Re: [tor-talk] observation: Browser bundle secure files deletion
On 10/4/2011 4:38 PM, Robert Ransom wrote:
> On 2011-10-04, Joe Btfsplk <joebtfs...@gmx.com> wrote:
>> I've thought about TBB & it insecurely deleting files such as cache when closing TBB Firefox. I assume this is what happens - I've investigated - a BIT - & seems that's what it does.
>
> If you have evidence that TBB-Firefox stores sensitive information to disk without a user asking it to, please file a bug report. One of the main design goals of Torbutton was to prevent Firefox from ever writing sensitive information to disk (unless a user has specifically asked it to, e.g. by changing Torbutton's configuration or adding a bookmark to Firefox). See section 1.2 of https://www.torproject.org/torbutton/design/ .
>
>> *Is this correct?*
>
> I can't tell because you didn't tell us what files you think TBB-Firefox writes which contain sensitive information.
>
>> If true, there's no opportunity to securely wipe the files, rather than them being insecurely deleted - unless I'm mistaken. AFAIK, Tor has no secure wiping capability built in.
>
> Neither Tor nor TBB attempts to securely erase files, because most filesystems in use on most operating systems (and many modern storage devices) make securely erasing files infeasible.

Robert, your points are well taken [repeatedly :) ]. You overlooked some possibilities or I wasn't clear. *One* example: Using TBB, if no sites one wants to visit require cookies to operate correctly - or at all - that's fine. But lots of sites won't work correctly w/o cookies. The assumption is perhaps cookies from sites that might get someone in trouble, but it's just as important to some users simply for privacy / anonymity. If cookies must be allowed - even if only for a site - w/ the default setting of NOT clearing history when Aurora closes, then deleting those cookies - either thru Aurora's delete history settings / UI or by manually deleting the cookies file in the profile - won't securely delete them.
You're assuming users will never have to change (any) default setting in TBB to make sites *work.* If that were true, things would be much simpler. I agree, using default settings is best, if possible.

Another assumption seems to be that all machines have enough RAM & CPU speed / power to navigate / access some sites using Tor / TBB, and have it not be excruciatingly slow (or impossible), w/o using cache. Not everyone in the U.S., much less Iraq / Iran, can afford a newer, faster machine. It would be better if TBB users don't allow caching. For older, slower machines, streaming political videos would be difficult w/o caching. If they just clear cache, it will be insecurely deleted. Maybe they could d/l the file, but if they want to securely del it after (that doesn't concern TBB, per se), they need to use secure wiping.

I'm assuming the comment about infeasibility of securely erasing files on modern OSs is based partly on 1) TBB being on the same partition as the OS; 2) volume shadow service (Win) or similar being in use on the partition where TBB is running or files are being stored (if any are). Many users have only 1 partition - many don't. I haven't read that securely wiping *files or free space* on ANY partitions (meaning, none) can ever be effective, IF simple precautions are taken & simple instructions are followed (esp. ones not involving the OS partition). If you know of credible documentation that under NO circumstances can data be securely & permanently deleted from any location on machines, I truly want to read it, because it will change some of my practices. Like for certain financial files, medical records, letters to doctors, etc.

I think (?) what you mentioned is one reason not to install TBB (or any other apps or store files) on the OS partition, if you want to securely & permanently del info. Another option is to run apps in a sandboxed environment. That's why I don't store my vanilla Firefox profiles on C:\ w/ Windows. Otherwise, if VSS is enabled, private data gets stored in it.

___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] observation: Browser bundle secure files deletion
On 10/4/2011 9:22 AM, Julian Yon wrote:
> On 04/10/11 15:00, Advrk Aplmrkt wrote:
>> I had the exact same question about secure delete. Also, securely wiping the computer's memory is important, as sensitive data could be recovered from RAM even *after* power off... TAILS handles this: http://tails.boum.org/
>
> Using TAILS may involve a compromise, as it seems to still be on FF 3.5, whereas TBB has moved on. Like any security issue you would have to make a decision based on your own threat model.

Thanks to both.

Advrk - Good point. I'm no pure expert, but seems I've read that if the computer is POWERED off for (?) several minutes, most RAM will be cleared. Even if true, it's a bit inconvenient. IMO, the RAM issue doesn't have as much widespread potential impact as things like cache & other files not being securely deleted. ** I see that default Cache Space in Aurora is set = 0. What about people w/ slower machines that REALLY need cache? Of those needing it, I'd guess a good number *need* to securely delete it, whether they're aware or not.

Julian - TAILS handles what? Clearing RAM or securely deleting files in FF containing personal data? TAILS may be GREAT, but TBB users probably shouldn't have to rely on 3rd party apps to be secure (esp. in countries where, using TBB, the whole point of using it is (close to) complete anonymity & therefore security). They probably shouldn't have to use a 3rd party wiping prgm. Leaving files behind w/ incriminating info (from a repressive gov't's view) isn't secure or anonymous.

Regarding deciding on your threat model - one of my points is, even many Tor / TBB users don't KNOW anything about secure / insecure deletion of certain files when TBB is closed. This could also involve Vidalia / Tor files in TBB. Some don't know what a threat model is. If we're assuming only advanced users should be using Tor / TBB, then everything's fine. I'm almost positive that's NOT the developers' assumption / position.

I haven't investigated far enough yet to know what TBB / Aurora will do if, under Options > Privacy, you check the box "Clear history when Aurora closes", then UNcheck most of the items under the settings. Then after closing TBB, use a wiping prgm w/ a pre-configured task to wipe the files / folders you want. Again, avg users would have to be instructed - in plain language - not computer speak. A lot of users would *need help* knowing which files to delete that might contain personal / private data. Perhaps a list of all files potentially containing personal / private / browsing data could be listed - VERY PROMINENTLY - where all users would see it, & some instructions on how to securely delete them. Firefox no longer shows the Delete Private Data box at shutdown, but an addon, Ask For Sanitize, brings back that box, so one can see / change what's being (insecurely) deleted at shutdown. Or choose not to delete anything, then use a wiping prgm to del the files.
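The post above asks for a list of which files and settings in a TBB / Firefox profile can leave browsing data on disk. The following checker is an added example for this thread, not code from the tor-talk posters or from the Tor Project / Torbutton. It parses a Firefox profile's prefs.js (the real `user_pref("name", value);` format), flags preferences set to values that let cache, cookies, form history or session data reach disk, and reports the size of the known profile artifacts where that data lands. The preference and file names are the standard Firefox ones of the Firefox 3.x / Aurora era, but which value counts as "safe", and the artifact list, are this example's own assumptions; the sample profile it builds is constructed data.

```python
"""Audit a Firefox/TBB profile for settings and files that persist browsing data.

Added example, not part of the tor-talk thread or of Torbutton/TBB. The
preference names are standard Firefox names of the Firefox 3.x/Aurora era;
which value counts as "safe" and the artifact list are this example's assumptions.
"""
import os
import re
import tempfile

# Preferences that decide whether browsing data reaches disk.
# pref name -> (assumed safe value, what the safe value means)
DISK_PREFS = {
    "browser.cache.disk.enable": (False, "disk cache off"),
    "browser.cache.disk.capacity": (0, "disk cache size 0 KB"),
    "network.cookie.lifetimePolicy": (2, "cookies expire at session end"),
    "browser.sessionstore.privacy_level": (2, "no form/session data in sessionstore"),
    "privacy.sanitize.sanitizeOnShutdown": (True, "clear history on shutdown"),
    "browser.formfill.enable": (False, "form history off"),
}

# Profile files / directories where those settings would put data (assumed list).
DISK_ARTIFACTS = ["cookies.sqlite", "places.sqlite", "formhistory.sqlite",
                  "sessionstore.js", "Cache"]

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref("name", value); lines into {name: bool | int | str}."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue                      # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            val = True
        elif raw == "false":
            val = False
        elif raw.startswith('"') and raw.endswith('"'):
            val = raw[1:-1]
        else:
            try:
                val = int(raw)
            except ValueError:
                val = raw                 # keep unknown forms verbatim
        prefs[name] = val
    return prefs


def audit_prefs(prefs):
    """Return [(pref, current value, assumed safe value)] for risky settings."""
    findings = []
    for name, (safe, _meaning) in DISK_PREFS.items():
        if name in prefs and prefs[name] != safe:
            findings.append((name, prefs[name], safe))
    return findings


def find_artifacts(profile_dir):
    """Return {artifact name: bytes on disk} for artifacts present in the profile."""
    found = {}
    for name in DISK_ARTIFACTS:
        path = os.path.join(profile_dir, name)
        if os.path.isfile(path):
            found[name] = os.path.getsize(path)
        elif os.path.isdir(path):
            total = 0
            for root, _dirs, files in os.walk(path):
                total += sum(os.path.getsize(os.path.join(root, f)) for f in files)
            found[name] = total
    return found


def audit_profile(profile_dir):
    """Combine the prefs audit and the on-disk artifact scan for one profile."""
    prefs_path = os.path.join(profile_dir, "prefs.js")
    prefs = {}
    if os.path.isfile(prefs_path):
        with open(prefs_path, encoding="utf-8") as fh:
            prefs = parse_prefs(fh.read())
    return {"pref_findings": audit_prefs(prefs),
            "artifacts": find_artifacts(profile_dir)}


def build_sample_profile():
    """Constructed throwaway profile: a user re-enabled cache and cookies."""
    d = tempfile.mkdtemp(prefix="tbb-audit-")
    with open(os.path.join(d, "prefs.js"), "w", encoding="utf-8") as fh:
        fh.write('# Mozilla User Preferences\n'
                 'user_pref("browser.cache.disk.enable", true);\n'
                 'user_pref("browser.cache.disk.capacity", 51200);\n'
                 'user_pref("network.cookie.lifetimePolicy", 0);\n'
                 'user_pref("privacy.sanitize.sanitizeOnShutdown", false);\n')
    with open(os.path.join(d, "cookies.sqlite"), "wb") as fh:
        fh.write(b"\x00" * 4096)           # stand-in for a real cookie database
    os.makedirs(os.path.join(d, "Cache"))
    with open(os.path.join(d, "Cache", "_CACHE_001_"), "wb") as fh:
        fh.write(b"\x00" * 1024)           # stand-in for a cache block file
    return d


if __name__ == "__main__":
    report = audit_profile(build_sample_profile())
    for name, cur, safe in report["pref_findings"]:
        print(f"{name}: is {cur!r}, expected {safe!r} ({DISK_PREFS[name][1]})")
    for name, size in report["artifacts"].items():
        print(f"{name}: {size} bytes on disk (deleting it is not a secure wipe)")
```

Run it against a real profile by calling `audit_profile("/path/to/profile")`. Any artifact it reports has already been written to disk, which is the thread's point: once the data is there, deleting the file only unlinks it, so the useful check is that the preference findings list is empty before browsing, not that the artifacts are gone afterwards.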
Re: [tor-talk] observation: Browser bundle secure files deletion
On 10/4/2011 2:20 PM, Julian Yon wrote:
> Generally it's polite to read the information you've been given before responding at length. As you have not, I don't see much point in continuing trying to help you. Sorry to have to put it like that, but I'm chronically ill and don't appreciate having my time and energy wasted.
>
> Julian

I'm very sorry to hear that you're ill - so am I. I hope you get to feeling better, if not get over your illness.

Best wishes,
Re: [tor-talk] observation: Browser bundle secure files deletion
On 2011-10-04, Joe Btfsplk <joebtfs...@gmx.com> wrote:
> I've thought about TBB & it insecurely deleting files such as cache when closing TBB Firefox. I assume this is what happens - I've investigated - a BIT - & seems that's what it does.

If you have evidence that TBB-Firefox stores sensitive information to disk without a user asking it to, please file a bug report. One of the main design goals of Torbutton was to prevent Firefox from ever writing sensitive information to disk (unless a user has specifically asked it to, e.g. by changing Torbutton's configuration or adding a bookmark to Firefox). See section 1.2 of https://www.torproject.org/torbutton/design/ .

> *Is this correct?*

I can't tell because you didn't tell us what files you think TBB-Firefox writes which contain sensitive information.

> If true, there's no opportunity to securely wipe the files, rather than them being insecurely deleted - unless I'm mistaken. AFAIK, Tor has no secure wiping capability built in.

Neither Tor nor TBB attempts to securely erase files, because most filesystems in use on most operating systems (and many modern storage devices) make securely erasing files infeasible.

> Don't remember reading in documentation, either that users should be aware of this & take appropriate action, or that TBB already handles it securely. Also, no mention of a list of files TBB deletes on shut down, that users might consider the possibility of data being recoverable.

TBB should never write sensitive information to disk. TBB must assume that it is safe to create and delete temporary files which do not contain sensitive information within the TBB directory.

> If true, the only way to wipe any sensitive info (Ex.: so a repressive gov't can't recover info from HDD) would be to use a prgm to wipe free space on the partition containing TBB. If it is installed on a flash drive, that could be wiped, but the principle is still the same.

Programs that wipe free space are rarely able to wipe enough information to be worthwhile. Flash drives cannot be erased reliably at all.

> Since many users install most everything to C:\ - esp. in Windows (in TBB's case, unzip to a folder), then the wiping free space process on the OS partition - which MAY be the whole HDD for some users - ALWAYS involves some risk of file(s) corruption. I've never had a disaster wiping free space, but forums like Eraser, CCleaner & others are full of posts about the process (apparently) severely damaging the OS. If my assumptions are correct, 1) Have TBB developers considered the issue of some deleted info from sessions being recoverable?

We have. That's why we try hard to not write sensitive information to disk.

> 2) Other than wiping free space (which takes time), are there other suggestions for avg users to realistically deal w/ this? It doesn't affect me so much, but in repressive countries, it may warrant consideration.

We assume that erasing data written to disk is impossible, because it is infeasible on most filesystems and operating systems and many storage devices.

> I'd think for users wanting to securely wipe free space, it'd be best to use TBB on a flash drive or a small partition on the HDD. It's possible (?) w/ a proper list of files, the files in question MIGHT be securely deleted BEFORE closing TBB, but many wiping prgms would have problems wiping active files. It probably can be done w/ enough knowledge & the right tools, but most users aren't aware of the steps needed, and would not regularly go to that trouble (or would forget).

We assume that erasing data written to disk is impossible, because it is infeasible on most filesystems and operating systems and many storage devices.

Robert Ransom