
Re: [tor-bugs] #10836 [TorBirdy]: Enable mail account autoconfig dialog in TorBirdy

#10836: Enable mail account autoconfig dialog in TorBirdy
-----------------------------+-----------------
     Reporter:  ben          |      Owner:  ben
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  TorBirdy     |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+-----------------

Comment (by tagnaq):

 lunar, thanks for pointing that out.

 ben I see your point that (almost?) no ISP is serving their xml files via
 HTTPS (currently there is no point to do so since Thunderbird would not
 make use of it), but could we at least try HTTPS before falling back to
 HTTP instead of hard coding HTTP only? (The security benefit is probably
 questionable since this is vulnerable to downgrade attacks..)

 What do you think about merging (some?) of tails modifications to the
 autoconfig [1] code? (I haven't looked at the code but the design [1]
 matches the 'forceHTTPS' suggestion.)

 I guess
 mailnews.auto_config_ssl_only = true
 equals more or less to
 'fetchFromISP.enabled = false'
 since (almost?) no one is serving their xml files via HTTPS.

 If you are saying that not even 1% of users are affected by fetchISP, then
 'fetchFromISP.enabled = false' wouldn't hurt too many users I guess.
 bitmessage.ch users would be one of them though.

 For simplicity I wanted to have fetchISP do HTTPS requests or none at all
 ('fetchFromISP.enabled = false'), but I could also imagine insecure HTTP
 fetches if we impose restrictions on the acceptable hostnames for the
 mailservers. (TorBirdy - not Thunderbird - would take care of enforcing
 those restrictions - I hope that's possible.)

 Mailserver hostnames for the email address user@xxxxxxxxxxx would have to
 match *.example.com.
 If it doesn't match we fall back to manual configuration.
 I'm wondering how many email addresses would fail this test.. (all custom
 domains hosted at gmail?)

 If we allow insecure HTTP fetches with that restriction in place we would
 make use of ben's 'mailnews.auto_config.fetchFromISP.emailAddressEnabled =
 false' to avoid sending the user's email address in plaintext across the
 wire.

 A successful attack would require a certificate for a hostname under the
 domain of the email address (since we only fetch/send emails via
 SSL/STARTTLS).


 I realized that autoconfig xml files can be used for more than just
 mailserver hostnames and ports/protocols. I'll look at it [2] in more
 detail to assess if that opens any new attack vectors. Ben, is [2] up to date?

 [2] https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat

 From tails "Modified autoconfig wizard" design paragraph at:
 [1] https://tails.boum.org/blueprint/Return_of_Icedove__63__/#index4h3

 > When probing a mail provider for an xml config, first try HTTPS, then
 > http (old behaviour: http only).
 > Introduce a boolean pref called mailnews.auto_config_ssl_only (that has
 > a checkbox in the autoconfiguration wizard) that does the following when true:
 >    Only allow HTTPS when fetching xml configs from mail provider.
 >    Only allow HTTPS when fetching xml configs from Mozilla's database
 >    (luckily the default URL is using HTTPS).
 >    Don't check DNS MX records for mail configurations. This may need
 >    some rethinking for DNSSEC.
 >    Only accept fetched xml configs that use safe email protocols
 >    (SSL/TLS for SMTP/IMAP/POP).
 >    Only probe the mail server for safe protocols (SSL/TLS for
 >    SMTP/IMAP/POP).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10836#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
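The hostname restriction and the "safe protocols only" rule discussed in the comment above, written out as a small validator. This is an added example, not code from TorBirdy, Thunderbird or the ticket. It assumes the element names of the Thunderbird autoconfig file format linked as [2] (clientConfig, incomingServer, outgoingServer, hostname, socketType with values plain/STARTTLS/SSL), and the ISP lookup path in autoconfig_urls is an assumption modelled on Thunderbird's documented lookup location. The sample XML documents are constructed for the example.

```python
"""Validate an autoconfig XML the way the ticket proposes TorBirdy could:
every mail server hostname must sit under the domain of the user's email
address, and only SSL/STARTTLS socket types are accepted. A config that
fails either test is handed to manual configuration instead of being used.
"""
import xml.etree.ElementTree as ET

# "plain" (cleartext) is deliberately absent: the comment only allows
# fetching/sending mail over SSL/STARTTLS.
SAFE_SOCKET_TYPES = {"SSL", "STARTTLS"}


def hostname_under_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it.

    Comparison is done label by label so that 'notexample.com' does not
    match 'example.com' and 'imap.example.com.attacker.net' does not
    match either.
    """
    h = hostname.rstrip(".").lower().split(".")
    d = domain.rstrip(".").lower().split(".")
    return len(h) >= len(d) and h[-len(d):] == d


def check_autoconfig(xml_text: str, email_address: str) -> list[str]:
    """Return a list of problems; an empty list means the config is acceptable.

    Note: for XML fetched from the network, parse with defusedxml rather
    than the stdlib parser to avoid entity-expansion denial of service.
    """
    if "@" not in email_address:
        return ["email address has no domain part"]
    domain = email_address.rsplit("@", 1)[1]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    servers = root.findall(".//incomingServer") + root.findall(".//outgoingServer")
    if not servers:
        return ["no incomingServer/outgoingServer elements"]

    problems = []
    for srv in servers:
        kind = srv.get("type", "?")
        host = (srv.findtext("hostname") or "").strip()
        sock = (srv.findtext("socketType") or "").strip()
        if not host:
            problems.append(f"{kind}: missing hostname")
        elif not hostname_under_domain(host, domain):
            problems.append(f"{kind}: hostname {host} is not under {domain}")
        if sock not in SAFE_SOCKET_TYPES:
            problems.append(f"{kind}: socketType {sock!r} is not SSL/STARTTLS")
    return problems


def autoconfig_decision(xml_text: str, email_address: str) -> str:
    """'accept' if the fetched config passes every check, else 'manual'."""
    return "accept" if not check_autoconfig(xml_text, email_address) else "manual"


def autoconfig_urls(domain: str, ssl_only: bool) -> list[str]:
    """Candidate ISP lookup URLs in the order the comment asks for:
    HTTPS first, then HTTP only when ssl_only is off. The email address is
    never appended (emailAddressEnabled = false), so it is not sent in the
    clear. The path is an assumption modelled on Thunderbird's lookup URL.
    """
    schemes = ["https"] if ssl_only else ["https", "http"]
    return [f"{s}://autoconfig.{domain}/mail/config-v1.1.xml" for s in schemes]


# Constructed sample: servers under the user's domain, safe socket types.
GOOD_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.com</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

# Constructed sample: look-alike hostnames outside the domain and a
# cleartext incoming server; must fall back to manual configuration.
BAD_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="example.com">
    <incomingServer type="imap">
      <hostname>imap.notexample.com</hostname>
      <port>143</port>
      <socketType>plain</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.com.attacker.invalid</hostname>
      <port>465</port>
      <socketType>SSL</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, autoconfig_decision(cfg, "user@example.com"),
              check_autoconfig(cfg, "user@example.com"))
    print(autoconfig_urls("example.com", ssl_only=True))
```

The comment's worry about custom domains hosted at a large provider shows up directly: a user at user@mycompany.invalid whose config points at imap.gmail.com fails hostname_under_domain and is sent to manual configuration, which is the intended trade-off of the restriction rather than a bug in the check.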