rolling Firefox back to 2.x

Dotan Cohen dotancohen at gmail.com
Wed Sep 3 07:52:53 UTC 2008


2008/9/3 Nik N <niknot at gmail.com>:
> In order to get away from discussing what someone might know, not know
> or thinks he knows, let's concentrate on the technical issue:
>
> 1) What files in FF3 contain personal data that reveals browsing activity
> (other, of course, than intentionally and explicitly stored bookmarks)?

Don't risk it - shred the whole profile.

You can make a 'safe' profile with bookmarks that you do not worry
about analysis revealing. Then your shred script will copy the 'safe'
profile to the default profile, so that when you restart Firefox you
will have your safe profile back like new.

> 2) If the user, *for whatever reason* does not trust FF3 to reliably make
> such data, upon request via FF3 user interface, unreadable by simple
> software forensics, what are the consequences of shredding those files
> after each FF3 session using some external tool that the user trusts?

You lose the data. That's all. No matter how bad you bork your
profile, you won't be able to (on Linux at least) bork the Firefox
installation. You can always create a new profile and start from
scratch. If you really, really screw up (typo in script) then you
might bork your user profile.

> Answers which imply that such concerns are ill-founded are not
> helpful - through a process that this list discussion can't influence, the
> users involved have already decided that FF3 could not be trusted to
> reliably operate as they desire.

If FF3 could not be trusted, then FF2 could not be trusted either. So
you will need a strategy for that browser too. Just let us know which
one you would prefer to use, and we will help devise a strategy. I am
of the opinion that you should simply shred the entire profile no
matter what browser you use.

> Likewise for answers that imply there
> are other elements that should be considered part of the threat model
> (for instance, network monitoring): users already know about those
> and have an appropriate defense strategy.

Very good.

Note that any advice you get here will refer to the default Firefox
installation only. Extensions can save data in other places (Scrapbook
and Vimperator come to mind), and even Firefox will save downloads
(but not cache) by default outside the profile folder. So if you want
to be super-secure, browse from a separate user account, and shred
that account when you are done. As with the Firefox profile, you can
have a 'safe account' copy that you copy in place of the shredded
account.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

ä-ö-ü-ß-Ä-Ö-Ü
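
The reset described in the message above (shred the whole profile, then copy the 'safe' profile back into place), written as a shell function with guards for the "typo in script" case. This is an added example, not code from the thread. The function name, the paths and the `lock`-symlink check for a running Firefox are assumptions.

```shell
#!/bin/sh
# Added example: shred a Firefox profile and restore a 'safe' template copy.
# reset_profile and both path arguments are hypothetical names.

reset_profile() {
    profile=$1
    template=$2

    # Typo guard: only absolute paths, and never /, $HOME or a symlink.
    case "$profile" in
        /*) ;;
        *) echo "profile path must be absolute: '$profile'" >&2; return 2 ;;
    esac
    case "$profile" in
        /|"$HOME"|"$HOME/") echo "refusing to shred '$profile'" >&2; return 2 ;;
    esac
    if [ -L "$profile" ] || [ ! -d "$profile" ]; then
        echo "not a real directory: $profile" >&2; return 2
    fi
    # The template must look like a profile (prefs.js) and must not be the
    # directory that is about to be destroyed.
    if [ "$template" = "$profile" ] || [ ! -f "$template/prefs.js" ]; then
        echo "bad template: $template" >&2; return 2
    fi
    # Firefox on Linux keeps a 'lock' symlink in a profile that is in use.
    if [ -L "$profile/lock" ]; then
        echo "profile is in use (or crashed); close Firefox first" >&2; return 3
    fi

    # Overwrite and unlink every regular file, then drop what is left
    # (directories, symlinks) and copy the template into place.
    find "$profile" -type f -exec shred -fu -- {} + || return 1
    rm -rf -- "$profile" || return 1
    cp -Rp -- "$template" "$profile"
}

# Stand-alone use: reset_profile.sh /abs/path/to/profile /abs/path/to/safe-profile
if [ "$#" -eq 2 ]; then
    reset_profile "$1" "$2"
fi
```

`shred` overwrites files in place, so on journaling or copy-on-write filesystems and on SSDs earlier copies of the data may survive; the function also covers only the profile directory, not downloads or extension data stored elsewhere.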

