#tor-meeting log

19:01:53 <asn> #startmeeting onion ux
19:01:53 <MeetBot> Meeting started Wed Dec  6 19:01:53 2017 UTC.  The chair is asn. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01:53 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:01:57 <GeKo> what#s the state of your #21952 related proposal
19:02:05 <GeKo> ?
19:02:20 <asn> havent worked on it GeKo
19:02:23 <isabela> dgoulet: o/
19:02:31 <asn> since we moved that ticket to secondary priority
19:02:38 * isabela reads comments on #23247
19:02:38 <GeKo> ok, fine with me
19:02:45 <antonela> i made a quick mock to show the idea we talked about last meeting
19:02:46 <antonela> https://share.riseup.net/#WPhEbcL5oBr6NC1owD3mCQ
19:02:46 <asn> i considered we are gonna come back to that when time allows
19:02:47 <isabela> (sorry i need to catch up a bit)
19:02:59 <GeKo> i am basically with tjr on all he said on this ticket
19:02:59 * asn checks mockup
19:03:15 <isabela> antonela: i like that - but i think the button could be purple
19:03:16 <antonela> added to the pad not to the ticket
19:03:20 <isabela> but maybe is not nice :)
19:03:23 <isabela> your call
19:03:29 <armadev> i am in too many channels, but re 21952, i got convinced in montreal that something on the *client* side which auto redirects to an onion is just fine. i'm still scared of the website itself making the decision for me.
19:03:30 <tjr> GeKo: But you like a onion instead of a padlock, right?
19:03:37 <GeKo> yes
19:03:44 <asn> antonela: wow quite interesting!!!
19:04:00 <antonela> yes could be! im following Firefox's Photon Design System for this iterations
19:04:16 <asn> that looks nice, optional and non-UX-intrusive
19:04:18 <GeKo> i'd like to avoid messing with tls indicators
19:04:18 <antonela> maybe violet is too much, but we can try isa
19:04:19 <isabela> i just think the purple buttom will call more attention
19:04:24 <isabela> hehe
19:04:27 <antonela> agreed
19:04:28 <isabela> could be too much
19:04:32 <stephw> yes :) id like to see
19:04:33 <isabela> thanks for trying
19:04:51 <antonela> also, the text is just a placeholder, an approach, for sure we should review the words there
19:05:00 <isabela> or the font of the button and the learn more links be purple
19:05:04 <antonela> YES
19:05:06 <tjr> So the main thing I see with that bar is in the page, it is in the middle of page content. it would need to be above the nytimes nav bar; and the scrollbar of the page content would not include the bar
19:05:09 <isabela> as they are clickable
19:05:11 <GeKo> armadev: it could easily be the coded in the way that the client side is doing it
19:05:22 <tjr> but I think that's just minor stuff, not something you intended
19:05:25 <GeKo> e.g. by showing the user a notification box and asking it
19:05:56 <antonela> tjr: yes, is a browser component you scroll and it remains at the top
19:06:15 <tjr> There was an email by heddha on tor-dev about autoredirecting, they had built an extension for it
19:06:18 <isabela> tjr: these bars are normal tho, like when sites asks you to confirm your email (twitter has that and so fb)
19:06:34 <asn> this one: https://lists.torproject.org/pipermail/tor-dev/2017-December/012656.html
19:06:36 <antonela> http://design.firefox.com/photon/components/message-bars.html
19:06:37 <asn> (heddha ^)
19:06:41 <tjr> Sure, but that's a page bar, part of page content, we're building it as part of trusted browser chrome
19:06:47 <asn> seems to use SSL certs; haven't tested it.
19:07:07 <isabela> tjr: ahh you mean the site owner only can control it?
19:07:13 <antonela> ooohh
19:07:17 <isabela> ohhh
19:07:23 <tjr> isabela: the opposite kinda
19:07:46 <tjr> Browser chrome is essentially 'trusted UI a website can never spoof' that's where you put the padlock and anything important
19:07:57 <isabela> tjr: ahh sorry
19:08:02 <isabela> tjr: i am talking about the nytimes bar
19:08:02 <tjr> Anything in the page content can easily be spoofed by the page. (I'm not sure why a page would want to spoof this, but it's still a bad diea)
19:08:22 <armadev> right, keeping browser chrome separate from webpage is smart
19:08:31 <tjr> The tricky part is that it's really not that hard to spoof 'browser chrome' as part of a webpage :(
19:08:32 <armadev> (sorry for overloaded word 'chrome')
19:08:48 <arthuredelstein> antonela's notification bar is probably meant to be above the nytimes "World US Politics..." bar
19:08:52 <tjr> But I don't think we should be mixing things up further and making that an even harder problem
19:09:24 <tjr> arthuredelstein: Yea, I'm just pointing out a nit, but I wanted to make sure I was explaining myself coherently
19:09:29 <tjr> (I think I failed but...)
19:09:41 <isabela> arthuredelstein: yes i think so too
19:09:53 <arthuredelstein> But even if the notification bar is at the top, I suppose it could still be spoofed by content.
19:10:01 <isabela> tjr: i see what you mean, i think that the bar is what arthuredelstein mentioned
19:10:04 <arthuredelstein> We use the same kind of notification bar to warn users not to maximize the window.
19:10:09 <antonela> yes, arthur you are right!
19:10:12 <isabela> antonela: yes
19:10:13 <isabela> that one
19:10:15 <isabela> opes
19:10:16 <arthuredelstein> It's part of chrome and it pushes down the content page
19:10:17 <isabela> arthuredelstein:
19:10:20 <isabela> yes
19:10:23 <tjr> Regarding heedha's email - the interesting thing to me about their email was that it allowed redirection to take place before HTTP occured. That meant that any cookies or anything else would never be sent to the website.
19:10:25 <isabela> that is the bar we are thinking
19:10:39 <tjr> For TB that's not as big a concern though, the user won't have cookies.
19:11:01 <tjr> However the redirection was automatic, no chance to get the user to confirm without either sending HTTP or blocking page load
19:11:14 <antonela> sorry for the confusion! https://share.riseup.net/#Kq5Zijf6p3MuaxoT-26MXg is the right one
19:11:39 <asn> tjr: right
19:12:09 <asn> tjr: i guess doing it as part of SSL is a different design, with its own drawbacks and positives. probably a later step than a simple HTTP header i'd say
19:12:14 <asn> antonela: aha
19:13:03 <GeKo> asn: agreed
19:13:10 <isabela> ok, giving the bar behaves the right way (like TB does for screensizes) - asn still has to work on the proposal for the backend of this ?
19:13:33 <tjr> Yea, the main thing about SSL is there's no real opportunity for user confirmation. So if that's a sticking point, I think any SSL-based mechanism is off the table
19:13:36 <asn> yeah i guess since somehow #21952 became the topic now, it means i should prioritize the backend proposal
19:13:46 <asn> i think i can do the revisions within this week
19:14:16 <isabela> and antonela will play with the purple
19:14:18 <isabela> :)
19:14:19 <GeKo> sounds good. it'll be the first tor browser proposal i guess :)
19:14:21 <antonela> yes!
19:14:34 <asn> great
19:14:36 * antonela is adding this mock to the ticket
19:14:40 <asn> ok so i guess that's it for #21952?
19:14:42 <arthuredelstein> Another design for asking for user confirmation could be a doorhanger. The top of the doorhanger overlaps with the chrome area and can't be spoofed.
19:14:43 <isabela> antonela: maybe change the (i) for a little onion
19:14:43 <isabela> heheh
19:14:46 <isabela> anw!
19:14:51 <antonela> next move isa!
