[tbb-bugs] #17367 [Tor Browser]: Swap files can contain evidence of browsing history

[Tor Bug Tracker & Wiki]

#17367: Swap files can contain evidence of browsing history
-----------------------------+--------------------------
 Reporter:  arthuredelstein  |          Owner:  tbb-team
     Type:  defect           |         Status:  new
 Priority:  Medium           |      Milestone:
Component:  Tor Browser      |        Version:
 Severity:  Normal           |     Resolution:
 Keywords:  tbb-disk-leak    |  Actual Points:
Parent ID:  #17208           |         Points:
  Sponsor:                   |
-----------------------------+--------------------------

Comment (by sharifolorin):

 Replying to [comment:1 yawning]:
 > On the U*IXes, you could `mlockall()` on process startup assuming that
 the system is configured to allow pinning sufficient memory (`ulimit -l`),
 but given how big the runtime footprint of Firefox is, that's probably a
 really bad idea.

 Is there a reason this would be any worse than just running without a swap
 partition (as TAILS does)?

 > The answer here IMO is: Either use encrypted swap (Vista and later
 support this on Windows, dunno about Darwin), use full disk encryption, or
 use Tails.

 Yep, though FDE on its own (e.g., encrypted LVM physical volume with a
 root LV and a swap LV) isn't enough for some relevant threat models (those
 in which the user can be forced physically or legally to provide the FDE
 key). Generating a fresh swap key in-memory on each boot would work; I
 believe OpenBSD does this by default, but I'm not sure about most Linux
 distributions/Windows/OS X.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17367#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online