Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-11-04 Thread Joe 
In general, Tor Browser doesn't write any history to disk - by design.  
If you look in about:config at settings whether to use disk cache, it 
should be set to false.

browser.cache.disk.enable;false
If you have enough RAM, you can do the same in regular Firefox. Allow 
enough memory to handle browsing. 
browser.cache.memory.max_entry_size;512000  or 100.


RAM's a whole lot faster than a disk - even SSDs.

There have been many problems through the yrs on not deleting cache, 
cookies, history - you name it - the way it was supposed to.
I set the clear history UI to clear everything but site preferences 
(cookie exceptions).


Mozilla has changed the Privacy & Security area even more in v63, so I 
wouldn't be surprised if there are more bugs.


I used to use addons to clear cache, history, because Fx didn't do it 
completely.  Maybe 3 letter agencies are demanding (or paying) that 
history not be cleared as advertised. There have always been privacy (& 
security) issues w/ all browsers that dragged on forever.  As far as we 
know, it's still no where near as bad as IE of old, where they hid at 
least one history file, as a system, hidden file(s).  But you couldn't 
search & find it - no matter what.  You had to KNOW the exact, long path 
to the file & enter that before you could delete it.


Ol' Bill's a big philanthropist now. n!m





On 9/25/18 8:33 PM, Nick Levinson wrote:
On Tuesday, September 25, 2018, 2:01:04 AM EDT, Joe 
 wrote:

> * * * * *
> Is the claim that Firefox (vs. TorBrowser, based on Firefox esr 
version) stores visited URLs in places.sqlite regardless of settings 
under > Privacy & Security?
> The subject of this message is confusing.  Is it asking the 
question, "does browser remember URLs..."?

> Or telling us, "browser does remember URLs..."?
>
> You said it's years old.  I doubt that would've slipped by Tor 
Project & all users for years.

> Where is the data claimed to be stored?
>
> The title sound like, "if Firefox remembers URLs visited before 
shutdown, then they won't be deleted, even if that's checked under 
Clear > History.
> If I understand you & the subject, the claim is that even when 
"Never Remember History" is checked, it is remembering visited URLs 
*during* that session, but deletes them when the browser is closed, or 
if "Clear History" is used during the session?

>
> However, if "remember browsing and download history" is checked AND 
you DON'T have "Always Use Private Browsing Mode", TBB will > remember 
history during the session, but not after shutdown.

>
> As far as I've ever seen, TBB deletes any history of any type, 
whether you have "clear history" settings checked, or not.  That's by 
design.

>
> How is it a security leak?  During a session, are sites supposedly 
able to tell which sites you visited, directly or indirectly?

>
> There was a bug in Fx many, many yrs ago - where sites could make a 
query of some type & determine if sites had been visited.  AFAIK, that 
was fixed long ago.

> During that period, users couldn't have visited links change colors.

It's about Tor, but I'll explain as if Tor is based on Firefox by 
describing the Firefox problem. Suppose it's set to Remember History. 
I visit example.com. Firefox remembers the URL. So far, no problem. 
Then I change Remember History to Never Remember History. I have no 
idea that it's still remembering example.com. Someone inspecting my 
computer can see that I visited example.com when I think they can't 
see any history. That's a security leak.


One could argue why I'd let anyone inspect my computer. However, Never 
Remember History is offered for a reason, probably as protection 
against anyone inspecting my computer.


The URLs are definitely stored somewhere. I proved that. Which file 
it's in, I don't know. It's stored somewhere available after powering 
down and powering up, i.e., through a cold boot. I tried identifying 
the exact location but failed. But it's somewhere there. I tested 
without networking or a removable (flash) drive 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1476152#c10). Therefore, 
it had to have been stored on my local hard drive.


The complaint for Firefox is years old. It still has not been solved 
for Firefox. Thus, unless Tor people monitor most unpatched Firefox 
complaints (and there are many and most of them are unimportant), Tor 
people could have missed this one. A wontfix or invalid for Firefox 
might not be a decision appropriate for Tor.


