Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
Updated: 2020-06-13T17:09:50Z

Missing top-right links in blog
https://gitlab.torproject.org/legacy/trac/-/issues/22334
Updated: 2020-06-13T17:09:50Z
Author: teor

There are 9 links in the top right of https://www.torproject.org/ , and the new blog only has 2 in the top center left (and the blog link in the top right).
Did we deliberately remove:
* Documentation
* Press
* Contact
* Download
* Volunteer
I'd like to put Download back if we can, not sure about the other ones.

Assignee: Hiro

Make it more obvious how to report security related bugs
https://gitlab.torproject.org/legacy/trac/-/issues/22163
Updated: 2020-06-13T17:24:40Z
Author: Georg Koppen

We had a report about a bug reporter getting different (and partly) conflicting advice on how to report security sensitive bugs. The canonical way of doing so is mailing to tor-security@lists.torproject.org. However, that seems to be not found easily. We should change that on our website.

Assignee: Hiro

Research tasks (tor project website redesign)
https://gitlab.torproject.org/legacy/trac/-/issues/22120
Updated: 2020-06-13T17:24:38Z
Author: Linda Lee

This ticket groups together the work we did to prepare for designing torproject.org and its portals.

Assignee: Linda Lee

Wireframes for the landing pages of torproject.org portals
https://gitlab.torproject.org/legacy/trac/-/issues/22077
Updated: 2020-06-13T17:24:37Z
Author: Linda Lee

= Objective =
Design how to lay out the most important content for torproject.org, dev.torproject.org, support.torproject.org, and community.torproject.org.
= Definitions =
* wireframes are rough sketches that illustrate the general idea of the design. A wireframe lets you talk about content placement and layout while abstracting finer details such as font, color, styling, and other considerations.
* landing pages are the official terms for the "front page" of a website. If you visit torproject.org, the first page that you see is the landing page.
* portals refer to the different subsites mentioned above (dev, support, community)
# Methodology
Linda and Antonela will independently sketch their best first design of the four landing pages, limiting themselves to including only the content deemed important for the front page on #21950. They will compare their designs, talk about why they made the design choices that they did, and then collaboratively work on a final design from those two independent designs.
# Results
We have the first iteration of the landing pages. We'll reach out for feedback, update them, and repeat this process a couple times.
![INITIAL-tpo-landing.png,500px](uploads/INITIAL-tpo-landing.png,500px)
![INITIAL-dev-landing.png,500px](uploads/INITIAL-dev-landing.png,500px)
![INITIAL-support-landing.png,500px](uploads/INITIAL-support-landing.png,500px)
![INITIAL-community-landing.png,500px](uploads/INITIAL-community-landing.png,500px)
You can find the [sketch file](https://trac.torproject.org/projects/tor/attachment/ticket/22077/INITIAL-tpo-landing-page-wireframes.sketch) and the [pdf of the pages](https://trac.torproject.org/projects/tor/attachment/ticket/22077/INITIAL-tpo-landing-page-wireframes.pdf) here.

Assignee: Linda Lee

Onion-location: increasing the use of onion services through automatic redirects and aliasing
https://gitlab.torproject.org/legacy/trac/-/issues/21952
Updated: 2021-03-22T16:56:26Z
Author: Linda Lee

