[tor-bugs] #10989 [BridgeDB]: bridgedb should use starttls for outgoing mails

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 7 09:25:52 UTC 2014


#10989: bridgedb should use starttls for outgoing mails
-------------------------+-------------------------------------------------
     Reporter:  arma     |      Owner:  isis
         Type:           |     Status:  assigned
  enhancement            |  Milestone:
     Priority:  major    |    Version:
    Component:           |   Keywords:  bridgedb-email, bridgedb-gsoc-
  BridgeDB               |  application
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by sysrqb):

 Replying to [comment:3 isis]:
 > Sysrqb, if I recall correctly, you looked into this at the 2014 Winter
 > meeting... did you discover anything notable?
 >
 > I do not recall off the top of my head if emails sent out from BridgeDB are
 > sent through Postfix, or directly sent from the `bridgedb.EmailServer`
 > module.

 It is the former, and so far it seems to be doing what we want. I was
 silly and assumed it was the latter when I talked to arma. I just tested
 the inter-operation with yahoo.

 yahoo -> bridges.tp.o:
 {{{
 Received: BridgeDB
 From xxxx at yahoo.com  Fri Mar  7 XX:XX:XX 2014
 X-Original-To: bridges at bridges.torproject.org
 Delivered-To: bridgedb at ponticum.torproject.org
 Received: from nm36.bullet.mail.ne1.yahoo.com
 (nm36.bullet.mail.ne1.yahoo.com [98.138.229.29])
       (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
       (Client did not present a certificate)
       by ponticum.torproject.org (Postfix) with ESMTPS id
       for <bridges at bridges.torproject.org>; Fri,  7 Mar 2014 XX:XX:XX
 +0000 (UTC)
 Received: from [127.0.0.1] by nm36.bullet.mail.ne1.yahoo.com with NNFMP;
 07 Mar 2014 XX:XX:XX -0000
 Received: from [98.138.100.113] by nm36.bullet.mail.ne1.yahoo.com with
 NNFMP; 07 Mar 2014 XX:XX:XX -0000
 Received: from [98.138.226.160] by tm104.bullet.mail.ne1.yahoo.com with
 NNFMP; 07 Mar 2014 XX:XX:XX -0000
 Received: from [127.0.0.1] by omp1061.mail.ne1.yahoo.com with NNFMP; 07
 Mar 2014 XX:XX:XX -0000
 Received: (qmail 58298 invoked by uid 60001); 7 Mar 2014 XX:XX:XX -0000
 Received: from [162.243.119.77] by web126103.mail.ne1.yahoo.com via HTTP;
 Thu, 06 Mar 2014 XX:XX:XX PST
 X-Mailer: YahooMailWebService/0.8.177.636
 }}}

 So it appears to be unencrypted intra-yahoo, but
 `TLSv1 with cipher DHE-RSA-AES256-SHA` over the net. Not bad.

 bridges.tp.o -> yahoo:

 {{{
 From bridges at torproject.org Fri Mar  7 XX:XX:XX 2014
 Return-Path: <bridges at torproject.org>
 Received: from 127.0.0.1  (EHLO ponticum.torproject.org) (38.229.72.19)
 by mta1311.mail.ne1.yahoo.com with SMTPS; Fri, 07 Mar 2014 XX:XX:XX +0000
 Received: from ponticum.torproject.org (localhost [127.0.0.1])
 by ponticum.torproject.org (Postfix) with SMTP id
 for <XXXX at yahoo.com>; Fri,  7 Mar 2014 XX:XX:XX +0000 (UTC)
 Content-Type: text/plain
 From: bridges at torproject.org
 To: XXXX at yahoo.com
 }}}
 SMTPS is used during the return, so its security level is not immediately
 obvious but it's still better than plaintext.

 And, in addition to cypherpunks' post,
 gmail -> tp.o uses `TLSv1 with cipher ECDHE-RSA-RC4-SHA`

 Also, for the record,
 tp.o -> bridges.tp.o uses `TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384`

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10989#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
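
The per-hop reading of `Received:` headers done by eye in the comment above can be scripted. This is an added example, not code from the ticket or from BridgeDB; the sample message is constructed with placeholder hosts, and the status labels are names chosen here. Each header is only what the receiving relay chose to record about that hop.

```python
import email
import re

# "with" keywords that claim TLS: ESMTPS/ESMTPSA/LMTPS/LMTPSA are registered in
# RFC 3848; SMTPS is the label that appears in the Yahoo header quoted above.
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "SMTPS"}
# Postfix annotation, e.g. "(using TLSv1 with cipher DHE-RSA-AES256-SHA (...))"
TLS_DETAIL = re.compile(r"\(using (\S+) with cipher (\S+)")
WITH_PROTO = re.compile(r"(?:^|\s)with ([A-Za-z0-9]+)")
BY_HOST = re.compile(r"(?:^|\s)by (\S+)")

# Constructed sample: hosts, addresses and ids are placeholders.
SAMPLE = (
    "Received: from out.example.com (out.example.com [192.0.2.10])\n"
    "\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\n"
    "\tby mx.example.org (Postfix) with ESMTPS id 0123456789;\n"
    "\tFri, 7 Mar 2014 00:00:00 +0000 (UTC)\n"
    "Received: from [127.0.0.1] by out.example.com with NNFMP; 07 Mar 2014 00:00:00 -0000\n"
    "Received: from 127.0.0.1 (EHLO mx.example.org) (192.0.2.20)\n"
    "\tby mta.example.com with SMTPS; Fri, 07 Mar 2014 00:00:00 +0000\n"
)

def strip_comments(value):
    """Drop parenthesised comments, innermost first, so nested ones go too."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def classify_hop(received):
    """Report what one Received: header claims about transport encryption."""
    flat = " ".join(received.split())          # unfold the header
    detail = TLS_DETAIL.search(flat)
    bare = strip_comments(flat)                # keeps "with cipher" out of the way
    with_m, by_m = WITH_PROTO.search(bare), BY_HOST.search(bare)
    proto = with_m.group(1).upper() if with_m else None
    if detail:
        status = "tls"                          # version and cipher recorded
    elif proto in TLS_WITH:
        status = "tls-unspecified"              # TLS claimed, no details given
    else:
        status = "no-tls-evidence"
    return {"by": by_m.group(1) if by_m else None, "with": proto, "status": status,
            "version": detail.group(1) if detail else None,
            "cipher": detail.group(2) if detail else None}

def audit(raw_message):
    msg = email.message_from_string(raw_message)
    return [classify_hop(v) for v in msg.get_all("Received", [])]
```

`audit()` returns the hops newest first, in the order the headers appear; a `tls-unspecified` hop corresponds to the `SMTPS` case above, where TLS is claimed but no version or cipher is recorded.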

