[tor-bugs] #6940 [TorBirdy]: analyze thunderbird HTTP proxy behaviour

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Mon Sep 24 02:22:32 UTC 2012 

#6940: analyze thunderbird HTTP proxy behaviour
----------------------+-----------------------------------------------------
 Reporter:  tagnaq    |          Owner:  sukhbir 
     Type:  task      |         Status:  assigned
 Priority:  normal    |      Milestone:          
Component:  TorBirdy  |        Version:          
 Keywords:            |         Parent:          
   Points:            |   Actualpoints:          
----------------------+-----------------------------------------------------

Comment(by ioerror):

 Replying to [comment:19 mikeperry]:
 > Replying to [comment:18 ioerror]:
 > > I've opened a ticket about the HTTP proxy in javascript: #6958
 >
 > I agree that Moxie needs mad props for bending XPCOM to his will with
 that JS HTTP proxy thing. However, I think a direct SOCKS patch for GPG
 (#2846) has less vulnerability surface and should be simpler code in
 total.

 We don't ship GPG as part of TorBirdy - we have to go with what we have
 and that is an older gpg, without a currently non-existent SOCKS patch or
 SOCKS support.

 >
 > The reason I think that the direct SOCKS patch reduces the vulnerability
 surface is nuanced. It probably doesn't matter unless we actually disable
 jsctypes in our own builds of Thunderbird (#6152).
 >
 > So for now, my recommendation is:
 >
 > 0. Disable GPG network activity by setting the proxy to garbage for now.

 That will break Enigmail for everyone. We're setting it to what should be
 a Torified HTTP proxy and if it fails, it fails. We won't break it for
 everyone.

 > 1. Try Moxie's code from #6958. If you can get it to work out of the box
 within an hour, use it for now

 That is the goal.

 > 2. If Moxie's code takes more than an hour to get it to work, you should
 try to provide a patch for SOCKS support to GPG (#2846). It's possible
 someone may have already written one already, somewhere...

 Such a patch is worthwhile but it will not help us until it is tested,
 merged, and then deployed to everyone. Thus, we'll still be waiting for a
 long long time. We should do both but first, we'll make a local HTTP proxy
 somehow.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6940#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list