xB Mail: Anonymous Email Client

Thu Aug 21 17:21:08 UTC 2008

> Here are some suggestions. Some of them ere also mentioned in the other
> thread about changing the default exit policy.
> 
> 1.) Block remote image loading

It was my intention to block all markup rendering, in addition to blocking
that inside the client.

> 2.) Obfuscate the data sent in the EHLO so it doesn't leak the hostname/ip

I'll have to check how thunderbird implements smtp.

> 3.) Even using an obfuscated EHLO, that can still leak information. If
> you're using TLS rather than SSL on connect when sending an email, the
> exit node can see what is sent in the EHLO. The fact that you send the
> same EHLO every time could potentially let the exit node identify you if
> you come back. Therefore, although it's not the standard, SSL on connect
>  on port 465 is preferable to TLS on port 587/25 when submitting email
> over Tor.

Very good observation.

> 4.) The "Use secure connection" account settings should never be "TLS if
> available" as a mitm attack could stop you from negotiating SSL without
> realising.

Agreed. I think this was an issue in The Bat! client.

> 5.) The "Check for new messages every" option could leak to the exit
> node that it is the same client coming back, if you set it to an unusual
> value like 17 minutes for example. Changing from the default should be
> dissuaded.

Agreed. Or possibly randomizing the time. This also leads to a timing
correlation on "timeout" settings as well.

> 6.) If people use a Torified account alongside a non Torified account
> (I'd make it advise people to use a separate profile). But if they do,
> do that, then it needs to make sure the two accounts don't share the
> same LDAP server.

It is my intent that people do not use the client to mix anonymous and
non anonymized accounts over an anonymity network, as we would again
break the context protection.

> 7.) Turn off return receipts and Junk filtering

Junk filtering is sticky. Because we are going to use thunderbird, we
can create bayesian filters in token form, and push token updates to
the client. It would be kind of amazing if the latest paris hilton
spam was blocked before the user had to read it. The management program
could update such a token over https, un-anonymized, every x time.

> 8.) For convenience rather than security, I'd make it automatically turn
> on the options to download the full messages to disk.

Thats one of those distasteful things about mail, and one of the reasons
I prefer IMAP over POP. POP is fine if you're encrypting your message
base, but if not, IMAP is preferable. But I tell you what... i really
*could* encrypt the messagebase on thunderbird. No telling how secure
that would really be in windows implementation, but it is certainly
a fun idea.

> Oh. It would also be nice if you could add a list of keywords that
> Thunderbird shouldn't allow you to send in an email, in case you
> accidently sign a message with your own name for example.

Great idea. Love it.

Regards,
Arrakis