[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-talk] My solution to Tor Browser remember password bug
I've complained here before that the remember password feature in some
long previous versions of Tor Browser no longer works. I've accepted it
will likely never come back. So I've found the following solution. Maybe
it will also work for others, discussion welcome.
In summary, I've installed a password manager, which I've gotten to work
with the latest TBB, and also not compromise security.
Recall that I have been running TBB in a PGPdisk on-the-fly encrypted
partition, with a highly secure hard-to-guess passphrase. I have
confidence, absent the passphrase, that the NSA, FBI, KGB, etc. cannot
decrypt a PGP disk. It's not immune to "rubber-hose cryptanalysis,"
obtaining the passphrase via torture. Maybe also not black-bag
cryptanalysis or exploiting security holes in Windows XP or covert
installation of keyloggers, etc. Use of Truecrypt, with its hidden disk,
and stress passphrase, might address some of that. I have not gone there.
The password manager I chose was RoboForm. I first tried Kaspersky's
password manager, but could not find one that did not have all text in
Russian, so useless to me.
Roboform can be obtained legitimately at Roboform.com. It can also be
obtained for free, with a crack, at torrent sites.
Free versions of PGP do not support PGP disks, but PGP AKA Symantec
Encrypted Desktop, version 10.3.0 does, and also supports both Windows
XP and Windows 7. There are also free versions, with instructions on
registering it for free, thus activating features like PGP Disk,
available on torrent sites.
Roboform had one (to me) serious flaw, the password data location is
always located in Window's "My Document" folder, which I had not been
encrypting. I dealt with this by moving my PGD file to another partition
and enlarging it, then moving the old encrypted partition to the new
one, deleting the old partition, and assigning the same disk letter to
the new encrypted partition. Then I re-allocated the My Document folder
to a new directory in the new encrypted partition. To do this,
right-click on the My Documents icon on the desktop, then click
"Properties," then click "move" and select a location in a new folder on
the new encrypted partition. Now the Roboform password data is on My
Documents on an encrypted partition. The long passphrase need be entered
only after a re-boot or manual dismount of the encrypted partition.
Security between re-boots is provided by a moderately long passphrase to
unlock Windows from the screen saver, which is activated by inactivity.
Or Windows can be manually locked via the using 2 keys, the Windows logo
key present on most keyboards, then the letter L.
At present, Roboform does not install automatically on TBB, however it
can be manually activated by clicking on the Roboform logo in the task
area, clicking on browsers, then selecting the currently active TBB from
the list. A Roboform bar will appear in the browser, and Roboform will
prompt if you want to save the logon/password on any website where any
are present. Roboform will make up a name based on the URL, but this can
be renamed after the fact, and multiple logon entries can be organized
into folders. The password data can also be edited after the fact. Note
that if a Captcha is included in the logon, Roboform will save that
also. Since it's different for each logon, you would want to manually
remove that from the password entry.
Roboform supports automatically FireFox and Chrome outside of Tor. I've
found that the built-in password features of those browsers don't work
on more and more websites that attempt to force you to enter passwords
manually each logon.
Roboform attempts to provide some security for the password data by
prompting for creation/use of a "Master Password." But it will allow you
to create new logon entries without one. Just click cancel when prompted
for the master passphrase. It will then ask if you want to store the
data entry without one. Since the password data itself is on an
encrypted partition, you don't need another passphrase. I also store my
PGP keyrings on this encrypted partition, so my secret PGP keys don't
have passphrases either.
For future possibilities, both Truecrypt and PGP 10.3 support encrypting
the boot partition. PGP also supports encrypting disks with a PGP key,
rather than a passphrase. So if the keyring were moved to the boot disk,
and other encrypted partitions were changed from passphrase to PGP key
unlocking, this could stop bad guys at an even earlier stage, and
Truecrypt's stress passphrase and hidden volume feature could provide
added security in stress situations, such as passing through customs,
where I was threatened with confiscation of my laptop if I didn't
provide the passphrase to my encrypted partition. What I should have
done was disable the automatic prompt for the passphrase, possibly
rename the PGD files to something else, like random.dat, and the Customs
goon wouldn't have even known there was an encrypted partition. Of
course, this was all security theatre. If I had any really sensitive
information, I could encrypt it and email it to myself, then delete it
from the laptop.
An issue with encrypting the boot drive might be how to back it up. I
currently use Paragon disk backup to backup a disk image while XP is
running. I think that would not preserve the encryption, and I would
have to re-encrypt after a restore. I could use a bootable CD to backup
that partition, as I do now to restore it, but then it would also backup
the page files and compression wouldn't work, so much longer time and
space required. So I haven't gone there yet, and may not.
Again, any comments welcome.
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to