[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-talk] Important Information for TorBirdy Users: OS upgrade (might) results in failure to mask timezone (observed on Fedora20-21 Qubes OS R2)
Hi,
this is a (pre) information for TorBirdy users (and their developers).
Bug Impact:
Outbound emails disclose the actual timezone in the "Date" header
(instead of using UTC regardless of actual OS timezone).
This reveals a sender's raw location and more importantly allows
attackers to link pseudonyms because the timezone in outbound emails
potentially changed at the same point in time for all used pseudonyms of
a single entity.
The root cause and affected systems of the problem is not
analyzed yet but I wanted to send this out as soon as possible
so people are aware of this problem and can avoid it until it gets
fixed.
Are you affected?
It has been observed on Qubes OS R2 default Fedora template after
changing from Fedora 20 to Fedora 21. It is not known whether this is
Qubes OS specific in any way.
You can easily check whether you are affected by going to your 'sent'
mail folder:
- select an email
- ctrl+u to see the source of the email
- search (ctrl+f) "Date:"
- if the line ends with +0000, timezone masking is working (if your OS
timezone is not +0000)
- if it shows anything else it is not working and you are probably
affected
(note: there is a TorBirdy setting to explicitly disable this
protection, of you opted-out than this is entire email is irrelevant to
you)
If you are affected please add information (your OS) to the bug tracker
to help debug this.
Trac ticket:
https://trac.torproject.org/projects/tor/ticket/16419
@TorProject: the 'cypherpunks' account is not working, could you enable
it agains so that people can use it?
Fix?
Not available yet, TorBirdy devs will certainly send out an information
once this is solved/analyzed.
This bug has been observed after upgrading from Fedora 20 to Fedora 21
on Qubes OS R2 (default templates) with Thunderbird 31.7.0 and TorBirdy
0.1.4.
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk