[tbb-bugs] #8988 [Tor Browser]: Spotlight and mds may have indexed the Tor Browser Bundle

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 12 08:40:25 UTC 2014

#8988: Spotlight and mds may have indexed the Tor Browser Bundle
     Reporter:  runa         |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-disk-leak, needs-triage
Actual Points:               |  Parent ID:
       Points:               |

Comment (by teor):

 In order to prevent indexing of the TorBrowser dmg and app, we can add an
 empty file ".metadata_never_index" to the TorBrowser.app directory, and
 the root directory of the downloaded dmg file.

 See https://apple.stackexchange.com/questions/87090/how-to-add-folder-to-

 However, Spotlight will also index other items, including but not limited to:
 * External Drives
 * Downloaded Disk Image Files (we may be able to append ".noindex" to the
 ".dmg" file extension to fix this, but this could cause file type
 recognition issues)

 Can someone in the TBB team change the scripts to create the relevant
 ".metadata_never_index" files in the root of the disk image and
 TorBrowser.app directories?


 For completeness, and/or cleanup of previous traces.

 '''Exclusion Paths'''

 Spotlight has exclusion paths that can be set to prevent indexing of and
 delete indexes on certain folders. Unfortunately, we'd then have to worry
 about the exclusion path itself giving away Tor Browser.

   # Apparently, this doesn't change the UI in System Preferences
   # It may also not work at all
   sudo defaults write /.Spotlight-V100/Store-V1/Exclusions Exclusions -array-add <path>

 '''Deactivate Indexing'''

 A trace prevention approach is to turn indexing off before installing TBB,
 and turn it back on afterwards.

   sudo mdutil -i off /
   sudo mdutil -i off -a
   # Download, Use, and Remove Tor Browser
   sudo mdutil -i on /
   sudo mdutil -i on -a

 '''Reindex File Types After Removal'''

 Or, a more surgical trace removal approach is to re-index all files of the
 relevant types after using Tor Browser:

   # Use and Remove Tor Browser
   # Get the list of installed mdimport plugins
   sudo mdimport -L
   # Re-index at least these plugins
   sudo mdimport -r /System/Library/Spotlight/Application.mdimporter
   # If Tor Browser came on a disk image or archive file
   sudo mdimport -r /System/Library/Spotlight/Archives.mdimporter
   # If Tor Browser was downloaded in another browser
   sudo mdimport -r /System/Library/Spotlight/Bookmarks.mdimporter
   # If images within TorBrowser's "opaque" app directory have been indexed
   sudo mdimport -r /System/Library/Spotlight/Image.mdimporter

 '''Delete Indexes After Removal'''

 A more extreme, but also more secure trace removal approach is to erase
 the Spotlight indexes on the relevant volume(s) (or, alternately, all
 volumes) after removing Tor Browser. The indexes will then be rebuilt.

   # Use and Remove Tor Browser
   sudo mdutil -E /
   sudo mdutil -E -a

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8988#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
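
The packaging step requested in the comment above could look like the following. This is an added example, not code from the ticket or from Tor Browser's build scripts; the function names and the staging layout (a directory that becomes the dmg root and holds TorBrowser.app) are assumptions. It creates the empty ".metadata_never_index" files and then verifies them so a build can fail if one is missing.

```shell
#!/bin/sh
# Added example, not Tor Browser's build code. Function names and the
# staging layout (<root>/TorBrowser.app) are assumptions.
MARKER=".metadata_never_index"

# Put an empty marker in the image root and in each top-level .app bundle.
add_never_index_markers() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    for dir in "$root" "$root"/*.app; do
        [ -d "$dir" ] || continue              # glob matched nothing
        rm -f -- "$dir/$MARKER" || return 1    # drop a stale file or symlink
        : > "$dir/$MARKER" || return 1
    done
}

# Print each directory whose marker is missing, a symlink, or non-empty.
# Returns 0 only when every expected marker is in place.
check_never_index_markers() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    bad=0
    for dir in "$root" "$root"/*.app; do
        [ -d "$dir" ] || continue
        if [ ! -f "$dir/$MARKER" ] || [ -L "$dir/$MARKER" ] || [ -s "$dir/$MARKER" ]; then
            echo "$dir"
            bad=1
        fi
    done
    return "$bad"
}

# Stand-alone use: ./markers.sh <staging-dir>
if [ -n "${1:-}" ]; then
    add_never_index_markers "$1" && check_never_index_markers "$1"
fi
```

The check can also be pointed at a mounted image or an installed copy to confirm the markers survived packaging.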
