Hi all,
I've read Runa's forensic analysis of the TBB (https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28...) and I'm currently redoing the analysis of the current TBB. I'm more or less following what Runa did (plus RAM dump/hibernation file). I was wondering if you have any suggestions, ideas or any other kind of input on the subject. I asked on #tor and they suggested that I say something here.
jb
jack bloom:
Hi all,
I've read Runa's forensic analysis of the TBB (https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28...) and I'm currently redoing the analysis of the current TBB. I'm more or less following what Runa did (plus RAM dump/hibernation file). I was wondering if you have any suggestions, ideas or any other kind of input on the subject. I asked on #tor and they suggested that I say something here.
Refreshing this study will be very useful.
Three things come to mind immediately:
1. Please use Tor Browser 4.5a5, which should appear on the tor-qa list (https://lists.torproject.org/pipermail/tor-qa/) in the next day or two, and should be officially released on https://blog.torproject.org on Tuesday/Wednesday. Tor Browser 4.5-stable should be out in mid-April.
2. With respect to new features in 4.5 that may change disk leaks: the new .desktop launcher for Linux (https://trac.torproject.org/projects/tor/ticket/13375), the optional Windows shortcuts (https://trac.torproject.org/projects/tor/ticket/14688), and the Windows authenticode signatures (https://trac.torproject.org/projects/tor/ticket/3861) all may change disk records kept by the OS.
Since Runa did that report, we've also updated to a newer version of Firefox, which should have fixed several leaks in their Private Browsing Mode (which we use as a basis to prevent disk records of browsing activity). We've also added an updater, added Pluggable Transport support, removed Vidalia, and completely reorganized the bundles. Both Windows and Mac bundles were also changed to use NSIS and DMG packaging respectively, instead of zip files. There were quite a few more changes, as well.
3. You may want to have a look over https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&s.... Those are the disk leaks we know about, and some of them might actually no longer apply. Information about leaks that no longer happen will be especially useful to help us triage that list and focus on what still happens. Any new issues you find should also be tagged with the tbb-disk-leak keyword. The most serious issues are ones that cause information about websites that have been visited to be leaked to disk.
Sent: Friday, March 27, 2015 at 10:03 PM
From: "Mike Perry" mikeperry@torproject.org
To: "discussion regarding Tor Browser Bundle development" tbb-dev@lists.torproject.org
Subject: Re: [tbb-dev] TBB forensic analysis
jack bloom:
Hi all,
I've read Runa's forensic analysis of the TBB (https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28...) and I'm currently redoing the analysis of the current TBB. I'm more or less following what Runa did (plus RAM dump/hibernation file). I was wondering if you have any suggestions, ideas or any other kind of input on the subject. I asked on #tor and they suggested that I say something here.
Refreshing this study will be very useful.
Three things come to mind immediately:
- Please use Tor Browser 4.5a5, which should appear on the tor-qa list (https://lists.torproject.org/pipermail/tor-qa/) in the next day or two, and should be officially released on https://blog.torproject.org on Tuesday/Wednesday. Tor Browser 4.5-stable should be out in mid-April.
At the moment I was using TBB version 4.0.4, but I will replicate what I did with the version you suggested. Actually, using 4.5 makes much more sense; I didn't think of that before.
- With respect to new features in 4.5 that may change disk leaks: the new .desktop launcher for Linux (https://trac.torproject.org/projects/tor/ticket/13375), the optional Windows shortcuts (https://trac.torproject.org/projects/tor/ticket/14688), and the Windows authenticode signatures (https://trac.torproject.org/projects/tor/ticket/3861) all may change disk records kept by the OS.
Since Runa did that report, we've also updated to a newer version of Firefox, which should have fixed several leaks in their Private Browsing Mode (which we use as a basis to prevent disk records of browsing activity). We've also added an updater, added Pluggable Transport support, removed Vidalia, and completely reorganized the bundles. Both Windows and Mac bundles were also changed to use NSIS and DMG packaging respectively, instead of zip files. There were quite a few more changes, as well.
- You may want to have a look over https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&s.... Those are the disk leaks we know about, and some of them might actually no longer apply. Information about leaks that no longer happen will be especially useful to help us triage that list and focus on what still happens. Any new issues you find should also be tagged with the tbb-disk-leak keyword. The most serious issues are ones that cause information about websites that have been visited to be leaked to disk.
This is really helpful, thank you for your reply. I hope to get back in touch with you soon, hopefully with some results.
Bye!