Re: [Tails-ux] Security by designation and Tor Browser

Author: sajolida
Date:  
To: Tails user experience & user interface design
Subject: Re: [Tails-ux] Security by designation and Tor Browser
intrigeri:
> Hi,
>
> sajolida wrote (21 Sep 2015 09:52:17 GMT) :
>> [Putting tails-dev in copy once as I'd like to have technical insights.]
>
> ... and dropping it since you said "once" :)
>
> I'm glad you're interested in this topic! And I'm glad that people
> writing papers are on it as well. I've not read the paper yet but
> I definitely will, as that's something I've been following for
> a couple of years and am very excited about :)


I'm very glad to realize that you have been following similar efforts
already!

>> What would be better in terms of UX (and possibly better in terms of
>> security as well) would be to have Tor Browser with strictly no access
>> to personal files by default (not even these two folders) and infer from
>> the user interactions (where to download, what to upload) on which files
>> or folders to grant read or write permissions.
>
> That's exactly what some GNOME people are working on (for the
> "sandboxed apps" thing, with the "portal" concept iirc) and same on
> the Ubuntu/AppArmor front (main usecase = the "click apps" for the
> Ubuntu phone). I'm tracking their work and have been trying to keep
> our design doc minimally up-to-date wrt. the progress they make:
>
> https://tails.boum.org/contribute/design/application_isolation/
> ("User experience matters" section)


Cool, and in
https://mail.gnome.org/archives/gnome-os-list/2015-March/msg00010.html,
Alexander Larsson is mentioning the same idea (Implicit permission
grants from interactive operations) as "the one we need to focus on".

>> What underlying technical limitations prevent us from doing something
>> like this?
>
> In theory: none.
>
> In practice, right now: the software needed to mediate interaction
> with the filesystem in that way is either non-existing or not mature
> yet. I'm keeping an eye on it. I'd love it if someone tested the
> current best free software implementations and reported back about
> UX aspects.


I'm happy to test stuff but it seems too early on GNOME.

>> Would this imply a major change in the way GNOME interacts
>> with applications regarding browsing files?
>
> Yes. It would need to access it by using an API over IPC to some other
> process that itself has access to the actual files.


Understood.

>> Would this imply having dynamic AppArmor rules?
>
> No need for dynamic AppArmor rules, just a privileged helper and
> proper IPC.
>
>> Is that possible at all?
>
> That seems entirely possible and quite some work.
>
>> See also the image in attachment.
>
> That's exactly what the GNOME and Ubuntu people are working on, so
> everybody seems to be on the same page -- now I want to read the paper
> even more :)
>
> Also see the recent updates I did on
> https://tails.boum.org/blueprint/Linux_containers/ since the Subgraph
> people have put a bit of thought into Oz and it achieves a slightly
> better UX/security balance than what we're doing right now, at least
> for Totem and Evince. For the Tor Browser I don't think their approach
> would buy us much, though.
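The "privileged helper and proper IPC" design discussed above, reduced to a runnable sketch. This is an added example and is not code from the thread, from Tails, or from the GNOME or Ubuntu portal work. It assumes a Unix socket between a sandboxed app and a helper that owns filesystem access: the app never names a path, it only asks for "a file to open" or "a file to save to"; the helper runs the file chooser (simulated here by a constructed `user_choice` callback), and the user's pick comes back as an open file descriptor passed with SCM_RIGHTS. That fd is the implicit, per-file grant, so no static rule listing folders is needed. The sample files, their contents and the chooser stand-in are all constructed for the example; enforcing that the app cannot open paths on its own is the sandbox's job and is not shown here. Requires Python 3.9+ on a Unix-like system for `socket.send_fds` / `socket.recv_fds`.

```python
import os
import socket
import tempfile
import threading


def run_helper(sock, user_choice):
    """Privileged helper: the only side with filesystem access.

    `user_choice(request)` stands in for the interactive file chooser
    (constructed for this example). It returns a path the user designated,
    or None if the user cancelled. Only a designated file is ever handed out.
    """
    while True:
        data = sock.recv(256)
        if not data:  # app closed its end; helper exits
            return
        request = data.decode()  # "open" or "save"
        path = user_choice(request)
        if path is None:
            sock.send(b"DENIED")  # cancelled chooser: nothing is granted
            continue
        if request == "open":
            flags = os.O_RDONLY
        else:
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        fd = os.open(path, flags, 0o600)
        try:
            # The open fd travels as ancillary data (SCM_RIGHTS); the app
            # receives a capability to this one file, never the path.
            socket.send_fds(sock, [b"GRANTED"], [fd])
        finally:
            os.close(fd)  # helper drops its copy; the app now owns one


def app_request(sock, request):
    """Sandboxed app side: ask for a file, get back a file object or None."""
    sock.send(request.encode())
    msg, fds, _flags, _addr = socket.recv_fds(sock, 256, 1)
    if msg != b"GRANTED" or not fds:
        return None
    return os.fdopen(fds[0], "rb" if request == "open" else "wb")


def demo():
    """Run one open (granted) and one save (cancelled) through the helper."""
    tmp = tempfile.mkdtemp()
    secret = os.path.join(tmp, "secret.txt")  # constructed: never designated
    chosen = os.path.join(tmp, "chosen.txt")  # constructed: the user's pick
    with open(secret, "w") as f:
        f.write("not for the browser\n")
    with open(chosen, "w") as f:
        f.write("user picked this\n")

    def user_choice(request):
        # Constructed chooser stand-in: picks chosen.txt on "open",
        # cancels on "save". secret.txt is never reachable this way.
        return {"open": chosen}.get(request)

    app_side, helper_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    helper = threading.Thread(target=run_helper, args=(helper_side, user_choice),
                              daemon=True)
    helper.start()

    f = app_request(app_side, "open")
    opened = f.read() if f else None
    if f:
        f.close()
    saved = app_request(app_side, "save")  # user cancelled -> None
    app_side.close()
    helper.join(timeout=2)
    return opened, saved


if __name__ == "__main__":
    print(demo())
```

The app side of the protocol has no path-handling code at all, which is the point: every file it can touch arrived as an fd chosen by the user at the moment of the interaction, and the helper's chooser is where policy (which folders to show, whether to allow writes) lives.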