Hello everyone,
I'm in my final year of B.E in Electronics & Instrumentation Engineer and M.Sc in Mathematics from BITS Pilani, India. I was hoping to get a chance to work with the Tor community through this years GSOC. I was reading the projects list and was interested in contributing to the Torbirdy project as I have some experience in coding in Javascript.
I wanted to clarify my understanding of the current status of the project. The project requires resolving two issues related to location anonymity weakening due to local timestamp leakage specifically in the MessageID & Date header fields.
From reading issues #6314, #6315 mentioned and the patch requests submitted
for bugs #902573 and #902580 at bugzilla.mozilla.org, It seems that the current hold up by Mozilla to accepting the patch request are: 1. Establishing how well Thunderbird & other mail clients handle the date not being inserted by the sender in the mail header 2. Finding which MTA/MSA's automatically insert date headers on their own and if most/all don't, finding a workaround to that. Gmai, Mail.com, Gmx, Yandex and the now dead Lavabit had been tested successfully for automatic date header insertion 3. And using extension hooks with explicit calls instead of checking user set configurations flags for removing timestamp data from header. This it's suggested will allow better handling of messages received/sent in the background by Thunderbird.
If someone can let me know if this is the current status of the project or if there are some details I'm missing or even if I've completely missed the point it would be great.
Thanks and sorry for the longish mail
D
Hi mujnabed,
I wanted to clarify my understanding of the current status of the project. The project requires resolving two issues related to location anonymity weakening due to local timestamp leakage specifically in the MessageID & Date header fields.
Thanks for your interest in Tor and TorBirdy!
From reading issues #6314, #6315 mentioned and the patch requests submitted for bugs #902573 and #902580 at bugzilla.mozilla.org, It seems that the current hold up by Mozilla to accepting the patch request are:
- Establishing how well Thunderbird & other mail clients handle the date
not being inserted by the sender in the mail header 2. Finding which MTA/MSA's automatically insert date headers on their own and if most/all don't, finding a workaround to that. Gmai, Mail.com, Gmx, Yandex and the now dead Lavabit had been tested successfully for automatic date header insertion
This was the idea when the patches were submitted but in later discussions, we decided that removing the date header completely was not a good idea and would break things, not only in Thunderbird but in other MUAs. Also, convincing Mozilla to get such a patch accepted is likely going to be difficult.
The exact specifics can be discussed later, but as mentioned in #902573, this option looks most suitable:
Keep the Date header and ensure it is in UTC (eg: allow some clock disclosure but not time zone to network)
- And using extension hooks with explicit calls instead of checking user
set configurations flags for removing timestamp data from header. This it's suggested will allow better handling of messages received/sent in the background by Thunderbird.
Yes, that's correct. Figuring out how to do this and doing it properly is the only blocker. We already have code ready for generating random message-IDs (which could also use some work but that is for later) which is called using the preferences system, which is what you are going to be replacing.
Let me know if you have any more questions. It would also be helpful to read https://bugzilla.mozilla.org/show_bug.cgi?id=776397, which was the original ticket we submitted.