= Background =
People can't remember, or type in onion sites very easily. We should try to fix this somehow.
ilf is experimenting with automatically redirecting Tor users to .onion versions of websites that they visit (because they want more people to visit onion sites and they will do so if it is painless to them). But when users were redirected automatically to an onion site, they freaked out about it because they didn't know what happened, didn't know what onion sites were, and the "https" was dropped.
asn and dgoulet also were trying to find a solution to make onion sites more accessible to use. Specifically, onion addresses are quite long and random-ish, making them hard to remember and hard to type. There were many solutions discussed casually to try and resolve this, but none stood out as a clear winner.
= Discussion =
I like the idea of redirecting users to .onion sites automatically when they type in the website's non-onion address. This way, users don't need to remember anything else, need to type in anything long, or really even know what onion sites are.
My suggestion is to follow the https design pattern, and create a similar indicator for .onion sites.
![onion-address-idea.png,600px](uploads/onion-address-idea.png,600px)
The proposed solution would be this: when a user types in a website (pad.riseup.net), they would automatically be redirected to the onion site. When this happens, there would be an onion icon next to the address bar (replacing the https lock icon if there is one, or just being where an https lock icon would be if redirection from an http website), similar to that of the https lock icon. The address in the address bar can be turned a different color or indicated in some way that this is an alias for the onion site.
From my observation, people don't mind automatically being redirected to https sites from http sites, but freak out when redirected from an http/https site to an onion site. I don't think that this is because people know what https is and find the idea comforting (although this can help). I speculate that they don't mind because they don't notice, and the reason why users freaked out at the redirect to onion sites is that they saw the website address visibly change in the address bar.
Also--
If we want to show users the address of the onion site, we can additionally have a feature to reveal the onion site when the user clicks in the address bar.
![onion-address-secondary-idea.png,600px](uploads/onion-address-secondary-idea.png,600px)
I don't know how I feel about this, since it may just be confusing, and just shock the user later. Users don't know that pad.riseup.net resolves to some numerical IP address, and that isn't displayed to users. So there could be an argument made for just indicating that the address is an alias and not ever showing the .onion address, either. This will confuse way less of the general population.
= Considerations =
* how should the redirect behavior work?
* how can we implement this without tracking?
* should we allow users to turn off this redirecting behavior?
* should we hide the .onion address from the users more so than the proposal above?

Assignee: Alex Catarineu

Helping censored users bootstrap to Tor: Tor launcher improvements and automation
https://gitlab.torproject.org/legacy/trac/-/issues/21951
Updated: 2020-06-16T01:01:15Z
Author: Linda Lee

= Background =
[Research](https://petsymposium.org/2017/papers/issue3/paper2-2017-3-source.pdf) has shown that many censored users are not able to connect to Tor if Tor is censored in their country. The ones that are able to succeed usually do after multiple attempts and minutes of their time.
To make this process faster and successful the first time, we need to be able to differentiate people connecting from different countries | people at risk and not at risk | people who are censored and not censored, tighten the window for error notifications and give advice, and generally make the settings easier to configure. One grand vision is to one day not involve users in toggling network settings, and to ask for consent and just give them one button that connects them to Tor safely and reliably.
= Objective =
To make it easier for users to connect to Tor, we're going to make some changes to Tor Launcher. We've broken this effort down into three stages:
1. design changes: we're going to make interface-only changes that will help the users.
1. naive automation: we're going to automate the connection process, by some sort of behavior. We haven't decided on what that behavior is yet, but there are multiple ways to do this. One way would be to try a bunch of relays/bridges in a specific order, and stop when one is reachable. Another way would be to try all the relays/bridges at the same time, and return one that works to the user.
1. smart automation: this is a "make it work" button that people can relatively safely click, and it will work for people in most environments with minimized risk. We haven't decided on what that behavior is yet either, but one way to do this is to meek-front the connection, work with bridgeDB and/or some way to identify where the user is from, and give them a relay/bridge that works the first time.

Assignee: Linda Lee

drop tor2web from the website lists
https://gitlab.torproject.org/legacy/trac/-/issues/21593
Updated: 2020-06-13T17:24:27Z
Author: Roger Dingledine

We have a bunch of people who are concerned with tor2web, and think it needs to disappear. Maybe it does, maybe it doesn't, but I think it's fair to stop listing it as a Tor project on our website.
I think that's the official projects list, and also the table on the volunteer page.

Assignee: Damian Johnson

.onion HTTP is shown as non-secure in Tor Browser
https://gitlab.torproject.org/legacy/trac/-/issues/21321
Updated: 2020-06-15T23:46:51Z
Author: cypherpunks

blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
http version of .onion is safe. This must be the exception of that slash/ icon.

Basic Usability Issues
https://gitlab.torproject.org/legacy/trac/-/issues/21183
Updated: 2020-06-15T23:46:01Z
Author: Trac

Hi:
I'm a longtime UX'er, and new to using Tor. Some very basic heuristics I felt compelled to respond to, in a PDF—and was advised by a FOSS person, to submit in a ticket, here.
Namely:
- The "Tor Button" is illegible (recommended replacement included)
- The "NoScripts" icon is illegible (recommended replacement included)
- Most of the functionality behind the TorButton should be in a preferences pane, not a toolbar button
- The three pieces of functionality appropriate for toolbar buttons, should each have their own buttons. Replacement icons and interaction pane recommendations, included.
Document here, if I'm not able to upload it myself:
https://drive.google.com/open?id=0BzRaXGZ006aoWHJLd0hBT3IyRUE
**Trac**:
**Username**: ninavizz

Tor Browser: How do we help users to use higher security?
https://gitlab.torproject.org/legacy/trac/-/issues/20843
Updated: 2020-06-15T23:41:22Z
Author: Arthur Edelstein

The security slider lets users adjust their Tor Browser's behavior along the security-usability tradeoff. But Tor Browser is a juicy target, so we'd like to encourage users to use Medium-High Security or higher. But right now we set the default to Low because we don't want to scare away naive users who would think that Tor Browser is "broken" at higher security levels (when JavaScript and other features are disabled).
So an interesting UX question is how to design an interface that helps more users choose higher security, without driving users away. Testing would be important, I think.

Proposal: Improve Tor Browser font whitelist / bundled fonts
https://gitlab.torproject.org/legacy/trac/-/issues/20842
Updated: 2022-07-22T21:41:20Z
Author: Arthur Edelstein

**Background:**
In #13313 we introduced a new font whitelisting mechanism. Tor Browser only allows certain fonts to be used in the browser, in order to prevent bad people from trying to identify you by detecting what fonts are installed on your computer. Font whitelisting is also available in Firefox, off by default. (The whitelisting is controlled by a pref, "font.system.whitelist", which contains a comma-separated list of allowed font names. You can edit this pref by opening a tab and browsing to `about:config`.)
On Windows and Mac, we mostly whitelist certain system fonts that are bundled with the operating system by default. We bundle a few [Google Noto fonts](https://www.google.com/get/noto/) as well for languages that don't have a built-in platform font.
On Linux, we bundle a large number of Google Noto fonts, plus Arimo, Cousine, and Tinos. We don't expose any system fonts, because these aren't consistent across Linux flavors.
My strategy for choosing fonts for the whitelist was to try to cover all possible languages with at least one font, and get the work done as efficiently as possible. I whitelisted Mac and Windows fonts that have been available for a long time and should be on essentially all systems. Bundling fonts from the Noto collection was a quick and dirty method for covering any missing fonts for different languages.
But there are probably more appealing fonts for some languages that we could use, especially on Linux. For example, in #20820 we are considering switching Linux from Noto Japanese to mona.ttf because the latter looks better (according to Yawning) and because mona.ttf can be used in the ancient Japanese art of ascii calligraphy. I also heard from someone who knows that the Tamil font on Windows is not too beautiful.
**Proposed project:**
So it would be a useful project to go through each of the fonts on each platform and see if there are better fonts that could be used instead. Important considerations would include:
* Aesthetics
* Character coverage
* Printability
* Font licensing
* Font file size
This would require asking the opinions of native speakers of various languages.
Ideally, we could come up with a new font whitelist and bundling list for Mac, Windows and Linux, where the fonts are beautiful and users are happy.

Circuit display does not honor or use the UI font.
https://gitlab.torproject.org/legacy/trac/-/issues/20805
Updated: 2020-06-15T23:39:42Z
Author: Yawning Angel

When trying to enhance the visual identity of Sandboxed Tor Browser, I noticed that the circuit display does not use the font specified as the UI font via my gtk theme (`gtk-font-name`).
This is inconsistent with the rest of the UI elements, including the rest of torbutton, which does honor it.

More locales for Tor Browser
https://gitlab.torproject.org/legacy/trac/-/issues/20628
Updated: 2020-06-16T00:47:22Z
Author: Arthur Edelstein

Several locales for torbutton in Transifex are fully or almost fully translated, but we aren't including these in our ./import_translations.sh script in torbutton.
And we would probably like to release some of these as Tor Browsers as well.

Make SVG click-to-play and support fallback
https://gitlab.torproject.org/legacy/trac/-/issues/20314
Updated: 2020-06-15T23:38:24Z
Author: bugzilla

Currently TBB uses the worst option: entirely disabled. Even no white rectangle on a white background. It's not fair that videos have CTP, but images haven't. NoScript is most suitable now for this feature.

bridges.torproject.org could use a favicon
https://gitlab.torproject.org/legacy/trac/-/issues/19774
Updated: 2020-06-13T18:28:39Z
Author: Isis Lovecruft

It doesn't have one. It could. I don't particularly care what it is, but a little bridge or a little onion might be cute.

Assignee: Philipp Winter <phw@torproject.org>

Make a menu to add onion and auth-cookie to TB
https://gitlab.torproject.org/legacy/trac/-/issues/19757
Updated: 2020-06-16T01:11:28Z
Author: Nima Fatemi

Currently it's very difficult to add an onion address and auth cookie to Tor Browser.
It would be nice to have an option in torbutton menu where you can set `HidServAuth` and optionally `MapAddress`, instead of having to edit your TB torrc file.

Assignee: Kathleen Brade

update warning on about:tor is not eye-catchy enough
https://gitlab.torproject.org/legacy/trac/-/issues/19270
Updated: 2020-06-15T23:35:39Z
Author: Nima Fatemi

While I was watching a friend opening their out-dated Tor Browser, I realized they didn't pay attention to the big warning:
![https://trac.torproject.org/projects/tor/raw-attachment/ticket/19270/tor%20browser%20copy.jpg](https://trac.torproject.org/projects/tor/raw-attachment/ticket/19270/tor%20browser%20copy.jpg)
So I thought maybe one way to fix it, is to fade everything else on the page with CSS. I might try to send a patch later on, but feel free to beat me to it.

TorBrowser might want to have an error page specific to when .onion links fail
https://gitlab.torproject.org/legacy/trac/-/issues/19251
Updated: 2020-06-16T01:13:05Z
Author: cypherpunks

When a webpage fails to load, it can be due to any number of factors. But when that page is served by an onion service, some of those factors have greater implications for security.
It would be cool to know if the failure is related to a malfunction in the local Tor instance, or due to nonlocal failures. If TBB can determine this, adding something to TBB to create .onion specific error messages with greater detail would be helpful.

Assignee: Kathleen Brade

Allow user to completely disable canvas content and related warning popup from a checkbox in TorButton's "Privacy Settings"
https://gitlab.torproject.org/legacy/trac/-/issues/19199
Updated: 2020-06-15T23:35:26Z
Author: cypherpunks

Canvas-based fingerprinting is a potent threat to anonymity. I believe it does not make sense to have it potentially enabled (following a popup dialog) at elevated Security Slider settings, and even with the Security Slider on "High," and probably also on Medium-High, Medium, and potentially Medium-Low.
Fingerprintable canvas content (and its related popup) should be completely disabled when the Security Slider is at one of these elevated settings, and it should be transparent to the user. It may make sense to still present the icon in the address bar so that it can be enabled manually, on a per-site or per-page basis, if a user needs this feature.
Thank you all so much.

Tor Browser with Snowflake
https://gitlab.torproject.org/legacy/trac/-/issues/19001
Updated: 2020-06-13T18:21:52Z
Author: David Fifield <dcf@torproject.org>

Let's prepare a branch with reproducible builds and a built-in Snowflake client selectable from the menu.
These GitHub issues are relevant:
* [#23](https://github.com/keroserene/go-webrtc/issues/23) native webrtc dependency build script
* [#29](https://github.com/keroserene/go-webrtc/issues/29) Reproducible builds