Users could easily miss it for years. The user interface says Never 
Remember History. The meaning is unambiguous. The problem is that the 
UI's meaning does not reflect the programming inside Firefox. Most 
users would never test the truth of any UI. They would trust the UI. 
Therefore, in this case, most users would be misled.


The title was about Tor, albeit inspired by Firefox's problem. Firefox 
is definitely storing the URLs. If Tor uses the same design insofar as 
relevant, then Tor is also storing the

Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-10-12 Thread Mirimir 
On 10/12/2018 01:47 PM, Nick Levinson wrote:
>> This is the use case for Tails. . . . [T]here are no writes to storage, 
>> unless users configure [otherwise] . . . .
> 
> One need not use Tails to use Tor (I used to sometimes use Tor and never used 
> Tails), so, while Tails may be a good idea, the question remains for Tor and 
> its security architecture when not using Tails.

Sure, but this isn't a _Tor_ issue. It's just about Tor browser, which
is just (heavily) modified Firefox. And although I'm no software expert,
I'm guessing that it's impossible to guarantee what some code will or
won't leave behind when it crashes. Even if you tweaked the browser to
never write temp files to disk, and keep everything in RAM, you couldn't
guarantee that the OS won't write stuff to disk.

That is, unless there _is_ no disk, as in Tails. Even with Whonix,
traces likely remain in the virtual disk. And sure, you can run Whonix
with virtual disks, which don't persist changes. But even then, who's to
say what might get left on the host. I'm less familiar with other
sandboxing options, but I suspect that there are similar issues.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-10-12 Thread bo0od 
add the updated tests , the wiki even accept anonymous edits.

you can discuss that openly in the forum of Whonix as well.

(though, i dont see much changes that would make Tor safer only through
the amnesic usage)

intrigeri:
> bo0od:
>> There is a full comparison of Tails and Whonix (persistent virtual OS)
>> can be found here:
>> https://www.whonix.org/wiki/Comparison_with_Others#Introduction
> 
> FTR the Tails part of that page is quite outdated.
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-10-12 Thread intrigeri 
bo0od:
> There is a full comparison of Tails and Whonix (persistent virtual OS)
> can be found here:
> https://www.whonix.org/wiki/Comparison_with_Others#Introduction

FTR the Tails part of that page is quite outdated.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-10-12 Thread bo0od 
Not really Tor is the best practice using it with amnesic system like
Tails due to the guards entry issue ..

There is a full comparison of Tails and Whonix (persistent virtual OS)
can be found here:

Clearnet Link:-

https://www.whonix.org/wiki/Comparison_with_Others#Introduction

Onion Link:-

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Comparison_with_Others#Introduction

Nick Levinson:
>> This is the use case for Tails. . . . [T]here are no writes to storage, 
>> unless users configure [otherwise] . . . .
> 
> One need not use Tails to use Tor (I used to sometimes use Tor and never used 
> Tails), so, while Tails may be a good idea, the question remains for Tor and 
> its security architecture when not using Tails.
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-10-05 Thread Mirimir 
On 10/05/2018 05:19 PM, Nick Levinson wrote:
> This replies to a September 26 post with the same title.



> It took some effort to find the bug in FF, it took some more effort
> to convince people at FF that data is persistently stored, and a FF
> derivative is being used in Tor, so I would not be surprised if no
> one reported the bug at Tor before my question last month. The
> discussion at FF was going on for years. So the open question for> Tor is not 
> whether it's unreported but whether Tor behaves
> differently, and you and I have narrowed it down to the difference
> between design and behavior at shutdown time and similar times. If
> you or someone else knows the answer to that question, please post
> accordingly.

This is the use case for Tails. It's a Debian live system with Tor
browser etc. So everything runs in RAM. And there are no writes to
storage, unless users configure encrypted USB storage. If you like, you
can run in a diskless machine. At shutdown, it explicitly wipes RAM, so
no traces remain. In case of a hard shutdown, data would remain in RAM
for a while, but would be gone within hours at most.

I'm not qualified to have opinions about other issues that you raise.


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-09-26 Thread Joe 
Sorry for this (one) top post - just wanted you & any others new to the 
Tor Browser & the whole family of software from Tor Project, not to be 
misinformed.


You cited a cookie or history issue in Firefox.  You expected Firefox 
history - accumulated during NON-private browsing, to be automatically 
cleared when (I assume) the private browsing session was ended or 
Firefox was closed.  That may or may not have anything to do with Tor 
Browser.


Firefox in Private Browsing, probably shouldn't pull data from earlier 
non-private browsing, but you can just uncheck the options under 
Preferences > Privacy & Security to stop any history from popping up in 
the address bar.  And you can check desired options to delete when 
clearing history.  TBB deletes all data in that list (if any exists), if 
the "clear history" items are checked or not, but the time frame may 
need to be "everything."  In Firefox, time span needs to be = 
Everything, or it may not clear all history.


Unless an equivalent bug was filed in Tor Project's bug system and 
accepted, https://trac.torproject.org, and that bug is still "unfixed," 
it's highly unlikely such a Tor Browser bug exists.  By design, Tor 
Browser doesn't save data to disk across sessions.  You can 
*intentionally* protect some cookies.


I've used TBB many times NOT in Private Browsing; entered a few cookie 
exceptions for sites that I knew required them.  The specific sites set 
session cookies.  In TBB "Clear History" settings, when time frame is = 
"Everything," TBB still cleared cookies whether cookies were checked or 
unchecked to clear after shutdown. Intentionally protecting individual 
cookies, under Tor Button is an entirely different matter.


Most important: in Tor Browser Bundle *(TBB)* - the "browser" part of 
the bundle IS absolutely THE Mozilla Firefox browser (TBB uses Firefox 
"esr" versions).  The Firefox version has been *EXTENSIVELY modified* to 
increase anonymity, hide real IP addresses, NOT to give up a lot of data 
(like typical browsers often do) that may / can allow web sites / 
hackers / and adversaries against privacy, to identify internet users by 
several different methods. Tor itself, isn't a web browser.  It helps 
the browser connect to the  Tor network (that's very over simplified).


2) Your comments still sounds like you're trying to use another browser 
besides Tor Browser with Tor, to access the Tor Network!

Or just asking if TBB behaves the same as Firefox?
TBB does not behave the same as the standard Firefox, in many ways.
Some links to explain TBB design: Torproject.org_FAQ - Noreply Wiki 
 ; The Design 
and Implementation of the Tor Browser [DRAFT] 



* Using any other browser than Tor Browser with Tor, hoping to gain the 
same anonymity, privacy, reduced fingerprinting as "Tor Browser Bundle" 
isn't a good idea, nor recommended.  Don't use another browser with Tor, 
unless for experimenting or testing, when anonymity isn't a concern.  
Countless modifications are made to the "base Firefox" to make "Tor 
Browser."  It's far easier, with better results to use TBB.




On 09/25/2018 08:33 PM, Nick Levinson wrote:
On Tuesday, September 25, 2018, 2:01:04 AM EDT, Joe 
 wrote:

> * * * * *
> Is the claim that Firefox (vs. TorBrowser, based on Firefox esr 
version) stores visited URLs in places.sqlite regardless of settings 
under > Privacy & Security?
> The subject of this message is confusing.  Is it asking the 
question, "does browser remember URLs..."?

> Or telling us, "browser does remember URLs..."?
>
> You said it's years old.  I doubt that would've slipped by Tor 
Project & all users for years.

> Where is the data claimed to be stored?
>
> The title sound like, "if Firefox remembers URLs visited before 
shutdown, then they won't be deleted, even if that's checked under 
Clear > History.
> If I understand you & the subject, the claim is that even when 
"Never Remember History" is checked, it is remembering visited URLs 
*during* that session, but deletes them when the browser is closed, or 
if "Clear History" is used during the session?

>
> However, if "remember browsing and download history" is checked AND 
you DON'T have "Always Use Private Browsing Mode", TBB will > remember 
history during the session, but not after shutdown.

