More than once, I have had multiple browsers open (in this example, let's say both Tor Browser and Firefox due to their similarity) and have mixed them up, for example logging into accounts or entering information I intended to keep compartmentalized and only transmitted over the Tor network. In situations where OPSEC is important, such a mistake can be very costly indeed.
This led me to give some thought to the idea that the Tor Browser should be more visually distinct to prevent this type of easily committed user error that can compromise privacy and security in potentially disastrous situations. At present, the title bar and onion logo are the main distinguishing features that allow a desktop user to know which environment they are working in. In my opinion, that's not enough. Is there anything more that can be done to customize TorBrowser's UI?
Any thoughts or ideas about this?
Trac: Username: ageisp0lis
There is a cost here to be kept in mind: The better the distinction between vanilla Firefox and the Tor Browser is, the easier it is for users to get identified as Tor Browser users if someone looks over their shoulders.
> More than once, I have had multiple browsers open (in this example, let's say both Tor Browser and Firefox due to their similarity) and have mixed them up, for example logging into accounts or entering information I intended to keep compartmentalized and only transmitted over the Tor network. In situations where OPSEC is important, such a mistake can be very costly indeed.
> This led me to give some thought to the idea that the Tor Browser should be more visually distinct to prevent this type of easily committed user error that can compromise privacy and security in potentially disastrous situations. At present, the title bar and onion logo are the main distinguishing features that allow a desktop user to know which environment they are working in. In my opinion, that's not enough. Is there anything more that can be done to customize TorBrowser's UI?
> Any thoughts or ideas about this?
You shouldn't use both Tor Browser and Firefox, use just Tor Browser. This helps both Tor and you.
> There is a cost here to be kept in mind: The better the distinction between vanilla Firefox and the Tor Browser is, the easier it is for users to get identified as Tor Browser users if someone looks over their shoulders.
Agree strongly. It is important to me that I can press 'F11' to full screen Tor Browser and have it look similar to Firefox or vaguely similar to IE. If we must make Tor Browser obviously Tor (and I don't agree with this), please include an option to turn it off. I am sometimes in a position where if someone could see I'm using Tor Browser, it could cause problems.
The Tor browser should have a clear visual distinction to the normal browser, to help prevent the user mixing it up with the normal Firefox instance he is running and thus inadvertently losing anonymity without wanting to.
I know myself, I will mix this up many times, so I need all the help I can get in not getting the two confused and giving up my privacy without wanting to.
For a user who has to fear shoulder surfing something more subtle would be preferable, I would suggest something that is visually very distinct but doesn't hint at the TorProject directly.
When you install TorBrowser for the first time, it already asks some setup questions (like: do you need a proxy). That would be a good time to offer a choice of themes too. Perhaps asking for a threat profile is a bit much. The end result should however definitely be that the Tor Browser is visually very distinct to the regular browser.
-- snap --
In response to cypherpunks:
It is a luxury to be able to only use Tor browser that I do not have and also one that I do not think is sensible. If I want to appear in public with my name, I do not want to use the Tor-Browser because I want to absolutely make sure that there is no tracking that can link my public name to any of the secret identities. So especially for operational security I think it is important that the two can easily be made visually distinct.
I do agree that doing it via theme and having an obvious advertising for the Tor-Browser is not the right thing for every circumstance, so perhaps something more subtle should be the default. Still it should be different than standard Firefox. I would argue that the fact that Firefox is already themeable and that themes are used by many people gives enough plausible deniability for a different theme to make this a viable option for the Tor project.
Using only TBB and not Firefox is not practical for all users, for many reasons. I'm talking about compartmentalizing information and activity, even identities, in different browsers. That's the way many people need to work.
A theme that makes it more distinguished from Firefox would be perfect, and dwt's suggestion of a 'subtle' option for those concerned about shoulder surfing is a great idea. So yeah, optional theme selected during setup.
I've just had a nice chat with Jacob Appelbaum at CCC in Berlin and learned that he wholeheartedly supports the cause of this bug.
In chatting with people here one raised the argument that TorBrowser currently doesn't protect against shoulder surfing either (because it displays a huge 'you are using TorBrowser' screen upon startup).
Thus a good first step would be to choose a really obvious theme to really ensure that you do not mistake a TorBrowser window for a regular Firefox window.
Then add another more subtle theme later as another patch to allow some choice when describing your own threat profile.
Would you guys merge a patch that brings in a default theme like this:
I'd think that the theme would be even better if the 'Tor' graphic in the upper right were a bit smaller and moved to the left, to have less interference with the window manager buttons and the toolbar buttons beneath.
I think we can provide an alternate theme as an option, but there is the question of what the default should be, and at what point we should ask the user which they prefer. I would like to avoid asking many questions of the user in the default case, and I am not yet convinced that the default should be a drastically different theme than normal Firefox.
There is also a difference between the homepage telling the user that they are using Tor (which is temporary, and which they can close or navigate away from, or otherwise not always have visible), and making the default always be obvious from a distance at all times.
Suggestions for possible solutions here are welcome. I bet there is a solution that can make everyone happy (especially since we have people willing to put the work into providing it for us), but we need to be a little careful in what form that solution takes, and how and when we present this choice to the user.
> I am not yet convinced that the default should be a drastically different theme than normal Firefox.
To be effective at all, the difference must be obvious, but that doesn't mean that the entire visual appearance must be changed. Something as simple as changing the icon scheme from default FF could be enough for users, without being obvious to onlookers that something different is happening. The obvious option would be to add a new header background and change icons to be clear that one is using Tor. But this may be tricky for users in an office or internet cafe where people walking past is common.
