Concern about clipboard history security

[MisterE]

I was astonished  when I recently discovered how large my clipboard history folder had become. It was full of sensitive information and passwords that I don't want stored in plaintext on my HDD too. I wonder if there could be an option to purge clipboard history every time QS quits and/or launches?

Thank you very much.

--E

[Patrick Robertson]

Hi there,

There is already an option to clear the Quicksilver Clipboard history. Open up the Clipboard History panel, click the cog in the top right hand corner and click 'Clear'.

The storage of clipboard history on disk has been removed in the latest version of the plugin, and this will no longer happen.

Finally, if you do not want the clipboard history to pick up contents from certain applications (e.g. 1Password, Keychain etc.) then open up the Quicksilver preferences, click the 'Clipboard' tab (on the left hand side) and type the names of the applications you would like Quicksilver to ignore.

You can safely delete the clipboard folder in ~/Library/Application Support/Quicksilver without affecting Quicksilver.

-- You received this message because you are subscribed to the Google Groups Quicksilver group. To post to this group, send email to blacktree-...@googlegroups.com. To unsubscribe from this group, send email to blacktree-quicks...@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/blacktree-quicksilver?hl=en

[MisterE]

Thank you for your detailed reply Patrick! No excuse for not looking into it more and RTFM before posting here for help. Sorry.

Best Regards,

--E

On Saturday, July 7, 2012 5:25:22 PM UTC+7, Patrick wrote:

Hi there,

<snip>

[MisterE]

Yep, turns out the plugin was way out of date. Isn't there a way to update all plugins from within the app?

I can't find it for the life of me.

Thanks again.

[MisterE]

I manually updated each plugin from the site. Some were 5+ years old!

[Patrick Robertson]

If you're running one of the later versions of Quicksilver (ß60+ I believe) just click the 'check now' button in the Quicksilver preferences. This checks for updates for the application and all the plugins

On 7 July 2012 12:12, MisterE <travel...@gmail.com> wrote:

I manually updated each plugin from the site. Some were 5+ years old!

-- You received this message because you are subscribed to the Google Groups Quicksilver group. To post to this group, send email to blacktree-...@googlegroups.com. To unsubscribe from this group, send email to blacktree-quicks...@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/blacktree-quicksilver?hl=en

[Leveebreaks]

I have recently tried the clipboard plugin and I too was concerned about security and found this thread. I'm using the latest version (1.2.2) and it still saves the clipboard history to disk in ~/Library/Application Support/Quicksilver/Shelves/QSPasteboardHistory.qsshelf

I know that I can clear the history, but I assume that doesn't do a secure erase of QSPasteboardHistory.qsshelf? 

Yes, I have excluded applications such as 1Password but that doesn't affect the browser extensions. And I don't want to exclude all of Safari. 

Btw, what's the relation between the Clipboard plugin and the Shelf plugin? Only with Shelf plugin installed I get the Clipboard History catalog added. 

[Lucas Garron]

I also still find this an issue. I don't want the history going to disk, so I do the following (until I have time to poke into the plugin and fix it): https://gist.github.com/lgarron/2723882

»Lucas Garron

--

You received this message because you are subscribed to the Google Groups "Quicksilver" group.

To unsubscribe from this group and stop receiving emails from it, send an email to blacktree-quicks...@googlegroups.com.

To post to this group, send email to blacktree-...@googlegroups.com.

Visit this group at http://groups.google.com/group/blacktree-quicksilver?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Patrick Robertson]

Quicksilver needs to write to disk so that the clipboard history is available across relaunches. You're right it should probably be encrypted or something similar, but for the time being this isn't possible.

At the moment it's up to you to weigh the security risks with the difficulty of deleting the items manually/upon relaunch

[Lucas Garron]

... who says the history needs to be available across launches? I would *much* prefer the data to be cleared, even considering how often I restart Quicksilver for development.

»Lucas Garron

[Patrick Robertson]

> ... who says the history needs to be available across launches? I would *much* prefer the data to be cleared, even considering how often I restart Quicksilver for development.

Then I guess adding some kind of preference to the Quicksilver pane may well be useful for some people like you. I for one like it across relaunches :)

[MisterE]

I most definitely do not want to have this information retained in an unencrypted format on my hard disk. I would be much happier if it was stored in RAM and purged every time QS was restarted. I'm quite sure that the vast majority of users who use this feature would also agree if informed of the security implications. I use LastPass, a Chrome extension, to generate complex passwords and often copy and paste them. Imagine my horror when I saw everything I was trying to keep secure easily visible in plain text in a folder that had grown to several MBs in size. I'd even like to have an option to purge (secure delete) the clipboard history at a specified interval as I regularly go for days or even weeks without rebooting my computer

For now, I'm disabling the plugin and I have to check my Time Machine Backups even though those can not be deleted securely. :/

I'll add a TM exception for this folder as well in case I enable the plugin again in the future. I don't even want it backed up encrypted.

Thanks for listening and for all your hard work guys!

--E

[Rob McBroom]

On Apr 19, 2013, at 3:41 AM, MisterE <travel...@gmail.com> wrote:

I most definitely do not want to have this information retained in an unencrypted format on my hard disk. I would be much happier if it was stored in RAM and purged every time QS was restarted.

I think it’s pretty clear that a preference to preserve the history across relaunches (off by default) is the answer for 99% of us.

I use LastPass, a Chrome extension, to generate complex passwords and often copy and paste them.

OS X has very good drag-and-drop support, even between text fields. I tend to use that when I don’t want something in the clipboard. Pulling it into Quicksilver with ⌘⎋ and using the Type Text action would also keep it out of the clipboard.

-- 
Rob McBroom
<http://www.skurfer.com/>

[1.61803]

On Friday, April 19, 2013 3:38:57 AM UTC+2, Patrick wrote:

> ... who says the history needs to be available across launches? I would *much* prefer the data to be cleared, even considering how often I restart Quicksilver for development.

Then I guess adding some kind of preference to the Quicksilver pane may well be useful for some people like you. I for one like it across relaunches :)

An rc file would maintain changes between relaunches and updates, e.g. securely deleting QSPasteboardHistory or preserving settings deep nested in plugin's plists.

[Leveebreaks]

Thanks, that's a good solution for now