>
> As far as I've ever seen, TBB deletes any history of any type, 
whether you have "clear history" settings checked, or not.  That's by 
design.

>
> How is it a security leak?  During a session, are sites supposedly 
able to tell which sites you visited, directly or indirectly?

>
> There was a bug in Fx many, many yrs ago - where sites could make a 
query of some type & determine if sites had been visited.  AFAIK, that 
was fixed long ago.

> During that period, users couldn't have visited links change colors.

It's about Tor, but I'll explain as if Tor is based on Firefox by

Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-09-25 Thread Nick Levinson 
On Tuesday, September 25, 2018, 2:01:04 AM EDT, Joe  wrote: 
> * * * * *> Is the claim that Firefox (vs. TorBrowser, based on Firefox esr 
version) stores visited URLs in places.sqlite regardless of settings under > 
Privacy & Security? > The subject of this message is confusing.  Is it asking 
the question, "does browser remember URLs..."?
 > Or telling us, "browser does remember URLs..."?
 > 
> You said it's years old.  I doubt that would've slipped by Tor Project & all 
> users for years.
 > Where is the data claimed to be stored?
 > 
> The title sound like, "if Firefox remembers URLs visited before shutdown, 
> then they won't be deleted, even if that's checked under Clear > History.
 > If I understand you & the subject, the claim is that even when "Never 
 > Remember History" is checked, it is remembering visited URLs *during* that 
 > session, but deletes them when the browser is closed, or if "Clear History" 
 > is used during the session?
 > 
> However, if "remember browsing and download history" is checked AND you DON'T 
> have "Always Use Private Browsing Mode", TBB will > remember history during 
> the session, but not after shutdown. 
 > 
> As far as I've ever seen, TBB deletes any history of any type, whether you 
> have "clear history" settings checked, or not.  That's by design.
> 
> How is it a security leak?  During a session, are sites supposedly able to 
> tell which sites you visited, directly or indirectly?
 > 
> There was a bug in Fx many, many yrs ago - where sites could make a query of 
> some type & determine if sites had been visited.  AFAIK, that was fixed long 
> ago.
 > During that period, users couldn't have visited links change colors.
It's about Tor, but I'll explain as if Tor is based on Firefox by describing 
the Firefox problem. Suppose it's set to Remember History. I visit example.com. 
Firefox remembers the URL. So far, no problem. Then I change Remember History 
to Never Remember History. I have no idea that it's still remembering 
example.com. Someone inspecting my computer can see that I visited example.com 
when I think they can't see any history. That's a security leak.

One could argue why I'd let anyone inspect my computer. However, Never Remember 
History is offered for a reason, probably as protection against anyone 
inspecting my computer.
The URLs are definitely stored somewhere. I proved that. Which file it's in, I 
don't know. It's stored somewhere available after powering down and powering 
up, i.e., through a cold boot. I tried identifying the exact location but 
failed. But it's somewhere there. I tested without networking or a removable 
(flash) drive (https://bugzilla.mozilla.org/show_bug.cgi?id=1476152#c10). 
Therefore, it had to have been stored on my local hard drive.

The complaint for Firefox is years old. It still has not been solved for 
Firefox. Thus, unless Tor people monitor most unpatched Firefox complaints (and 
there are many and most of them are unimportant), Tor people could have missed 
this one. A wontfix or invalid for Firefox might not be a decision appropriate 
for Tor.
Users could easily miss it for years. The user interface says Never Remember 
History. The meaning is unambiguous. The problem is that the UI's meaning does 
not reflect the programming inside Firefox. Most users would never test the 
truth of any UI. They would trust the UI. Therefore, in this case, most users 
would be misled.

The title was about Tor, albeit inspired by Firefox's problem. Firefox is 
definitely storing the URLs. If Tor uses the same design insofar as relevant, 
then Tor is also storing the URLs.
Clear History is not the complaint's subject. As far as I know, Clear History 
works. However, Never Rememmber History implies that the history is being 
cleared just by selecting Never Remember History. If a user should apply 
another step, the UI should not make a sweeping overclaim or else it should 
explicitly tell the user to take that step.
   
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk