19:03:21 <GeKo> #startmeeting security settings redesign 19:03:21 <MeetBot> Meeting started Wed Nov 7 19:03:21 2018 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:03:21 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 19:03:25 <GeKo> alright 19:03:39 <GeKo> antonela: do you want to summarize where we are right now? 19:03:47 <antonela> yep sure 19:03:52 <GeKo> and what open questions we still have and need to tackle? 19:04:14 <antonela> just in case, here is geko's proposal https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101-security-controls-redesign.txt 19:04:49 <antonela> 2.1.1 Removing HTTPS Everywhere and NoScript from the Toolbar - OK 19:05:28 <antonela> 2.1.2 Showing Security Slider State - I made a proposal https://trac.torproject.org/projects/tor/ticket/25658#comment:48 19:05:47 <antonela> basically, we want to expose the status of the security setting at the main UI 19:06:05 <antonela> 2.1.3 Reorganizing the Toolbar - OK 19:06:08 <arthuredelstein> hi everyone! 19:06:20 <antonela> 2.2 Dealing with Per-Site Security Settings - here we come 19:06:46 <antonela> we should talk about it 19:07:03 <antonela> 3.x Restore Default Security Settings - is not in the proposal, but i suggested a user flow for it 19:07:26 <antonela> 2.1.2.X Change Security Level and Restart to Apply Changes - is not at the proposal, but i made a suggestion too 19:07:59 <antonela> so basically we need to talk about 1. all good with that icon? 2. per-site security settings 19:08:11 <antonela> GeKo please, jump if im missing anything 19:09:08 <antonela> i made a quick prototype to see how the icon opens the global settings -- https://marvelapp.com/a66fg97/screen/50052842 19:10:44 <mcs> R.e. the prototype, I did not realize that the newest thinking was that there would not be a toolbar dropdown. 19:11:10 <mcs> I liked it better with the dropdown. Directly opening about:preferences seems too abrupt somehow. 19:11:49 <antonela> mcs what should we have in the dropdown? the previous version included some description about what we are enabling and what not 19:12:10 <GeKo> antonela: what is the difference between safer and safest icon-wise? (i am looking at 25658-8.png) 19:12:19 <antonela> there is not 19:12:21 <mcs> antonela: yes, that kind of status information. 19:13:41 <GeKo> antonela: how do users see easily on which security level they are then? 19:15:14 <antonela> mcs https://share.riseup.net/#E24D-DsXdWxJ5Wn9ABhDTg this one 19:15:18 <GeKo> (+ i agree with mcs that we should avoid just color-coding the security level) 19:15:58 <mcs> antonela: yes, that is what I expected to see when I click the toolbar icon. 19:16:06 <mcs> s/click/clicked/ 19:16:34 <antonela> GeKo, do you want the doorhanger too? 19:20:06 <GeKo> so, doorhanger woul dmean it opens some thing informing users about the security state by including info about what it does and gives the optin to open something in about:preferences where users can select different levels? 19:20:35 <antonela> yes 19:20:41 <GeKo> (instead of just opening about:preferences directly) 19:20:44 <antonela> yes 19:20:55 <GeKo> i think i don't have a strong opinion here 19:21:09 <GeKo> i am fine starting either way and see how it goes 19:21:14 <antonela> which is the same information we will have in about:preferences#security 19:21:16 <antonela> about the difference between safer and safest, the security level behavior will change depending on how we will allow js or active content temporary, so i'm not sure if makes sense on having a different color/label for the two highest levels. If we have the door hanger, we could have more info there. 19:22:10 <GeKo> antonela: that's true that users change things but we are talking about the defaults 19:22:32 <GeKo> i mean if users think they should deviate from those, that's fine 19:22:40 <GeKo> but i don't think we should optimize for that case 19:22:42 <mcs> My argument for the doorhanger is that opening and dismissing a doorhanger is lower cost for the user. It also discourages people from messing around in about:preferences. 19:23:31 <GeKo> good point 19:24:36 <brade> I like the door hanger because it’s not as overwhelming as taking users directly to about:prefferences#security 19:24:52 <antonela> yes 19:24:59 <arthuredelstein> I think the idea of putting it in about#preferences was to emphasize that the security settings are global 19:25:00 <antonela> okey, lets go with the doorhanger 19:25:01 <pospeselr> +1 keeping users out of about preferences seems like a good idea 19:25:31 <arthuredelstein> ...and also to discourage users from changing the global settings too often 19:25:52 <brade> arthuredelstein: I don’t have a problem taking users there if they know that’s what they want 19:26:03 <GeKo> yes, you get both with the doorhanger, though 19:26:53 <arthuredelstein> and would the per-site settings be in the same doorhanger? Or in the identity box doorhanger? 