Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-15T23:41:22Z

https://gitlab.torproject.org/legacy/trac/-/issues/20843
Tor Browser: How do we help users to use higher security?
2020-06-15T23:41:22Z
Arthur Edelstein

The security slider lets users adjust their Tor Browser's behavior along the security-usability tradeoff. But Tor Browser is a juicy target, so we'd like to encourage users to use Medium-High Security or higher. But right now we set the default to Low because we don't want to scare away naive users who would think that Tor Browser is "broken" at higher security levels (when JavaScript and other features are disabled).
So an interesting UX question is how to design an interface that helps more users choose higher security, without driving users away. Testing would be important, I think.

https://gitlab.torproject.org/legacy/trac/-/issues/20842
Proposal: Improve Tor Browser font whitelist / bundled fonts
2022-07-22T21:41:20Z
Arthur Edelstein

**Background:**
In #13313 we introduced a new font whitelisting mechanism. Tor Browser only allows certain fonts to be used in the browser, in order to prevent bad people from trying to identify you by detecting what fonts are installed on your computer. Font whitelisting is also available in Firefox, off by default. (The whitelisting is controlled by a pref, "font.system.whitelist", which contains a comma-separated list of allowed font names. You can edit this pref by opening a tab and browsing to `about:config`.)
On Windows and Mac, we mostly whitelist certain system fonts that are bundled with the operating system by default. We bundle a few [Google Noto fonts](https://www.google.com/get/noto/) as well for languages that don't have a built-in platform font.
On Linux, we bundle a large number of Google Noto fonts, plus Arimo, Cousine, and Tinos. We don't expose any system fonts, because these aren't consistent across Linux flavors.
My strategy for choosing fonts for the whitelist was to try to cover all possible languages with at least one font, and get the work done as efficiently as possible. I whitelisted Mac and Windows fonts that have been available for a long time and should be on essentially all systems. Bundling fonts from the Noto collection was a quick and dirty method for covering any missing fonts for different languages.
But there are probably more appealing fonts for some languages that we could use, especially on Linux. For example, in #20820 we are considering switching Linux from Noto Japanese to mona.ttf because the latter looks better (according to Yawning) and because mona.ttf can be used in the ancient Japanese art of ascii calligraphy. I also heard from someone who knows that the Tamil font on Windows is not too beautiful.
**Proposed project:**
So it would be a useful project to go through each of the fonts on each platform and see if there are better fonts that could be used instead. Important considerations would include:
* Aesthetics
* Character coverage
* Printability
* Font licensing
* Font file size
This would require asking the opinions of native speakers of various languages.
Ideally, we could come up with a new font whitelist and bundling list for Mac, Windows and Linux, where the fonts are beautiful and users are happy.

https://gitlab.torproject.org/legacy/trac/-/issues/20805
Circuit display does not honor or use the UI font.
2020-06-15T23:39:42Z
Yawning Angel

When trying to enhance the visual identity of Sandboxed Tor Browser, I noticed that the circuit display does not use the font specified as the UI font via my gtk theme (`gtk-font-name`).
This is inconsistent with the rest of the UI elements, including the rest of torbutton, which does honor it.

https://gitlab.torproject.org/legacy/trac/-/issues/20628
More locales for Tor Browser
2020-06-16T00:47:22Z
Arthur Edelstein

Several locales for torbutton in Transifex are fully or almost fully translated, but we aren't including these in our ./import_translations.sh script in torbutton.
And we would probably like to release some of these as Tor Browsers as well.

https://gitlab.torproject.org/legacy/trac/-/issues/20314
Make SVG click-to-play and support fallback
2020-06-15T23:38:24Z
bugzilla

Currently TBB uses the worst option: entirely disabled. Even no white rectangle on a white background. It's not fair that videos have CTP, but images haven't. NoScript is most suitable now for this feature.

https://gitlab.torproject.org/legacy/trac/-/issues/19930
web site menu needlessly jumps around
2020-06-13T17:24:03Z
Trac

Go to a page like
https://www.torproject.org/docs/tor-hidden-service.html.en
Examine the menu on the left. Think of what you want to put your pointer on, and move your pointer there. *Because* your mouse-pointer is there, the location of things near it is different! Where you wanted to click changed because you tried to click. That's annoying, and it gives no new functionality. You may wish to emphasize what the user is going to select if they click, but there are better ways than changing the layout of the menu to do it.
I suggest making the text a different color. That's almost always safe, and it's what people expect.
**Trac**:
**Username**: chadmiller
WebsiteV3
cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/19774
bridges.torproject.org could use a favicon
2020-06-13T18:28:39Z
Isis Lovecruft

