mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-11-27 22:12:10 +00:00

Compare commits

...

2 commits

Author SHA1 Message Date
Rohan Kumar
b8a3c85a14
New note: intentional telemetry 2022-09-26 22:41:42 -07:00
Rohan Kumar
074cfd8a41
Fix torbutton source link
Torbutton security level settings have migrated into the Tor Browser, so
update the link to the source code accordingly.
2022-09-26 21:30:01 -07:00
6 changed files with 22 additions and 5 deletions

View file

@ -8,7 +8,7 @@ Firefox's multi-process architecture was overhauled, starting with a [utility pr
They've rolled out a separate GPU process on some platforms; the roll-out will likely finish this year. They've rolled out a separate GPU process on some platforms; the roll-out will likely finish this year.
Regarding toolchain hardening: Chromium official builds use [Clang's CFI sanitizer](https://clang.llvm.org/docs/ControlFlowIntegrity.html); Firefox doesn't. However, a subset of Firefox's libraries support [RLBox sandboxing](https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/). This isn't a complete solution, but is still a welcome change. [The Tor Browser disables libgraphite on the "safer" security level](https://gitweb.torproject.org/torbutton.git/tree/modules/security-prefs.js?id=c8f7cd3fec5d5845179fcf71ad46888f2d14c8b0) due to security concerns which RLBox may have addressed. Regarding toolchain hardening: Chromium official builds use [Clang's CFI sanitizer](https://clang.llvm.org/docs/ControlFlowIntegrity.html); Firefox doesn't. However, a subset of Firefox's libraries support [RLBox sandboxing](https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/). This isn't a complete solution, but is still a welcome change. [The Tor Browser disables libgraphite on the "safer" security level](https://gitweb.torproject.org/tor-browser.git/tree/browser/components/securitylevel/SecurityLevel.jsm?id=ffdf16f3e8a44b306abd988be874a184b7de1cc6#n273) due to security concerns which RLBox may have addressed.
I'm looking forward to seeing [PID namespace isolation](https://bugzilla.mozilla.org/show_bug.cgi?id=1151624) at some point. I'm looking forward to seeing [PID namespace isolation](https://bugzilla.mozilla.org/show_bug.cgi?id=1151624) at some point.

View file

@ -0,0 +1,17 @@
---
title: "Intentional telemetry"
date: 2022-09-26T22:41:33-07:00
replyURI: "https://dizl.de/@maze/109066602774324727"
replyTitle: "Well, what else do you need an analytics tool for than to find new insights?"
replyType: "SocialMediaPosting"
replyAuthor: "@maze@dizl.de"
replyAuthorURI: "https://dizl.de/@maze"
---
Compare the two scenarios:
Scenario A: "We received a piece of user feedback to change this design to avoid errors; their suggestion was well received by other users. Let's collect some telemetry from that component to see is these issues are representative of the larger population; based on that, we'll know whether it warrants a re-design of that component."
Scenario B: "Telemetry says users never use this feature; we can remove it."
In Scenario B, telemetry prompted a decision; in Scenario A, telemetry helped understand a real specific problem. Telemetry should be used to clarify an existing insight rather than make discoveries on its own. Metrics should not be collected lightly; they should be collected with intention (and, of course, prior informed consent).
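Review bot: Typo in Scenario A: "to see is these issues are representative" should read "to see if these issues are representative". In the closing paragraph, "a real specific problem" reads more cleanly as "a real, specific problem".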

View file

@ -192,7 +192,7 @@ That microblog entry was a response to another article from which this article b
6. Torbutton aims to allow many Tor Browser users to share the same configuration. 6. Torbutton aims to allow many Tor Browser users to share the same configuration.
=> https://tb-manual.torproject.org/security-settings/ Tor security settings => https://tb-manual.torproject.org/security-settings/ Tor security settings
=> https://gitweb.torproject.org/torbutton.git/tree/modules/security-prefs.js The preferences impacted by those security settings => https://gitweb.torproject.org/tor-browser.git/tree/browser/components/securitylevel/SecurityLevel.jsm?id=ffdf16f3e8a44b306abd988be874a184b7de1cc6#n273 The preferences impacted by those security settings
7. Users of metered connections may need to block large elements. Users with accessibility needs may need to alter inaccessible pages. Users who dont speak a pages language may need to use machine translation.[8] Telling users to just “stop doing this” would be arrogant, yet all three of these examples are fingerprintable. 7. Users of metered connections may need to block large elements. Users with accessibility needs may need to alter inaccessible pages. Users who dont speak a pages language may need to use machine translation.[8] Telling users to just “stop doing this” would be arrogant, yet all three of these examples are fingerprintable.
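Review bot: Item 6 still says "Torbutton aims to allow many Tor Browser users to share the same configuration", while the link under it now points into tor-browser.git (browser/components/securitylevel/SecurityLevel.jsm) and the commit message states that the security level settings have migrated into the Tor Browser. Reword the sentence to name the Tor Browser's security levels so the prose and the link agree. The new URL also carries a single-line anchor (#n273) although the label refers to the preferences in general; confirm that line is the right landing point or drop the anchor.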

View file

@ -261,7 +261,7 @@ This article is an expansion of the ideas I presented in the microblog entry {{<
We could reduce the number of combinations by combining all the filter lists into a single list that gets updated all at once. When <var>N</var>=1, we're at just <var>V</var> possible combinations. Updates could be spread out over a longer cadence, decreasing the value of <var>V</var>. We could reduce the number of combinations by combining all the filter lists into a single list that gets updated all at once. When <var>N</var>=1, we're at just <var>V</var> possible combinations. Updates could be spread out over a longer cadence, decreasing the value of <var>V</var>.
[^6]: Torbutton aims to allow many Tor Browser users to share the same configuration. See its [security settings](https://tb-manual.torproject.org/security-settings/) and [the preferences they change](https://gitweb.torproject.org/torbutton.git/tree/modules/security-prefs.js). [^6]: Torbutton aims to allow many Tor Browser users to share the same configuration. See its [security settings](https://tb-manual.torproject.org/security-settings/) and [the preferences they change](https://gitweb.torproject.org/tor-browser.git/tree/browser/components/securitylevel/SecurityLevel.jsm?id=ffdf16f3e8a44b306abd988be874a184b7de1cc6#n273).
[^7]: Users of metered connections may need to block large elements. Users with accessibility needs may need to alter inaccessible pages. Users who don't speak a page's language may need to use machine translation.[^8] Telling users to just "stop doing this" would be arrogant, yet all three of these examples are fingerprintable. [^7]: Users of metered connections may need to block large elements. Users with accessibility needs may need to alter inaccessible pages. Users who don't speak a page's language may need to use machine translation.[^8] Telling users to just "stop doing this" would be arrogant, yet all three of these examples are fingerprintable.

View file

@ -439,7 +439,7 @@ Tor users are encouraged to set the Tor Browser's (TBB) security settings to "sa
=> https://tb-manual.torproject.org/en-US/security-settings/ TBB Security Settings => https://tb-manual.torproject.org/en-US/security-settings/ TBB Security Settings
This disables scripts, MathML, some fonts, SVG images, and other unsafe Firefox features: This disables scripts, MathML, some fonts, SVG images, and other unsafe Firefox features:
=> https://gitweb.torproject.org/torbutton.git/tree/modules/security-prefs.js Torbutton security-prefs source code => https://gitweb.torproject.org/tor-browser.git/tree/browser/components/securitylevel/SecurityLevel.jsm?id=ffdf16f3e8a44b306abd988be874a184b7de1cc6#n273 Tor Browser's source code for its security preferences
If your site has any SVG images, the Tor browser will download these just like Firefox would (to avoid fingerprinting) but will not render them. If your site has any SVG images, the Tor browser will download these just like Firefox would (to avoid fingerprinting) but will not render them.

View file

@ -483,7 +483,7 @@ Many people use Tor out of necessity. On Tor, additional constraints apply.
### Constraints of the Tor Browser ### Constraints of the Tor Browser
Tor users are encouraged to set the [Tor Browser's security settings](https://tb-manual.torproject.org/en-US/security-settings/) to "safest". This disables scripts, MathML, remote fonts, SVG images, and [other unsafe Firefox features](https://gitweb.torproject.org/torbutton.git/tree/modules/security-prefs.js). If your site has any SVG images, the Tor browser will download these just like Firefox would (to avoid fingerprinting) but will not render them. Tor users are encouraged to set the [Tor Browser's security settings](https://tb-manual.torproject.org/en-US/security-settings/) to "safest". This disables scripts, MathML, remote fonts, SVG images, and [other unsafe Firefox features](https://gitweb.torproject.org/tor-browser.git/tree/browser/components/securitylevel/SecurityLevel.jsm?id=ffdf16f3e8a44b306abd988be874a184b7de1cc6#n273). If your site has any SVG images, the Tor browser will download these just like Firefox would (to avoid fingerprinting) but will not render them.
If you must use scripts, ensure that they perform well with just-in-time (<abbr title="Just-In-Time">JIT</abbr>) compilation disabled. The Tor Browser's "safer" mode, iOS Lockdown mode, and Microsoft Edge's "enhanced" security mode all disable JIT compilation by default.[^15] If you must use scripts, ensure that they perform well with just-in-time (<abbr title="Just-In-Time">JIT</abbr>) compilation disabled. The Tor Browser's "safer" mode, iOS Lockdown mode, and Microsoft Edge's "enhanced" security mode all disable JIT compilation by default.[^15]