19:14:52 <antonela> haha
19:15:23 <antonela> asn: yes, it is
19:15:26 <asn> aight
19:15:29 <asn> so #23247 is next i guess
19:15:33 <isabela> yep
19:15:43 <isabela> sorry i havent organized the icons with copies etc
19:15:46 <asn> there are discussions to be had here both on from a security PoV and from a UX PoV
19:16:23 <GeKo> arthuredelstein: i think what works best could easily be done with some user studies
19:16:29 <asn> i havent done my homework very well either here
19:16:35 <GeKo> but, yes, there is not just the navigation bar
19:17:00 <asn> but it seems like debate on this ticket is currently about what kind of indicator should be on an HTTP onion with self-signed cert
19:17:15 <isabela> arthuredelstein: (i am not sure what is 'doorhanger')
19:17:26 <antonela> isa: http://design.firefox.com/photon/components/doorhangers.html
19:17:29 <asn> i *think* that antontela's mockups had a yellow onion, and tjr argued that this indicates a warning state
19:17:30 <isabela> tx
19:17:46 <antonela> yes, i made a couple of options using onions
19:17:50 <asn> and then tjr was flinging between having it be a grey onion, or a green onion
19:18:20 <arthuredelstein> GeKo: I simply meant a doorhanger could be useful if we are worried that content might spoof the notification bar. UX is of course also possibly an issue.
19:18:44 <isabela> (i think doorhanger will be used for .onion states and the circuit - might get too much if also used for redirecting the sites)
19:18:47 <tjr> The introduction of an onion icon has added a lot more possibilities
19:19:00 <isabela> tjr: yes!
19:20:12 <isabela> antonela: is the url in the ticket the last version?
19:20:16 <isabela> antonela: for the .onion states
19:20:18 <antonela> https://trac.torproject.org/projects/tor/attachment/ticket/23247/padlock%20states%20FF%20and%20TB.png
19:20:21 <isabela> tx
19:20:32 <tjr> I am attempting to reboot my outline in the pad
19:20:58 <asn> btw can anyone tell me what sort of person uses a self-signed cert on their onion?
19:21:10 <arthuredelstein> isabela: I just noticed that some folks at Mozilla are apparently trying to replace notification boxes with door hangers: https://wiki.mozilla.org/Firefox/Projects/Doorhanger_notifications/Notification_box_issues
19:21:16 <asn> under what kind of setup does it provide benefits?
19:21:21 <isabela> arthuredelstein: !
19:21:25 <antonela> arthur: yes they are!
19:22:15 <tjr> asn: Hm. Yea I'm not sure. it's much more likely they would serve a CA issued cert with no valid onion name
19:22:20 <arthuredelstein> They also mention the spoofing issue
19:22:24 <isabela> antonela: need to think on how all that will work (.onion states, circuit, onion site redirect notification inside of a door hanger)
19:22:24 <tjr> But there are a few people who hate CAs and just use self signed
19:22:37 <tjr> Also, actually, lots of Chinese websites use self-signed certs
19:23:19 <asn> tjr: but IIUC they do that to provide some sort of best-effort end-to-end encryption, which onions already providwe
19:23:36 <antonela> isabela: this is why we are here with devs lol
19:23:41 <asn> seems like SSL for onions is mainly for authentication purposes, and with no PKI (i.e. CAs) there is no auth?
19:24:00 <asn> im saying this things to argue that self-signed http onions should have grey onion
19:24:12 <asn> and then CA-signed http onioons should have green onion
19:24:19 <isabela> antonela: hehe
19:24:41 * asn gets educated about browser doorhangers
19:24:48 <tjr> asn what should http onion have?
19:25:06 <asn> grey onion
19:25:10 <antonela> i made an orange one, which seems warning BUT grey could work too
19:25:14 <asn> i.e. no benefit for self-signed cert
19:25:33 <antonela> official Firefox use of color -> http://design.firefox.com/photon/visuals/color.html
19:25:35 <asn> oh
19:25:47 * asn gets educated about official firefox use of color
19:25:50 <tjr> So the only complaint I have with that is that we are saying "a CA signed DV cert using the regular internet is more secure than an onionsite" - I don't think that's true :)
19:25:55 <isabela> asn: lots of rules :)
19:26:36 <antonela> we can break the rules of course, but just if it gives any benefit to users
19:26:41 <asn> purple for privacy. nice!
19:26:49 <antonela> YES
19:27:00 <isabela> yes!
19:27:05 <isabela> !!
19:27:06 <asn> tjr: hm
19:27:18 <asn> tjr: that's if you ignore the distinction between padlock and onion, right? :)
19:27:26 <asn> but i get your point
19:27:33 <tjr> I suppose, yes. I'm going primarily by color
19:27:36 <isabela> antonela: between gray and purple i would go with purple but for the other things i would use yellow and green
19:28:12 <asn> purple onion for self-signed or http, and green onion for CA SSL+onion ?
19:28:17 <antonela> yes exactly, this is an example of breaking rules. A violet onion will give us a clear brand presence
19:28:22 <tjr> FWIW I discovered there are more padlock states in FF than I thought.  There are: Green Padlock with EV Banner; Green Padlock; Green Padlock with a warning icon; Grey Padlock with a warning icon; Grey Padlock with a red strikethrough
19:28:27 <isabela> (going primary by color might mess things up for color blind ppl)
19:28:47 <GeKo> yeah, see richard's comment on the ticket
19:28:51 <antonela> yes
19:29:00 <tjr> isabela: Yes, that's true.
19:29:12 <antonela> so for critical situations like an untrusted onion we can have an specific icon
19:29:17 <antonela> not just a warning color
19:29:22 <tjr> I think we can solve the colorproblem though - adding a icon to the padlock indicates the status
19:29:24 <isabela> antonela: yes
19:29:31 <tjr> Take a look at the riseup pad in my section at the bottom
19:29:49 <tjr> I have examples of the FF icons (You may need to be using FF beta or release to see the nuances in them all)
19:30:14 <tjr> So adding a little triangle warning indicates warning, and adding a strikethrough indicates 'bad'
19:30:19 <isabela> i think i got those here too
19:30:20 <isabela> https://docs.google.com/document/d/1KHkj2DpmFMB0mjHEfehD5ztY2L0lQzKNtZqct1TXbmg/edit
19:30:30 <isabela> but i have less
19:30:31 <isabela> hehe
19:30:58 <tjr> You're only missing the EV Banner one and the *very* weird green+warning one
19:31:50 <isabela> yep i will fix all that
19:32:01 <isabela> and update with all FF states and the ones antonela is doing
19:32:10 <antonela> yes!
19:32:51 <asn> tjr: i think after our analysis, we have ended up with 2-3 different schemes for the colors
19:33:09 <asn> tjr: perhaps we should explicitly list these different schemes, and detail their positives/negativesa?
19:33:16 <isabela> yes
19:33:18 <asn> to help us decide which one is better for us? (since there is no best)
19:33:18 <isabela> i would like that
19:33:29 <antonela> yes!
19:33:58 <asn> i dont think we should do this now, but i think we can easily do it before next mtng or whatever
19:34:50 <isabela> yes
19:34:57 <isabela> just ping us when its there
19:35:04 <isabela> i think that will help me and antonela a lot
19:35:09 <antonela> we will update the spreadsheet with all the different behaviours so we can review each of them next week
19:35:09 <asn> noted
19:35:11 <antonela> yes
19:35:18 <tjr> Okay so I think the two things I am stuck on are:
19:35:35 <tjr> 1) Would we ever want to show a padlock and an onion like richard's screenshot?
19:35:59 <tjr> 2) asn's idea that HTTP and self-signed onions should be 'grey' while ca-signed onions should be 'green'
19:36:35 <asn> hm
19:36:40 <asn> if we do (1) we open a whole new world of possibilitiesw
19:36:52 <asn> (onion denotes onion service status, padlock denotes ssl status)
19:36:53 <isabela> i think we will end up doing both right?
