
Re: [tor-talk] observation: Browser bundle & secure files deletion



On 2011-10-04, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
> I've thought about TBB & it insecurely deleting files such as cache when
> closing TBB Firefox.  I assume this is what happens - I've investigated
> - a BIT - & seems that's what it does.

If you have evidence that TBB-Firefox stores sensitive information to
disk without a user asking it to, please file a bug report.  One of
the main design goals of Torbutton was to prevent Firefox from ever
writing sensitive information to disk (unless a user has specifically
asked it to, e.g. by changing Torbutton's configuration or adding a
bookmark to Firefox).  See section 1.2 of
https://www.torproject.org/torbutton/design/ .

>  *Is this correct?*

I can't tell because you didn't tell us what files you think
TBB-Firefox writes which contain sensitive information.

> If true, there's no opportunity to securely wipe the files, rather than
> them being insecurely deleted - unless I'm mistaken.  AFAIK, Tor has no
> secure wiping capability built in.

Neither Tor nor TBB attempts to securely erase files, because most
filesystems in use on most operating systems (and many modern storage
devices) make securely erasing files infeasible.

> Don't remember reading in documentation, either that users should be
> aware of this & take appropriate action, or that TBB already handles it
> securely.  Also, no mention of a list of files TBB deletes on shut down,
> that users might consider the possibility of data being recoverable.

TBB should never write sensitive information to disk.  TBB must assume
that it is safe to create and delete temporary files which do not
contain sensitive information within the TBB directory.

> If true, the only way to wipe any sensitive info (Ex.:  so a repressive
> gov't can't recover info from HDD), would be use a prgm to wipe free
> space on the partition containing TBB.  If it is installed on a flash
> drive, that could be wiped, but principle is still the same.

Programs that wipe free space are rarely able to wipe enough
information to be worthwhile.  Flash drives cannot be erased reliably
at all.

> Since many users install most everything to C:\ - esp. in Windows  (in
> TBB case, unzip to a folder), then wiping free space process on the OS
> partition - which MAY be the whole HDD for some users, ALWAYS involves
> some risk to file(s) corruption.  I've never had a disaster wiping free
> space, but forums like Eraser, CCleaner & others are full of posts about
> the process (apparently) severely damaging the OS.
>
> If my assumptions are correct,
> 1) Have TBB developers considered the issue of some deleted info from
> sessions, being recoverable?

We have.  That's why we try hard to not write sensitive information to disk.

> 2) Other than wiping free space, (which takes time) are there other
> suggestions for avg users to realistically deal w/ this?  It doesn't
> affect me so much, but in repressive countries, it may warrant
> consideration.

We assume that erasing data written to disk is impossible, because it
is infeasible on most filesystems and operating systems and many
storage devices.

> I'd think for users wanting to securely wipe free space, it'd be best to
> use TBB on flash drive or a small partition on HDD.  It's possible ? w/
> a proper list of files, the files in question MIGHT be securely deleted
> BEFORE closing TBB, but many wiping prgms would have problems wiping
> active files.  It probably can be done w/ enough knowledge & right
> tools, but most users aren't aware of steps needed, and would not
> regularly go to that trouble (or forget).

We assume that erasing data written to disk is impossible, because it
is infeasible on most filesystems and operating systems and many
storage devices.


Robert Ransom