
Re: [tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)

05/06/2012 03:57 PM, Jacob Appelbaum:
>> A few Tor hackers (Sukhbir, tagnar, myself, etc) are working on a 
>> plugin for Thunderbird that attempts to Torify it properly. The 
>> codename for now is 'torbutton-birdy' and it is based largely on 
>> the seminal analysis[-1] by tagnaq. Two core goals in addition to
>> Torification are the integration with MixGUI[0] and of course
>> Enigmail[1].

This sounds awesome! In Tails we have had plans to move to
Thunderbird/Icedove [1] for some time and this seems like a must have.

[1] https://tails.boum.org/todo/Return_of_Icedove__63__/

>>> DNS and other connections leak during account creation (when
>>> Thunderbird is trying to work out how to connect), but after that I can
>>> receive (IMAP w/STARTTLS, IMAPS) and send (Submission
>>> w/STARTTLS, SMTPS) without seeing any leaks, including no DNS
>>> leaks. I can also see the connections showing up in the Vidalia
>>> Network Map.
> These issues should be listed in the TODO file - I'm sorry to say 
> that Thunderbird and the Mozilla team seem to refuse to Do The
> Right Thing with the account setup wizard. The bugs on this topic are
> a depressing read - it's not really possible to override this and
> fail closed - which seems like an unreasonable stance...

In January I worked a bit on securing Thunderbird's autoconfiguration
wizard to make it suitable for Tails. What I did was the following:

* When probing a mail provider for an xml config, first try HTTPS,
  then HTTP (old behaviour: HTTP only).
* When using a fetched xml config, prefer using TLS/SSL over plaintext
  (old behaviour: use whatever is defined first in the xml file).
* Introduce a boolean pref called `mailnews.auto_config_ssl_only`
  (that has a checkbox in the autoconfiguration wizard) that does the
  following when true:
  - Only allow HTTPS when fetching xml configs from mail provider.
  - Only allow HTTPS when fetching xml configs from Mozilla's database
    (luckily the default URL is using HTTPS).
  - Don't check DNS MX records for mail configurations. (This may need
    some rethinking for DNSSEC.)
  - Only accept fetched xml configs that use safe email protocols
  - Only probe the mail server for safe email protocols (SSL/TLS for

These changes are implemented in the `secure_account_creation` branch
in a git repository that can be cloned as follows:

    git clone git://labs.riseup.net/tails_icedove.git

(Since the repo is huge (and there's no gitweb AFAIK) I also attached
the commits as git patches. These were written for Thunderbird 8, but I
know they apply cleanly to TB 10 as well.)

Comments on the above described approach (and the implementation) are of
course highly welcome.

The idea is to at least try to get this merged upstream (if not in
Mozilla, perhaps at least in Debian) in some form, otherwise we're
gonna ship an Icedove built from sources with these changes applied in

It's unclear to me if you've done (or plan to do) some work on the
autoconfig wizard in torbutton-birdy. I'd appreciate it if you could
elaborate on this.


Attachment: signature.asc
Description: OpenPGP digital signature
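
The selection policy described in the message above, sketched as an added example (this is not code from the `secure_account_creation` branch or from Thunderbird). The function names `fetch_schemes` and `pick_server` are hypothetical, the XML is a constructed sample in the autoconfig `config-v1.1.xml` layout, and the `ssl_only` argument stands in for the `mailnews.auto_config_ssl_only` pref.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Thunderbird's autoconfig (config-v1.1.xml) layout;
# the provider and hostnames are made up.
SAMPLE_XML = """<clientConfig version="1.1">
  <emailProvider id="example.org">
    <incomingServer type="imap">
      <hostname>imap.example.org</hostname><port>143</port>
      <socketType>plain</socketType>
    </incomingServer>
    <incomingServer type="imap">
      <hostname>imap.example.org</hostname><port>143</port>
      <socketType>STARTTLS</socketType>
    </incomingServer>
    <incomingServer type="imap">
      <hostname>imap.example.org</hostname><port>993</port>
      <socketType>SSL</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.org</hostname><port>25</port>
      <socketType>plain</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

SAFE = ("SSL", "STARTTLS")  # socketType values that use TLS


def fetch_schemes(ssl_only):
    """Order in which to probe for an XML config: HTTPS first, HTTP only if allowed."""
    return ["https"] if ssl_only else ["https", "http"]


def pick_server(xml_text, tag, ssl_only):
    """Return (hostname, port, socketType) for `tag`, or None to fail closed."""
    servers = []
    for node in ET.fromstring(xml_text).iter(tag):
        # A missing socketType is treated as plaintext (assumption of this sketch).
        sock = (node.findtext("socketType") or "plain").strip()
        servers.append((node.findtext("hostname"), int(node.findtext("port")), sock))
    if ssl_only:
        servers = [s for s in servers if s[2] in SAFE]
    # Stable sort: TLS entries first, file order otherwise, so the old
    # "whatever is defined first" behaviour only decides between equals.
    servers.sort(key=lambda s: s[2] not in SAFE)
    return servers[0] if servers else None
```

With the sample above, the plaintext IMAP entry listed first is skipped in both modes, and the plaintext-only SMTP entry is rejected when `ssl_only` is set.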
