒ improvement.

So to me, it seems that the 1st iteration as-is already gives us small improvements on this topic.

> Could we add to our iteration #1 to prevent the bridge configuration if the user presses “Enter” by mistake?

I don’t understand what you mean with “prevent the bridge configuration” here. Did you mean “display”, or similar?

> A solution could be to put the focus on the “Config” button by default instead.

This would indeed make it much harder to hit the aforementioned problematic situations.
I don’t like it much though, because:

• Users of Tor Browser are used to “Enter” being focused by default. Consistency put aside, if we train Tails users that they can press “Enter” to configure (possibly obfuscated) bridges, then we put them at risk when they use Tor Browser.
• It requires one necessary action for everyone who can directly connect to Tor. I suspect that’s the vast majority of our current users, if not of our prospective users (thankfully, Tails is useful and relevant in many situations where one can connect to Tor directly).
• Problem (A) has no security impact and can be solved in several manners by the user (while currently, the only way is to reboot IIRC).
• Problem (B) matters but it’s not clear to me that Tails should optimize for this use case, if that means making it more painful for those who can connect directly to Tor.
• Iteration 2 will further improve the situation for problems A and B, and in a nicer way (except for the first few boots). And then, the drawbacks of focusing the “Config” button by default will outweigh the advantages. But we’ll be stuck with it, because reverting such a change puts users at risk, after we’ve trained them to press “Enter” to not connect to Tor directly.

So at this point, I think I would reject this ticket in favour of iterations 1 and 2.

#11 Updated by sajolida 2019-08-28 08:44:14

> So to me, it seems that the 1st iteration as-is already gives us small improvements on this topic.

Indeed!

>> Could we add to our iteration #1 to prevent the bridge configuration if the user presses “Enter” by mistake?
>
> I don’t understand what you mean with “prevent the bridge configuration” here. Did you mean “display”, or similar?

Looks like my sentence is broken. Forget it.

> So at this point, I think I would reject this ticket in favour of iterations 1 and 2.

Ok!