[tor-talk] Important Information for TorBirdy Users: OS upgrade (might) results in failure to mask timezone (observed on Fedora20-21 Qubes OS R2)


This is (preliminary) information for TorBirdy users (and their developers).

Bug Impact:
Outbound emails disclose the actual timezone in the "Date" header (instead of using UTC regardless of actual OS timezone). This reveals a sender's raw location and more importantly allows attackers to link pseudonyms because the timezone in outbound emails potentially changed at the same point in time for all used pseudonyms of a single entity.

The root cause and the affected systems have not been analyzed yet, but I wanted to send this out as soon as possible so people are aware of this problem and can avoid it until it gets fixed.

Are you affected?
It has been observed on Qubes OS R2 default Fedora template after changing from Fedora 20 to Fedora 21. It is not known whether this is Qubes OS specific in any way.

You can easily check whether you are affected by going to your 'sent' mail folder:

- select an email
- ctrl+u to see the source of the email
- search (ctrl+f) "Date:"
- if the line ends with +0000, timezone masking is working (if your OS timezone is not +0000); if it shows anything else, it is not working and you are probably affected (note: there is a TorBirdy setting to explicitly disable this protection; if you opted out, then this entire email is irrelevant to you)

If you are affected please add information (your OS) to the bug tracker to help debug this.

Trac ticket:

@TorProject: the 'cypherpunks' account is not working, could you enable it again so that people can use it?

Not available yet; TorBirdy devs will certainly send out information once this is solved/analyzed.

This bug has been observed after upgrading from Fedora 20 to Fedora 21 on Qubes OS R2 (default templates) with Thunderbird 31.7.0 and TorBirdy 0.1.4.
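
The manual check above (open a sent message, look at the "Date:" line) can be run over a whole sent folder. The following script is an added example, not part of the original post and not TorBirdy code; it assumes the sent folder is available as an mbox file, and the sample messages and function names are constructed for illustration.

```python
"""Audit sent mail for Date headers that disclose a non-UTC offset."""
import mailbox
import sys
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages (not real mail): masked, leaking, and no Date header.
SAMPLE = [
    "Message-ID: <1@example.invalid>\nDate: Mon, 01 Jun 2015 10:00:00 +0000\n\nhi\n",
    "Message-ID: <2@example.invalid>\nDate: Tue, 02 Jun 2015 12:00:00 +0200\n\nhi\n",
    "Message-ID: <3@example.invalid>\nSubject: no date\n\nhi\n",
]

def classify_date(value):
    """Return (verdict, offset): 'masked' for +0000, 'leaks' otherwise, 'unknown' if unusable."""
    try:
        offset = parsedate_to_datetime(value).utcoffset()
    except (TypeError, ValueError):   # missing or malformed header
        return "unknown", None
    if offset is None:                # "-0000" carries no zone information
        return "unknown", None
    return ("masked" if offset == timedelta(0) else "leaks"), offset

def audit(messages):
    """Return [(message_id, verdict, offset)] for an iterable of email Message objects."""
    return [(m["Message-ID"], *classify_date(m["Date"])) for m in messages]

def sample_messages():
    """Parse the constructed samples into Message objects."""
    return [message_from_string(raw) for raw in SAMPLE]

def main(argv):
    # With a path argument, read that mbox file; otherwise use the constructed samples.
    msgs = mailbox.mbox(argv[1], create=False) if len(argv) > 1 else sample_messages()
    results = audit(msgs)
    for msg_id, verdict, offset in results:
        print(f"{verdict:8} {offset!s:>9}  {msg_id}")
    leaks = {off for _, verdict, off in results if verdict == "leaks"}
    if leaks:
        print("distinct non-UTC offsets seen:", sorted(str(o) for o in leaks))
    return 1 if leaks else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero when any message carries a non-UTC offset, so the script can run as a routine check after an OS or template upgrade.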