It doesn't have one. It could. I don't particularly care what it is, but a little bridge or a little onion might be cute.
Philipp Winter
phw@torproject.org

https://gitlab.torproject.org/legacy/trac/-/issues/19757
Make a menu to add onion and auth-cookie to TB
2020-06-16T01:11:28Z
Nima Fatemi

Currently it's very difficult to add an onion address and auth cookie to Tor Browser.
It would be nice to have an option in torbutton menu where you can set `HidServAuth` and optionally `MapAddress`, instead of having to edit your TB torrc file.
Kathleen Brade

https://gitlab.torproject.org/legacy/trac/-/issues/19270
update warning on about:tor is not eye-catchy enough
2020-06-15T23:35:39Z
Nima Fatemi

While I was watching a friend opening their out-dated Tor Browser, I realized they didn't pay attention to the big warning:
![https://trac.torproject.org/projects/tor/raw-attachment/ticket/19270/tor%20browser%20copy.jpg](https://trac.torproject.org/projects/tor/raw-attachment/ticket/19270/tor%20browser%20copy.jpg)
So I thought maybe one way to fix it is to fade everything else on the page with CSS. I might try to send a patch later on, but feel free to beat me to it.

https://gitlab.torproject.org/legacy/trac/-/issues/19251
TorBrowser might want to have an error page specific to when .onion links fail
2020-06-16T01:13:05Z
cypherpunks

When a webpage fails to load, it can be due to any number of factors. But when that page is served by an onion service, some of those factors have greater implications for security.
It would be cool to know if the failure is related to a malfunction in the local Tor instance, or due to nonlocal failures. If TBB can determine this, adding something to TBB to create .onion specific error messages with greater detail would be helpful.
Kathleen Brade

https://gitlab.torproject.org/legacy/trac/-/issues/19199
Allow user to completely disable canvas content and related warning popup from a checkbox in TorButton's "Privacy Settings"
2020-06-15T23:35:26Z
cypherpunks

Canvas-based fingerprinting is a potent threat to anonymity. I believe it does not make sense to have it potentially enabled (following a popup dialog) at elevated Security Slider settings, and even with the Security Slider on "High," and probably also on Medium-High, Medium, and potentially Medium-Low.
Fingerprintable canvas content (and its related popup) should be completely disabled when the Security Slider is at one of these elevated settings, and it should be transparent to the user. It may make sense to still present the icon in the address bar so that it can be enabled manually, on a per-site or per-page basis, if a user needs this feature.
Thank you all so much.

https://gitlab.torproject.org/legacy/trac/-/issues/19001
Tor Browser with Snowflake
2020-06-13T18:21:52Z
David Fifield
dcf@torproject.org

Let's prepare a branch with reproducible builds and a built-in Snowflake client selectable from the menu.
These GitHub issues are relevant:
* [#23](https://github.com/keroserene/go-webrtc/issues/23) native webrtc dependency build script
* [#29](https://github.com/keroserene/go-webrtc/issues/29) Reproducible builds

https://gitlab.torproject.org/legacy/trac/-/issues/18870
add the tor animation video to the top of the overview page?
2020-06-13T17:23:46Z
Roger Dingledine

It occurred to me while talking to Nima that we might take the embedded video on
https://www.torproject.org/press/video
and put it on the top of
https://www.torproject.org/about/overview
This will not solve all of our website problems (and we should avoid getting bogged down here in broader discussions about fixing up the website).
But if somebody wants to do up a patch to make this one work, I'll take it. :) (or you can just merge it yourself, depending on who you are)
Hiro

https://gitlab.torproject.org/legacy/trac/-/issues/18695
We should have a repository list that includes important external repositories
2020-06-13T17:23:45Z
Nick Mathewson

Many developers like using github or personal repository
Many developers' github repositories are nontrivial to find.
Let's index them on our website or wiki somewhere?
WebsiteV3
cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/18586
Bug tracker not easy to find
2020-06-13T17:23:44Z
cypherpunks

