[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)



Hi,

> I didn't see the Message ID as harmful, but I'm more than happy to be
> educated on this front. I do see the timezone leakage as a problem.

The Message-ID used by Thunderbird consists of two parts: the Unix
timestamp in hexadecimal format (which matches the time in the 'Date'
header) and a random number, the former being the reason why the
message-ID is considered 'harmful'. tagnaq's paper [0] discusses this
and proposes a time independent message-ID for Thunderbird.

[0] - https://trac.torproject.org/projects/tor/attachment/wiki/doc/TorifyHOWTO/EMail/Thunderbird/Thunderbird%2BTor.pdf

> had a look through Thunderbird's settings and can't see anything to
> indicate that this is stored within the settings so I imagine that this
> comes from system. If it's controlled through the environment then it
> may be able to be set before running, again maybe through a TBB style
> startup.

Yes, there is no way to change this using the configuration settings.
It is possible to do this by setting the 'TZ' environment variable
[1], however that introduces a new problem: Thunderbird then uses UTC
as the dates on emails also and this may confuse/ irritate the users.

We are currently working on the date and the message-ID issue.

[1] - https://www.torproject.org/torbutton/torbutton-faq.html.en#securityissues

> My only other immediate concern is how Thunderbird identifies itself to
> the SMTP server during the EHLO. Claws mail provides a dialogue to show
> what it's doing, and also allows you to specify what it is that is
> reported to the other end. I'm not sure what Thunderbird says, but it's
> likely that it is the local hostname.

This has been taken care of, 'mail.smtpserver.default.hello_argument'
is set to '127.0.0.1' to prevent hostname leaks.

Thanks for helping us test this out.

-- 
Sukhbir
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk