[tor-talk] observation: Browser bundle & secure files deletion

Joe Btfsplk joebtfsplk at gmx.com
Wed Oct 5 17:28:44 UTC 2011


On 10/4/2011 4:38 PM, Robert Ransom wrote:
> On 2011-10-04, Joe Btfsplk <joebtfsplk at gmx.com> wrote:
>> I've thought about TBB & it insecurely deleting files such as cache when
>> closing TBB Firefox.  I assume this is what happens - I've investigated
>> - a BIT - & seems that's what it does.
> If you have evidence that TBB-Firefox stores sensitive information to
> disk without a user asking it to, please file a bug report.  One of
> the main design goals of Torbutton was to prevent Firefox from ever
> writing sensitive information to disk (unless a user has specifically
> asked it to, e.g. by changing Torbutton's configuration or adding a
> bookmark to Firefox).  See section 1.2 of
> https://www.torproject.org/torbutton/design/ .
>
>>   *Is this correct?*
> I can't tell because you didn't tell us what files you think
> TBB-Firefox writes which contain sensitive information.
>
>> If true, there's no opportunity to securely wipe the files, rather than
>> them being insecurely deleted - unless I'm mistaken.  AFAIK, Tor has no
>> secure wiping capability built in.
> Neither Tor nor TBB attempts to securely erase files, because most
> filesystems in use on most operating systems (and many modern storage
> devices) make securely erasing files infeasible.

Robert, your points are well taken [repeatedly :) ].  You overlooked
some possibilities or I wasn't clear.
*One* example:  Using TBB, if no sites one wants to visit require
cookies to operate correctly - or at all, that's fine.  But lots of 
sites won't work correctly w/o cookies.  The assumption is perhaps 
cookies from sites that might get someone in trouble, but is just as 
important to some users simply for privacy / anonymity.  If cookies must 
be allowed - even if only for a site - w/ default settings of "NOT to 
clear history when Aurora closes," in Aurora, then deleting those 
cookies - either thru Aurora "delete history" settings / UI or manually 
deleting the cookies file in the profile, won't securely delete them.

You're assuming users will never have to change (any) default setting in 
TBB to make sites  *work.*  If that were true, things would be much 
simpler.  I agree, using default settings is best, if possible.  Another 
assumption seems that all machines have enough RAM & CPU speed / power, 
to navigate / access some sites using Tor / TBB, and it not be 
excruciatingly slow (or impossible), w/o using cache.  Not everyone in 
the U.S., much less Iraq / Iran can afford a newer, faster machine.  It 
would be better if TBB users don't allow caching.  For older, slower 
machines, streaming political videos would be difficult w/o caching.  If 
they just "clear cache," it will be insecurely deleted.  Maybe they 
could d/l the file, but if they want to securely del it after (that 
doesn't concern TBB, per se), they need to use secure wiping.

I'm assuming the comment about infeasibility of securely erasing files 
on modern OSs, is based partly on 1) TBB being on same partition as the 
OS; 2) volume shadow service (Win) or similar is in use on the partition 
where TBB is running or files being stored (if any are).  Many users 
have only 1 partition - many don't.

I haven't read that securely wiping *files or free space* on ANY
partitions (meaning, none) can ever be effective, IF simple precautions 
are taken & simple instructions are followed  (esp. ones not involving 
the OS partition).  If you know of credible documentation that under NO 
circumstances, can data be securely & permanently deleted from any 
location on machines, I truly want to read it, because it will change 
some of my practices.  Like for certain financial files, medical 
records, letters to doctors, etc.

I think ? what you mentioned is one reason not to install TBB (or any 
other apps or store files) on OS partition, if want to securely & 
permanently del info.  Another option is to run apps in sandboxed 
environment.  That's why I don't store my vanilla Firefox profiles on 
C:\ w/ Windows.  Otherwise, if VSS is enabled, private data gets stored 
in it.