I had some trouble finding this bug tracker. The word "bug" doesn't appear on the main page or the Tor Browser project page. And there's no "development" or similar link under "Get Involved".
The "Tor Browser" page says to email the help desk for help but gives no way to do this anonymously (most free email sites don't work in high security mode or don't allow anonymous signups). I did find a link under "my tor keeps crashing" in the browser FAQ but that's pretty buried. It always takes me a few minutes.
(I've put keyword "usability" but I have no idea whether people generally use that keyword. I see no way to get a list of suggested keywords.)
cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/17805
The website should support "stable" and "oldstable" tor releases
2020-06-13T17:23:27Z
Nick Mathewson

Right now we have "alpha" and "stable". But sometimes we want to have an extra stable listed as well.
No hurry on this one.
WebsiteV3
cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/17413
Usability of MacOS installation process
2020-06-13T17:23:18Z
cypherpunks

Usability of MacOS installation process
Consequence: User is unable to verify package signature
Steps to reproduce:
1. Download Tor browser
2. Go to https://www.torproject.org/docs/verifying-signatures.html.en for instructions.
3. Read the block of text for MacOS and Linux.
4. Follow the link at the bottom of that section to:
https://www.gnupg.org/documentation/
5. Struggle with the information on that page.
6. Try to go to the SourceForge link there for GPG Mac download.
uBlock Origin blockade: uBlock Origin has prevented the following page from loading: http://macgpg.sourceforge.net/
Because of the following filter
| sourceforge.net^$other^ |
|-------------------------|
Found in: uBlock filters – Badware risks
7. Give up.
----
What should have happened:
Follow the GPGTools link at the top of the Tor page's Mac/Linux instruction block.
https://www.torproject.org/docs/verifying-signatures.html.en
----
Suggested fixes:
* Divide the MacOS instructions from the Linux instructions.
* Add numbers to the procedures... something like this, for the MacOS:
1. Download Tor Browser and save the signature.asc to your Desktop.
1. Download and install GPGTools.
1. Open a Terminal window (Terminal is in /Applications/Utilities or find it with search)
1. Paste the following into the terminal: [... ...]
...adding links appropriately in the procedure
* Use link colors to help people visually scan through the pages. Take advantage of the human tendency to skim over text and just read the bold, colored stuff:
-Use a color with better contrast against black (the green is wonderful but too dark for good contrast)
-Include more keywords in links
* Related installation issue that probably belongs somewhere else:
Opening the DMG and installing the Tor Browser: The application file shows a file modification date of Dec 31, 1999, so it's difficult to know whether the downloaded one is newer than one I have already.
No version number is in the file name.
Get Info (cmd-I) (which not every Mac user knows about) does show a version number, and it also shows the file has a creation date of Dec 31, 2000, which is before the mod date. The weird dates might cause version control issues but are also likely to worry people who see them.
WebsiteV3
traumschule

https://gitlab.torproject.org/legacy/trac/-/issues/17400
Decide how to use the multi-lingual Tor Browser in the alpha/release series
2020-06-16T01:10:11Z
Georg Koppen

Now that #12967 is fixed, we should decide on how we want to make use of a multi-lingual Tor Browser. For the hardened series we just ship one build with all locales. We could do that for the alpha and the release series as well but maybe there is a smarter way to strike the balance between usability (downloading just the localized bundle I want) and resource scarcity (hosting all the localized bundles on our infrastructure).
Mike had the idea a while ago to ship the most important bundles localized while putting all the other locales in a generic bundle (see: http://meetbot.debian.net/tor-dev/2015/tor-dev.2015-08-10-18.01.log.txt). I think I like that idea. Is that still something we want?

https://gitlab.torproject.org/legacy/trac/-/issues/16777
Make an easier way for users to report bugs in TBB
2020-06-15T23:28:46Z
cypherpunks

Currently the manual way of reporting bugs is tedious in a sense and to casual or non-advanced users, it will deter them from reporting any bugs at all. I think this area needs improvement and proper implementation of a way to easily report bugs via the browser itself (i.e. possibly option in TBB to link directly to report bug page without need to log in or auto logging into shared account) rather than manually finding out the URL, creating an account or using shared account and posting it.
This I'm sure would definitely increase the number of bug reports and fix reports by users.

https://gitlab.torproject.org/legacy/trac/-/issues/16665
Circuit visualizer needs a cue about guards
2020-06-15T23:27:49Z
Lunar

One user came to me really confused about the fact that every time they used “New identity” or “New circuit for this site”, the first Tor node in the circuit was always the same. We probably should add an explanation about guards somewhere close to the circuit visualizer.