
Gnome leaks thumbnails from encrypted and external drives

9 points | DwarvenEnemy | 19 days ago | gitlab.gnome.org

10 comments


DwarvenEnemy|19 days ago

GNOME stores thumbnails in ~/.cache/thumbnails/, regardless of where the pictures are. Meaning pictures viewed on an encrypted or external drive leave a trail in your home folder. GNOME does not communicate this in any way to the user, and none of the 3 buttons to clear history in Settings > Privacy & Security delete thumbnails. Further, GNOME Disk utility's option on whether to save a password or not misleads users into thinking GNOME's security model respects defense-in-depth, when in reality they consider read-only access to a user's home folder to be game over, in contrast to web browsers giving easy ways to clear history or browse incognito.

In other words, everything exposed to the user, as well as their experience with common applications like web browsers, gives a false sense of security.

This was reported to Nautilus, and closed as not in their threat model. Then it was raised to the GNOME design board, but has been ignored for nearly 3 months now. I am hoping posting it here will raise some much needed attention, and at least make the 'Delete Temporary Files' button do what it promises.
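An added example, not part of the thread or of GNOME's code: a small audit of the thumbnail cache that lists cached thumbnails whose source file lived outside the home directory. It assumes the cache follows the freedesktop thumbnail specification, where each thumbnail is a PNG carrying the source location in a `Thumb::URI` tEXt chunk; the function names and the sample thumbnail builder are hypothetical.

```python
import struct, zlib
from pathlib import Path
from urllib.parse import urlparse, unquote

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def thumb_uri(data):
    """Return the Thumb::URI tEXt value from PNG bytes, or None if absent."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        # Each chunk: 4-byte length, 4-byte type, body, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            if key == b"Thumb::URI":
                return value.decode("latin-1")
        if ctype == b"IEND":
            break
        pos += 12 + length
    return None

def is_outside_home(uri, home):
    """True when the thumbnail's source was not under the home directory."""
    parsed = urlparse(uri)
    if parsed.scheme != "file":
        return True  # e.g. sftp:// or mtp://: a remote or device source
    src, home = Path(unquote(parsed.path)), Path(home)
    return src != home and home not in src.parents

def audit(cache_dir, home):
    """Return (thumbnail path, source URI) pairs for sources outside home."""
    hits = []
    for png in sorted(Path(cache_dir).rglob("*.png")):
        uri = thumb_uri(png.read_bytes())
        if uri and is_outside_home(uri, home):
            hits.append((str(png), uri))
    return hits

def make_thumb(uri):
    """Constructed sample: PNG-framed bytes holding only a Thumb::URI chunk."""
    def chunk(ctype, body):
        crc = struct.pack(">I", zlib.crc32(ctype + body))
        return struct.pack(">I", len(body)) + ctype + body + crc
    return PNG_SIG + chunk(b"tEXt", b"Thumb::URI\x00" + uri.encode()) + chunk(b"IEND", b"")

if __name__ == "__main__":
    for path, uri in audit(Path.home() / ".cache/thumbnails", Path.home()):
        print(path, "<-", uri)
```

Run as a script it reports on the current user's `~/.cache/thumbnails/`; the listed files are the ones that would need to be deleted to remove the trail described in the post.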

Bender|19 days ago

As a mitigating control one can mount the thumbnails directory as tmpfs, accepting that it can grow rather large, so one must calculate what size to set that tmpfs mount. Also tmpfs is swap backed, so one would have to disable disk based swap and use zram, or just don't have swap if memory permits. Be sure to set the owner and group to that user or use autofs with variables.

akagusu|19 days ago

As usual GNOME devs ignore the problem, because for them it's not a problem in their software, it's the users who are using their software in some wrong way.

cromka|19 days ago

Raise it with Fedora/Red Hat.

winstonwinston|19 days ago

The title is misleading. It would be justified if it leaked over network or outside of home directory.

If file history features are a privacy threat then it should be disabled.

DwarvenEnemy|19 days ago

The post helpfully gives several scenarios in which calling it a leak is justified, as it endangers the user.

theamk|19 days ago

I feel the modern systems are so complex, there will always be some record somewhere. Thumbnails are an extreme example, but the filenames themselves can leak via LRU list, logs, history etc...

cromka|19 days ago

Problem is upstream project refuses to address it.