19:26:55 <GeKo> fwiw: the button on the toolbar already indicates that this is a global thing 19:27:33 <antonela> arthuredelstein: ha! 19:27:34 <GeKo> i think we should follow firefox here and put that in the identity box 19:27:46 <antonela> yes, im with geko 19:27:55 <GeKo> where all the other permissions are dealt with 19:28:00 <mcs> +1 19:28:10 <antonela> and then we have https://marvelapp.com/a66fg97/screen/50052852 19:28:41 <arthuredelstein> That makes sense to me. I guess I'm thinking by analogy there is a "gear" icon in the Tracking Protection section of the identity box doorhanger. That takes the user to about:preferences for the global tracking settings 19:29:17 <arthuredelstein> (in Firefox) 19:30:03 <arthuredelstein> But maybe in this case it would open the other doorhanger? 19:30:15 <antonela> oh no 19:30:18 <GeKo> no 19:30:32 <antonela> the gear should keep the same behaviour, now in FF is going to about:preferences#privacy 19:30:54 <GeKo> when does the gear showing up? 19:31:05 <GeKo> because i can't see it right now 19:31:11 <antonela> always 19:31:15 <GeKo> no 19:31:30 <GeKo> i don't have it in my tor browser 19:31:32 <arthuredelstein> What I'm wondering is: if we have a section for per-site Security Permission in Tor Browser, do we want a gear icon to take the user to the global Security Settings? 19:31:40 <arthuredelstein> It doesn't exist in Tor Browser right now. 19:31:54 <arthuredelstein> But something to show the connection between per-site and global settings might be helpful 19:32:00 <antonela> FF63 - https://share.riseup.net/#FcwKCEU3N_rRcZ2CcRP7AQ 19:32:02 <arthuredelstein> Just as is done for Tracking Protection in Firefox 19:32:10 <mcs> Following Firefox’s lead to have a gear icon that takes users to the settings may make sense. 19:32:43 <arthuredelstein> (In antonela's screenshot, Content Block ~== Tracking Protection) 19:32:47 <GeKo> hm 19:32:57 <mcs> On the other hand, it could cause some confusion. 19:33:18 <mcs> e.g., temporary site-specific settings vs. global security level. 19:33:18 <GeKo> i wonder if we can cross that bridge when switching to esr68? 19:33:45 <GeKo> i mean it seems this "feature" is not in esr60 yet 19:34:26 <GeKo> arthuredelstein: what do you mean with "connecion between per-site and global settings"? 19:34:35 <GeKo> you have the icon for global setting on the toolbar 19:34:49 <GeKo> and if you are opening the identity box you see your permissions 19:35:02 <GeKo> as done in firefox 19:35:40 <arthuredelstein> Well, there is a relationship between the two things. When you adjust the per-site setting you are moving off the standard global setting. 19:35:59 <arthuredelstein> JavaScript is disabled, for example, because the global setting is "Safest". 19:36:46 <antonela> in that case so, the tor browser user is willing to make a video call in jitsi. Tor Browser is at one of the highest security level. Tor Browser will ask permissions for a camera, a micro and the security feature will offer to temporary allow js. 1. is that how will we deal with per-site settings 2. makes sense to have those 2 permissions under the same permissions category? 19:37:16 <arthuredelstein> They're not exactly the same kind of permission. One is a "privacy risk" and the other is a "security risk". 19:38:16 <GeKo> what is a "security risk" and "what is a privacy risk"? 19:38:53 <arthuredelstein> If you are on high security, then you are disabling javascript because it is a "security risk" (a risk of rce) 19:39:51 <arthuredelstein> But camera permission is unrelated to that. Firefox requires browsers to give camera permission because giving every website direct access to your camera without permission would be a privacy disaster. 19:40:04 <arthuredelstein> But not necessarily an rce risk. 19:40:32 <arthuredelstein> So it might be helpful to make this clear to users somehow. 19:41:15 <GeKo> well in the permissions section all sorts of permissions are grouped together 19:41:39 <antonela> content block *is* the new iteration of tracking protection > https://support.mozilla.org/en-US/kb/tracking-protection 19:41:56 <antonela> they have their own section at the control center for their new brand feature 19:42:37 <GeKo> hm, i think i lose some understanding how this relates to what we need to decide in this meeting 19:43:22 <GeKo> what is the issue here? 19:43:40 <GeKo> why can't we just show the permissions the user set as on antonela's mockup? 