[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Vidalia error message with TorBirdy

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Vidalia error message with TorBirdy
From: Katya Titov <kattitov@xxxxxxxxxx>
Date: Fri, 5 Jul 2013 16:41:02 +1000
Authentication-results: smtp16.mail.yandex.net; dkim=pass header.i=@xxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 05 Jul 2013 02:51:54 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail; t=1373006484; bh=oohtjpVT2urIzT5XN7RN84drIHJZeRYl0cCpFo+xnHI=; h=Date:From:To:Subject:Message-ID:In-Reply-To:References:X-Mailer: Mime-Version:Content-Type:Content-Transfer-Encoding; b=A0VvGcoQC/1pzGF2W8QDgiDyMxakJnMN8HLyQ+szlmRixJg/R8MJAW0q4uMCx1tJ/ pRDhBvvpHDoHgykKPf/tN4j45b0ehyhqXTZ1e2ThtPcN4HS/orv6JomDlmDikuSNjz XagUmU55LY72doZiCHiZeCGy18VSDyZXkjylFRmo=
In-reply-to: <51D476EA.3020102@xxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <51D345BB.6010606@xxxxxxxxxxxxxxxxxxxxxxxxxx> <20130702213553.GW31806@xxxxxxxxxxxxxx> <51D350D5.3000304@xxxxxxxxxxxxxxxxxxxxxxxxxx> <51D3E097.7050204@xxxxxxxxx> <51D476EA.3020102@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

anonymous coward:

> Karsten N.:
> 
>> Latest Thunderbird versions enforce STARTTLS if it was selected. The
>> weak option "Use STARTTLS if possible" is not available any more in
>> Thunderbird. You may use IMAP with STARTTLS, if your provider does
>> not offer IMAPS.
> 
> I changed to SSL/993 which should be fine now.
> 
> But, with the latest discussions about Prism and stuff, how much can
> you trust the CAs in web browsers and Thunderbird, after all? Do you
> think CAs are safe from NSA´s games? I would be surprised if they
> were.....

You can't really trust the CAs, at least not from state-level
attackers. And Prism seems to indicate that pretty much all traffic is
subject to recording (and later decryption?) by at least two
state-level attackers: US and UK.

> How does SSL work with Imap in general? When I first connect to the
> imap server it transmitts its certificate, right? Is the certificate
> then stored in Thunderbird or will the certificate transmitted again
> each time you connect to imap server? I think, if the cert gets saved
> in the mail client, it is _some_ protection against the man in the
> middle...!?

IMAPS works by ensuring that an SSL (encrypted) connection is made
before the IMAP connection is made, therefore guaranteeing encrypted
comms. All that is visible to an observer are the IPs and ports
involved, and some information about the crypto being used.

STARTTLS means that the IMAP connection is made first and then the
session is 'upgraded' to become encrypted. This leaves encryption in
the hands of the client and therefore the server can't enforce
encryption. If I understand Karsten's email correctly then Thunderbird
with TorBirdy now enforces the encryption from the client end via
STARTTLS: this is good!

The certificate will be cached in the client, however if the cert is
changed (e.g. MitMed) then the client will accept the new one as long
as it checks out through the regular checking processes. So a MitM
which doesn't involve coercing a CA (or otherwise getting a 'valid'
certificate) should result in Thunderbird throwing a warning, but a
MitM due to a coerced CA will look fine. There are plugins for Firefox
which alert you to a change in certificates, but I'm not aware of any
for Thunderbird.
-- 
kat
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Vidalia error message with TorBirdy
  - From: Douglas Lucas
- Re: [tor-talk] Vidalia error message with TorBirdy
  - From: Karsten N.

References:
- [tor-talk] Vidalia error message with TorBirdy
  - From: anonymous coward
- Re: [tor-talk] Vidalia error message with TorBirdy
  - From: Roger Dingledine
- Re: [tor-talk] Vidalia error message with TorBirdy
  - From: anonymous coward
- Re: [tor-talk] Vidalia error message with TorBirdy
  - From: Karsten N.
- Re: [tor-talk] Vidalia error message with TorBirdy
  - From: anonymous coward

Prev by Author: Re: [tor-talk] hidden services vulnerable to attacks?
Next by Author: Re: [tor-talk] Vidalia error message with TorBirdy
Previous by thread: Re: [tor-talk] Vidalia error message with TorBirdy
Next by thread: Re: [tor-talk] Vidalia error message with TorBirdy
Index(es):
- Author
- Thread