Re: [Tails-ux] Security by designation and Tor Browser

Author: intrigeri
Date:  
To: Tails user experience & user interface design
Subject: Re: [Tails-ux] Security by designation and Tor Browser
Hi,

sajolida wrote (21 Sep 2015 09:52:17 GMT) :
> [Putting tails-dev in copy once as I'd like to have technical insights.]
... and dropping it since you said "once" :)

I'm glad you're interested in this topic! And I'm glad that people
writing papers are on it as well. I've not read the paper yet but
I definitely will, as that's something I've been following for
a couple of years and am very excited about :)

> What would be better in terms of UX (and possibly better in terms of
> security as well) would be to have Tor Browser with strictly no access
> to personal files by default (not even these two folders) and infer from
> the user interactions (where to download, what to upload) on which files
> or folders to grant read or write permissions.
That's exactly what some GNOME people are working on (for the
"sandboxed apps" thing, with the "portal" concept iirc) and same on
the Ubuntu/AppArmor front (main usecase = the "click apps" for the
Ubuntu phone). I'm tracking their work and have been trying to keep
our design doc minimally up-to-date wrt. the progress they make:

https://tails.boum.org/contribute/design/application_isolation/
("User experience matters" section)

> What underlying technical limitations prevent us from doing something
> like this?
In theory: none.

In practice, right now: the software needed to mediate interaction
with the filesystem in that way is either non-existent or not mature
yet. I'm keeping an eye on it. I'd love it if someone tested the
current best free software implementations and reported back about
UX aspects.

> Would this imply a major change in the way GNOME interacts
> with applications regarding browsing files?
Yes. It would need to access it by using an API over IPC to some other
process that itself has access to the actual files.

> Would this imply having dynamic AppArmor rules?
No need for dynamic AppArmor rules, just a privileged helper and
proper IPC.

> Is that possible at all?
That seems entirely possible and quite some work.

> See also the image in attachment.
That's exactly what the GNOME and Ubuntu people are working on, so
everybody seems to be on the same page -- now I want to read the paper
even more :)

Also see the recent updates I did on
https://tails.boum.org/blueprint/Linux_containers/ since the Subgraph
people have put a bit of thought into Oz and it achieves a slightly
better UX/security balance than what we're doing right now, at least
for Totem and Evince. For the Tor Browser I don't think their approach
would buy us much, though.

Cheers,
--
intrigeri
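The "privileged helper and proper IPC" design discussed in this message, shown as an added, constructed example that is not Tails, GNOME or Subgraph code: a sandboxed app with no filesystem access states an intent ("upload" or "download"), a helper that does have filesystem access lets the user designate the file, and only the resulting open file descriptor is passed back over a Unix socket with SCM_RIGHTS. The app never learns or names a path; a request that tries to name one is refused. The request vocabulary, the `chooser` callback standing in for a trusted file dialog, and the in-process socketpair are assumptions made for the example.

```python
import array
import json
import os
import socket
import tempfile
import threading

# Intents the sandboxed app may state, and the open flags the helper uses for each.
# Assumed vocabulary for this example; not a real portal wire format.
ALLOWED_OPS = {
    "upload": os.O_RDONLY,                              # read the file the user picked
    "download": os.O_WRONLY | os.O_CREAT | os.O_TRUNC,  # write the file the user named
}

def send_msg(sock, obj, fd=None):
    """Send a JSON message; if fd is given, attach it as SCM_RIGHTS ancillary data."""
    anc = [] if fd is None else [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))]
    sock.sendmsg([json.dumps(obj).encode()], anc)

def recv_msg(sock):
    """Receive a JSON message plus any file descriptors attached to it."""
    fds = array.array("i")
    data, ancdata, _flags, _addr = sock.recvmsg(4096, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, payload in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(payload[: len(payload) - (len(payload) % fds.itemsize)])
    return json.loads(data.decode()), list(fds)

def broker_serve_one(sock, chooser):
    """Privileged helper: the only side that touches the filesystem.
    chooser(op, suggested_name) stands in for the trusted file dialog in which
    the user designates a file; it returns a path, or None if the user cancels."""
    req, _ = recv_msg(sock)
    op = req.get("op")
    if op not in ALLOWED_OPS or "path" in req:
        reply = {"ok": False, "error": "request rejected"}  # the app may not name paths
        send_msg(sock, reply)
        return reply
    path = chooser(op, req.get("suggested_name", ""))
    if path is None:
        reply = {"ok": False, "error": "user cancelled"}
        send_msg(sock, reply)
        return reply
    fd = os.open(path, ALLOWED_OPS[op], 0o600)
    try:
        reply = {"ok": True, "name": os.path.basename(path)}
        send_msg(sock, reply, fd)  # the descriptor crosses the boundary, the path does not
    finally:
        os.close(fd)  # drop the helper's copy; the in-flight message keeps its own reference
    return reply

def app_request(sock, op, suggested_name=""):
    """Sandboxed app side: state an intent, get back a bare fd or an error."""
    send_msg(sock, {"op": op, "suggested_name": suggested_name})
    reply, fds = recv_msg(sock)
    return reply, (fds[0] if fds else None)

def demo():
    """Run an upload, a download and one rejected request over a socketpair."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:  # constructed sample filesystem
        picked = os.path.join(tmpdir, "notes.txt")
        with open(picked, "w") as f:
            f.write("hello from the real filesystem\n")

        def chooser(op, suggested_name):  # stand-in for the user's choice in a trusted dialog
            return picked if op == "upload" else os.path.join(tmpdir, suggested_name or "download.bin")

        app, helper = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        with app, helper:
            t = threading.Thread(target=lambda: [broker_serve_one(helper, chooser) for _ in range(3)])
            t.start()
            # 1. Upload: the app gets a read-only fd and never sees the path.
            reply, fd = app_request(app, "upload")
            results["upload"] = os.read(fd, 4096).decode()
            os.close(fd)
            # 2. Download: the app gets a write-only fd for the name the user accepted.
            reply, fd = app_request(app, "download", "out.txt")
            os.write(fd, b"saved by the sandboxed app\n")
            os.close(fd)
            with open(os.path.join(tmpdir, reply["name"])) as f:
                results["download"] = f.read()
            # 3. An app that tries to name a path itself gets no descriptor.
            send_msg(app, {"op": "upload", "path": picked})
            reply, fds = recv_msg(app)
            results["direct_path"] = (reply["ok"], fds[0] if fds else None)
            t.join()
    return results

if __name__ == "__main__":
    print(demo())
```

In a real deployment the two ends would be separate processes, the app's side confined (for example by an AppArmor profile with no rule for the user's files) and the helper running outside that confinement; the AppArmor profile stays static, because designation is expressed by passing descriptors, not by rewriting rules.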