Opened 7 years ago

Closed 15 months ago

#5432 closed enhancement (wontfix)

Improve Panic Button/provide Wipe Button to wipe files and recommend purging with fire

Reported by: mikeperry Owned by: chiiph
Priority: Medium Milestone:
Component: Archived/Vidalia Version:
Severity: Normal Keywords: tbb-disk-leak, archived-closed-2018-07-04
Cc: mikeperry Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

For the TBB Panic Button in #4107, we decided against extensive efforts to wipe the TBB directory because it would be exceedingly difficult to do it correctly in the face of all adversaries.

However, this doesn't mean that in the happy future, we shouldn't make some attempt to wipe the contents of the TBB dir.

In the face of risk/reward vs time spent on wiping, I think the following OS-agnostic protocol is optimal:

  1. Overwrite each file with ONE PASS of 0's or pseudorandom stream.
  2. Rename each file to pseudorandom name
  3. Rename each directory to pseudorandom name
  4. rm -rf .

For any situation that requires more effort or time than this, we should recommend fire and/or acid. Perhaps we should even tell the user they should consider fire as a backup measure in a nice dialog before or after the wipe is complete.

Otherwise, this should be sufficient to deter a low-funded adversary with access to Norton Utilities Unerase and the like.

This mode probably should be a different option than the Panic Button, because even one pass of zeroes or psuedorandom data will take a while. In some situations (such as those that would require a Panic Button) you might not have that luxury.

Child Tickets

Change History (3)

comment:1 Changed 7 years ago by mikeperry

Keywords: tbb-disk-leak added
Summary: Improve Panic Button to wipe files and recommend purging with fireImprove Panic Button/provide Wipe Button to wipe files and recommend purging with fire

We should probably wipe the history and cookie files in the Firefox profile even during just a "Panic Button" pass. In particular, the following files are especially sensitive and should be wiped no matter what, if they exist (various Firefox options can enable them):

Data/profile/*.sqlite*
Data/profile/*.xml
Data/profile/*.db
Data/profile/weave/*
Data/profile/bookmark*

comment:2 Changed 22 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:3 Changed 15 months ago by teor

Keywords: archived-closed-2018-07-04 added
Resolution: wontfix
Status: newclosed

Close all tickets in archived components

Note: See TracTickets for help on using tickets.