On 10/4/2011 4:38 PM, Robert Ransom wrote:
On 2011-10-04, Joe Btfsplkjoebtfs...@gmx.com wrote:
I've thought about TBB it insecurely deleting files such as cache when
closing TBB Firefox. I assume this is what happens - I've investigated
- a BIT - seems that's what it does.
If you have evidence that TBB-Firefox stores sensitive information to
disk without a user asking it to, please file a bug report. One of
the main design goals of Torbutton was to prevent Firefox from ever
writing sensitive information to disk (unless a user has specifically
asked it to, e.g. by changing Torbutton's configuration or adding a
bookmark to Firefox). See section 1.2 of
https://www.torproject.org/torbutton/design/ .
*Is this correct?*
I can't tell because you didn't tell us what files you think
TBB-Firefox writes which contain sensitive information.
If true, there's no opportunity to securely wipe the files, rather than
them being insecurely deleted - unless I'm mistaken. AFAIK, Tor has no
secure wiping capability built in.
Neither Tor nor TBB attempts to securely erase files, because most
filesystems in use on most operating systems (and many modern storage
devices) make securely erasing files infeasible.
Robert, your points are well taken [repeatedly :) ]. You overlooked
some possibilities or I wasn't clear.
*One * example: Using TBB, if no sites one wants to visit require
cookies to operate correctly - or at all, that's fine. But lots of
sites won't work correctly w/o cookies. The assumption is perhaps
cookies from sites that might get someone in trouble, but is just as
important to some users simply for privacy / anonymity. If cookies must
be allowed - even if only for a site - w/ default settings of NOT to
clear history when Aurora closes, in Aurora, then deleting those
cookies - either thru Aurora delete history settings / UI or manually
deleting the cookies file in the profile, won't securely delete them.
You're assuming users will never have to change (any) default setting in
TBB to make sites *work.* If that were true, things would be much
simpler. I agree, using default settings is best, if possible. Another
assumption seems that all machines have enough RAM CPU speed / power,
to navigate / access some sites using Tor / TBB, and it not be
excruciatingly slow (or impossible), w/o using cache. Not everyone in
the U.S., much less Iraq / Iran can afford a newer, faster machine. It
would be better if TBB users don't allow caching. For older, slower
machines, streaming political videos would be difficult w/o caching. If
they just clear cache, it will be insecurely deleted. Maybe they
could d/l the file, but if they want to securely del it after (that
doesn't concern TBB, per se), they need to use secure wiping.
I'm assuming the comment about infeasibility of securely erasing files
on modern OSs, is based partly on 1) TBB being on same partition as the
OS; 2) volume shadow service (Win) or similar is in use on the partition
where TBB is running or files being stored (if any are). Many users
have only 1 partition - many don't.
I haven't read that that securely wiping * files or free space * on ANY
partitions (meaning, none) can ever be effective, IF simple precautions
are taken simple instructions are followed (esp. ones not involving
the OS partition). If you know of credible documentation that under NO
circumstances, can data be securely permanently deleted from any
location on machines, I truly want to read it, because it will change
some of my practices. Like for certain financial files, medical
records, letters to doctors, etc.
I think ? what you mentioned is one reason not to install TBB (or any
other apps or store files) on OS partition, if want to securely
permanently del info. Another option is to run apps in sandboxed
environment. That's why I don't store my vanilla Firefox profiles on
C:\ w/ Windows. Otherwise, if VSS is enabled, private data gets stored
in it.
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