19:43:50 <antonela> we can! 19:43:59 <GeKo> great! 19:44:45 <GeKo> if we think users allowing things temporarily should get "notified" about that in the toolbar icon 19:44:51 <GeKo> we can think about it 19:45:05 <antonela> in FF for example, when they allow some thing temporary per site, they have this select 19:45:05 <antonela> https://share.riseup.net/#wMOphnuxCsY7RvGh0_hPvw 19:45:14 <GeKo> e.g. do we currently have a custom mode that kicks in once a user flips a preference governed by the slider 19:45:33 <antonela> yes, what i'm thinking is if we deserve our own space in that control center, not under permissions 19:46:16 <antonela> but hey, we can make this feature grow and think about it in next iterations, I'll be extremely happy if we have *some* per-site permissions to improve websites rendering 19:46:55 <GeKo> antonela: i am fine if we want to group slider related permissions in an own group 19:47:15 <GeKo> might be worth it and might make things clearer 19:47:17 <antonela> slider R.I.P - security permissions? 19:47:48 <GeKo> what do you mean? 19:48:19 <antonela> i mean if that group could be called "Security Permissions" or ? 19:49:40 <GeKo> hm 19:49:53 <mcs> The section could be called “Filtered Features” :) 19:50:27 <antonela> could be! 19:50:34 <mcs> More seriously, reusing “Permissions” could be confusing. 19:50:50 <mcs> (I don’t really like “feature filter” though) 19:51:10 <GeKo> antonela: what about not having a name for it but just a separator? 19:51:17 <antonela> i like it 19:51:23 <antonela> i'll try it, may works 19:51:23 <GeKo> to show that it is something different at least 19:51:41 <antonela> about per-site settings, just JS and Active Content is ok? i have some icons for those but i need to work a little more on them 19:53:22 <antonela> and then, do you think we could have a list of cases when we are going to suggest/allow temporary js and active content on the two highest levels? 19:53:36 * antonela needs to run in 4 minutes 19:54:20 <GeKo> antonela: i like arthur's idea for just exposing js and active content, yes 19:54:53 <GeKo> i think i don't understand the second question, could you rephrase? 19:55:36 <antonela> yes, when are the scenarios we are going to suggest/allow temporary permissions per-site? 19:55:41 <antonela> when/which 19:55:51 <GeKo> antonela: oh, and what about the icon concerns? 19:56:34 <antonela> exactly, i want to map/make mocks for each case, so if we are allowing js we should have js icon at the nav bar 19:56:57 <GeKo> antonela: i don't know yet because part of this iteration is fixing bugs on the behavior of the safer level e.g. that should make those suggestions not needed 19:57:08 <antonela> i see 19:58:07 <antonela> okey, so, I'll update tomorrow an updated mockup with the doorhanger and I'll work on those icons 19:58:33 <antonela> and could we meet again next week? 19:58:41 <GeKo> i am not sold yet to the idea of showing the permissions directly on the toolbar icon 19:58:54 <GeKo> i fear it might be too confusing 19:59:05 <antonela> yep, me either 19:59:05 <GeKo> but maybe it works, dunno 19:59:12 <GeKo> let's test it! 19:59:16 <antonela> this is why i want that list, to test it 19:59:17 <antonela> yes 19:59:32 <GeKo> well you don't need that list 19:59:48 <antonela> i don't, but i would like to see how it looks 19:59:56 <GeKo> just use the icon once the user sets the permission no matter what the reason is 20:00:30 <antonela> and then you are using jitsi, you blocked cam and phone and allowed js and you have 4 icons in your toolbar 20:00:37 <antonela> there are a lot of scenarios 20:00:49 <GeKo> well that scenario is a non issue :) 20:00:56 <antonela> ha 20:00:58 <GeKo> jitsi is not working in tor browser 20:01:04 <antonela> i know 20:01:11 <antonela> lets say youtube or whatever 20:01:18 <GeKo> but, sure, it gets comlicated quickly :) 20:01:22 <GeKo> *complicated 20:01:25 <antonela> yep 20:01:33 <GeKo> okay, yes, fine with me with meeting again next week 20:01:44 <antonela> perfect 20:01:48 <GeKo> i think we have the release meeting at this time, though 20:01:49 <antonela> geko we are close! 20:01:54 <GeKo> YES! 20:01:56 <antonela> jijij 20:01:57 <antonela> :D 20:02:00 <antonela> ineed to run 20:02:04 <antonela> thanks people! 20:02:15 <GeKo> okay, we'll figure out a time this week 20:02:19 <GeKo> o/ 20:02:24 <GeKo> thanks all! 20:02:29 <GeKo> #endmeeting