19:36:57 <isabela> like color and icons mixed up
19:36:59 <isabela> to pass the msg
19:37:10 <antonela> tjr: 1) I would prefer we don't ->  [i] [onion] or [i] [padlock]
19:37:28 <tjr> I would also prefer we don't put two icons.
19:37:35 <isabela> no
19:37:38 <isabela> not two icons
19:37:43 <asn> ok great
19:37:46 <isabela> i thought it was more like
19:37:48 <asn> seems like we have consenss here
19:38:00 <antonela> [i] [onion] [padlock] isn't confusing?
19:38:00 <antonela> +1
19:38:01 <isabela> the Onion with a little padlock on it or something, as a single icon
19:38:22 <isabela> because of the whole going only by color - messing color blind folks
19:38:38 <asn> tjr: wrt (2) i suggested that because my understanding is that the alternative (self-signed onion and ca-signed onion both 'green') is also problematic
19:38:42 <isabela> s/messing/confusing
19:38:50 <antonela> isa: http://design.firefox.com/icons/viewer/
19:38:50 <asn> tjr: i think to resolve (2) we need to go over the possibilities and write positives/negatives
19:39:07 <antonela> check the permissions set. Critical actions has an specific icon
19:39:29 <tjr> I documented the states (began documenting?) in the pad at the bottom
19:39:56 <isabela> antonela: i mean like how you have the onion with the yellow triangulo
19:40:08 <antonela> yes, we can explore that
19:40:16 <isabela> antonela: onion with a little padlock like that
19:40:21 <antonela> yes yes
19:40:28 <isabela> cool
19:40:29 <isabela> :)
19:42:53 <asn> ok guys i need to get out in a bit
19:42:56 <asn> should we summarize?
19:43:32 <isabela> i would say, if you can get the rhaps we should explicitly list these different schemes, and detail their positives/negativesa?
19:43:39 <isabela> sorry
19:43:43 <isabela> bad pasting
19:43:46 <isabela> but
19:43:51 <isabela> 1. list of different schemes
19:43:56 <isabela> 2. update google doc
19:44:07 <isabela> 3. anto will play with different representations
19:44:14 <isabela> that is for this ticket
19:44:17 <asn> [4. asn works on #21952 backend proposal]
19:44:20 <isabela> yes
19:44:24 <asn> ok sounds good
19:44:26 <asn> that seems reasonable to me
19:44:33 <antonela> circuits are not here today?
19:44:43 <GeKo> ?
19:44:49 <antonela> this one #24309
19:44:57 <GeKo> no, not today
19:44:57 <isabela> no :)
19:45:00 <antonela> oh cool
19:45:00 <asn> hm thats not even on the pad?
19:45:15 <isabela> that is more GeKo and arthuredelstein
19:45:18 <asn> ack
19:45:18 <isabela> but we can do it next week
19:45:19 <isabela> :)
19:45:21 <asn> ok great
19:45:26 <asn> next meeting next week or next next week?
19:45:35 <asn> (too much nexting)
19:45:42 <isabela> i mean, me and antonela can follow up with TB another time
19:45:43 <isabela> on that one
19:45:47 <isabela> hehehe
19:45:58 <antonela> yes :)
19:46:08 <GeKo> asn: next week a bunch of people are at the all hands meeting
19:46:34 <asn> ok so let's do two weeks from now
19:46:36 <GeKo> thus, guess next nexet might be better although i will already be traveling
19:46:52 <GeKo> (christmas stuff)
19:47:41 <asn> hm ok
19:47:47 <asn> if u cant do it that day geko, maybe send mail to thread?
19:47:53 <isabela> we can pick another week day
19:47:57 <asn> i doubt we can find a better date right now
19:48:08 <isabela> yeah
19:48:11 <isabela> we can do via email
19:48:13 <isabela> doodle etc
19:48:21 <asn> yes that always works great! (j/k)
19:48:25 <asn> ok ending the meeting!
19:48:26 <isabela> lol
19:48:27 <asn> #endmeeting