Are the security risks introduced by Vidalia-like tools worth it?

In #9366 (closed) we have concluded that as long as we run Vidalia (or anything similar, like Tor Monitor in the future) we must assume that a compromised amnesia user also means that the attacker has full access to Vidalia and hence Tor’s full circuit/connection state.

It seems we have two options:

  • Prefer security: uninstall Vidalia, scrap the Tor Monitor plans, and never enable the circuit view in the Tor Browser.
  • Prefer usability: keep Vidalia/Tor Monitor, and then we can also enable the circuit view in the Tor Browser.
  • (Secret third option: make this configurable in the Greeter… eh. :S)

Let the battle between security nerds and UX people begin!

Original created by @anonym on 10339 (Redmine)