
Re: [tor-bugs] #6314 [TorBirdy]: prevent leak via Date header field (local timestamp disclosure)



#6314: prevent leak via Date header field (local timestamp disclosure)
--------------------------+----------------------
     Reporter:  tagnaq    |      Owner:  ioerror
         Type:  defect    |     Status:  new
     Priority:  major     |  Milestone:
    Component:  TorBirdy  |    Version:
   Resolution:            |   Keywords:  SponsorT
Actual Points:            |  Parent ID:  #9131
       Points:            |
--------------------------+----------------------

Comment (by sukhbir):

 Replying to [comment:11 saint]:
 > @sukhbir How married are you to the idea of removing dates entirely?
 Thunderbird doesn't parse dateless emails very well, as a rule, and even
 if patched there are other clients that could respond poorly.  Could
 reasonably lead to people thinking that they haven't received a message
 just by virtue of it being at the bottom of their mail queue.

 I also personally think that removing the date entirely is not a good idea
 -- it will likely break things and even if it doesn't for the cases we
 test with, getting such a patch accepted is going to be very difficult. If
 you see the ticket on [https://bugzilla.mozilla.org/show_bug.cgi?id=902573
 Bugzilla], I think the best option is:

 > Keep the Date header and ensure it is in UTC (eg: allow some clock
 disclosure but not time zone to

 ... and set hh:mm:ss to 00:00:00 or randomize it. Something along those
 lines is better than removing the date completely.

 BTW, just to publicize it, we have now proposed working on these patches
 as a GSoC project. See
 [https://www.torproject.org/getinvolved/volunteer.html.en#makeTorbirdyBetter
 make TorBirdy better] :)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6314#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
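
Added example (not part of the ticket comment and not TorBirdy or Thunderbird code): the option discussed above, keeping the Date header in UTC with hh:mm:ss zeroed or randomized, plus a check for what a given Date value still discloses. The function names, the constructed sample date and the choice to treat -0000, UT and GMT as non-disclosing zones are assumptions.

```javascript
// Added example; function names are hypothetical, not TorBirdy/Thunderbird APIs.
const DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"];
const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
const pad = (n) => String(n).padStart(2, "0");

// Build a Date header value in UTC with hh:mm:ss zeroed ("zero") or drawn
// uniformly from the UTC day ("random"). rng is injectable for testing.
function sanitizedDateHeader(sent, mode = "zero", rng = Math.random) {
  // UTC getters only: the local getters depend on the sender's time zone.
  const secs = mode === "random" ? Math.floor(rng() * 86400) : 0;
  const t = new Date(Date.UTC(sent.getUTCFullYear(), sent.getUTCMonth(),
                              sent.getUTCDate(), 0, 0, secs));
  return `${DAYS[t.getUTCDay()]}, ${pad(t.getUTCDate())} ` +
         `${MONTHS[t.getUTCMonth()]} ${t.getUTCFullYear()} ` +
         `${pad(t.getUTCHours())}:${pad(t.getUTCMinutes())}:` +
         `${pad(t.getUTCSeconds())} +0000`;
}

// List what a Date header value still discloses under that policy:
// a non-UTC zone, a trailing zone comment such as "(PDT)", and, in
// "zero" mode, a time of day other than 00:00:00.
function dateHeaderLeaks(value, mode = "zero") {
  const re = /(\d{2}):(\d{2})(?::(\d{2}))?\s+([+-]\d{4}|[A-Za-z]+)(\s*\(.*\))?\s*$/;
  const m = re.exec(value);
  if (!m) return ["unparseable"];
  const leaks = [];
  if (!["+0000", "-0000", "UT", "GMT"].includes(m[4].toUpperCase())) {
    leaks.push("zone-offset");
  }
  if (m[5]) leaks.push("zone-comment");
  if (mode === "zero" && m[1] + m[2] + (m[3] || "00") !== "000000") {
    leaks.push("time-of-day");
  }
  return leaks;
}

// Constructed sample: a message sent at 23:30:12 local time in a UTC-5 zone.
// The UTC calendar date (14 Mar) differs from the sender's local date (13 Mar).
const SAMPLE_SENT = new Date("2014-03-13T23:30:12-05:00");
const SAMPLE_LOCAL_HEADER = "Thu, 13 Mar 2014 23:30:12 -0500";
console.log(dateHeaderLeaks(SAMPLE_LOCAL_HEADER));
console.log(sanitizedDateHeader(SAMPLE_SENT));
console.log(dateHeaderLeaks(sanitizedDateHeader(SAMPLE_SENT)));
```

Math.random is only the default for the randomized mode; pass a different rng if the jitter should come from another source.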