[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #6314 [TorBirdy]: prevent leak via Date header field (local timestamp disclosure)
#6314: prevent leak via Date header field (local timestamp disclosure)
--------------------------+----------------------
Reporter: tagnaq | Owner: ioerror
Type: defect | Status: new
Priority: major | Milestone:
Component: TorBirdy | Version:
Resolution: | Keywords: SponsorT
Actual Points: | Parent ID: #9131
Points: |
--------------------------+----------------------
Comment (by sukhbir):
Replying to [comment:11 saint]:
> @sukhbir How married are you to the idea of removing dates entirely?
Thunderbird doesn't parse dateless emails very well, as a rule, and even
if patched there are other clients that could respond poorly. Could
reasonably lead to people thinking that they haven't received a message
just by virtue of it being at the bottom of their mail queue.
I also personally think that removing the date entirely is not a good idea
-- it will likely break things and even if we it doesn't for the cases we
test with, getting such a patch accepted is going to be very difficult. If
you see the ticket on [https://bugzilla.mozilla.org/show_bug.cgi?id=902573
Bugzilla], I think the best option is:
> Keep the Date header and ensure it is in UTC (eg: allow some clock
disclosure but not time zone to
... and set hh:mm:ss to 00:00:00 or randomize it. Something along those
lines is better than removing the date completely.
BTW, just to publicize it, we have now proposed working on these patches
as a GSoC project. See
[https://www.torproject.org/getinvolved/volunteer.html.en#makeTorbirdyBetter
make TorBirdy better] :)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6314#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs