[tor-bugs] #20861 [Applications/TorBirdy]: X-Mozilla-Keys (offline messages) in forwarded message (as an attachment)

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jan 9 02:11:07 UTC 2017 

#20861: X-Mozilla-Keys (offline messages) in forwarded message (as an attachment)
-----------------------------------+---------------------------
 Reporter:  cypherpunks            |          Owner:  sukhbir
     Type:  defect                 |         Status:  closed
 Priority:  Medium                 |      Milestone:
Component:  Applications/TorBirdy  |        Version:
 Severity:  Normal                 |     Resolution:  not a bug
 Keywords:  TorBirdy 0.2.1         |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+---------------------------
Changes (by cypherpunks):

 * status:  new => closed
 * resolution:   => not a bug


Comment:

 After reading the ''design goals document'' [1], I agree it's outside the
 scope of torbirdy to disguise the MUA (esp. because by having [127.0.0.1]
 followed by a Tor exit relay IP-address in the first received-from-field
 (what at least some email provide remove) and/or the message-ID header)

 ''One might argue that revealing the used MUA is already
 a risk because it makes targeted attacks easier. This is a
 valid point. We do not actively reveal our MUA and the
 proposed changes reduce the identifying information con-
 siderably, but this does not stop an attacker from detecting
 Thunderbird, because Thunderbird most likely has a unique
 MUA fingerprint in terms of supported protocol and header
 features.''[1]

 the issue with the X-Mozilla-Keys is addressed, too.

 ''Thunderbird uses non-standardized header fields for inter-
 nal and local use. These header fields normally do not ap-
 pear in outgoing mails. In earlier versions of Thunderbird
 (2.x) these header fields were disclosed when forwarding
 mails. Since Thunderbird has changed its forwarding mode
 of emails to inline this is no longer an issue.''[1]
 (even so the option still exists in the context menu or by-left clicking
 on an e-mail)


 [1] ''Towards a Tor-safe Mozilla Thunderbird'',
 https://trac.torproject.org/projects/tor/attachment/wiki/doc/TorifyHOWTO/EMail/Thunderbird/Thunderbird%2BTor.pdf

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20861#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list