Impact on user experience could be quite positive if we can iron out the details.
Edit: And I doubt that many users would deviate from TBB's standard theme.
2 years ago, when Tor Browser was using Firefox Aurora, the menu button on top left was purple, which is also the color of Tor Project's website. It also looked nice, can we at least change that color if possible?
Off-topic: Can the title TorBrowser there be replaced with Tor Browser?
It seems surprisingly hard to create a theme for Firefox. Though it has a facility to do lightweight themes, which would be perfect for this bug, those seemingly cannot be installed from a file and thus cannot be distributed with tor browser.
The obvious alternative is to create a full theme, but that seems to entail copying all internal styles from firefox and re-creating all the changes they applied for their lightweight theme support. Not to mention that this then needs to be recopied and maintained for each new firefox version. :-/ Not pretty. :-/
I'm currently looking into mixed forms, i.e. a Firefox plugin that will install the theme on demand, but I'm not having any luck trying this out, or finding any documentation that explains how this would have to be done. Some guidance would be greatly appreciated.
The downside here is that it's not possible to change some of the finer details like icons. Creating a full theme isn't impossible, but much like making an extension it's pretty tricky the first time you do it. Official documentation here: https://developer.mozilla.org/en-US/docs/Building_a_Theme
To install it you need to add a text file named after the theme's ID 'torbrowser-improved-distinction@haecker.me' into your Firefox profile's extensions folder and put the full path to the checkout into it.
So something like this:
cd "$firefox_profile_folder/extensions"
# the pointer file contains the full path to the theme checkout
echo "$theme_checkout_location" > torbrowser-improved-distinction@haecker.me
Then Firefox should ask if you want to install the theme on its next startup.
@dwt: For testing, an easier way is to compress all files as a zip and change the extension to .xpi . Then drag and drop into your open Tor Browser window. It will enable automatically, but if you want to make a change, disable and then remove it from the add-ons menu before closing the Tor Browser (otherwise your changes will persist).
The real question to me is whether branding is an asset or not. It might be helpful to have a theme that is The Tor Theme but isn't recognizable to a random passerby.
I've put together some other theme designs piggybacking off of dwt's lightweight theme. Screenshots: http://imgur.com/a/qn6Ih
Regarding the question of branding vs something just different: I don't really care, as I just need it to be different to drastically reduce errors.
For people not having to fear shoulder surfing I would expect that something that is Tor themed is better as it is easier to recognize and reduces errors where you meant to use Tor (or not) and accidentally use the wrong browser.
For people having to fear shoulder surfing of course a visible Tor-Logo could be potentially very bad, though I guess that they also suffer much stronger from the first problem, i.e. having to keep their secret and public identities strongly apart.
I see it this way: I provide a patch that makes it easy to theme Tor Browser by changing two images and two colors around and get that technically ready to be included in the build process. If that is ready, then I'd like the maintainers to step in and decide how they want to proceed branding wise and what their experiences are with people who actually have this problem (as I sadly/luckily don't) so we do not have to rely on speculation for this point.
I created an exploratory patch to add the plugin to Tor Browser. Since I can test best on Mac OS, I started integrating it there.
Well, since I really don't know the build system, I'd greatly appreciate some feedback on how I integrated it and how it should be done instead.
@maintainers:
I've attached a patch - is that the preferred way or would you like to see it in a different way?
The tor-browser-bundle bits look good to me. It seems you need to add your tor-browser-theme and tag to verify-tags.sh as well. And ideally you would make tags we could use and sign them with a key.
That said I am not a fan of having yet another dialog on start-up asking in this case about applying the theme or not. But I can imagine just shipping the theme and having it off by default. Users who feel the need to switch themes because they are using other browsers in parallel should be able to do this by switching a preference. Please make sure this theme is no fingerprintability vector. It should not be possible for web content to find out whether a user has a Tor Browser specific theme activated or not.
Trac: Status: needs_review to new Keywords: needs-triage deleted, N/A added
if the argument of shoulder surfing is brought into consideration then the whole topic should be viewed from a much broader perspective.
- for example tab titles could easily raise suspicion even if you don't view anything suspicious atm.
- audio playback and system sounds should be disabled.
- big images and text should be click or hover to view
- animations and generally moving things unconsciously trigger people to look
- there should be a button, mouse gesture and a shortcut to make the browser completely invisible (closing could take too long on a busy machine and all your session would be gone on false alarm).
- the torbutton and noscript icons should be hidden
there once was a browser called ghost fox for the purpose of shoulder browsing. it made everything greyscale and was able to place itself inside for example word. it wasn't carried out perfectly but i liked the idea. even though it could raise more suspicion than a normal browser if someone finds it there are cases in which this might be the better way.
Trac: Username: cypherpunks_backup Severity: N/A to Normal Sponsor: N/A to N/A Owner: erinn to tbb-team Component: Tor bundles/installation to Tor Browser
A related issue is the application icon, as shown in the taskbar or GNOME shell, which is not the Tor Browser logo, as it really should be -- it's Firefox. Seems like incomplete rebranding. (this is on a Debian sid system)
I'd like one of the experienced devs to chime in here. I think the project is at the stage where the grunt work, that is, all the work on the Firefox theming that is not related to the Tor build system, is done. (And I'm currently out of motivation).
So, anybody willing to take this over and finish the integration?