what about SMTPS over Tor?

[anonym]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/01/08 21:01, Martin Fick wrote:
> --- anonym <anonym at lavabit.com> wrote:
> 
>> On 02/01/08 09:16, anon ymous wrote:
>> But I'm more interested in smtp on the "open"
>> Internet currently as I don't want to push too many 
>> new concepts on the people I try to help,
>> _and_ I need a solution fast (+ I don't have any
>> resources for putting up the required setup for a 
>> hidden service email).
>>
>> I would like that smtps got a similar status with
>> Tor as http(s) has. IMHO the issues with http(s) 
>> (e.g. javascript, cookies) seem to be far
>> worse than smtp unless I've missed something, so I
>> don't understand while it's not focused on more. At 
>> least until all the issues with anonymous remailers 
>> have been sorted out (like that you can't reply to
>> messages).
> 
> 
> It seems to me that the problem here really isn't tor,
> but rather one of not having an equivalent of privoxy
> for SMTPS?  HTTP was dealt with easily because people
> approached the privacy angle with privoxy
> independently of tor.  I agree that it would be nice
> to start a similar project for SMTP(S).  Seems like
> hacking a simple remailer such as ssmtp would be one
> way to start,

Ok, but how well does privoxy protect against the dreaded javacript
based attacks that leaks the actual IP address of the Tor user? I am
under the impression that privoxy doesn't protect against this and that
completet deactivation of javacript is necessary for security, at least
right now (future improvements to privoxy might of course fix this).

In any case, my arguemnt is that Thunderbird + Torbutton for smtps is
basically just as good as Firefox + Privoxy + Torbutton (which has to
deal with javascript, cookies, flash, etc.) is for http(s) unless I miss
something. The only thing Thunderbird seems to leak over SMTP is some
non-critical stuff in the header, like user-agent (all which easily
could be prevented by an addon such as Torbutton wich already does the
equivalent for Firfox' http(s) headers). The much more critical issue of
including the IP address or hostname of the Tor user's computer in the
EHLO/HELO message (sent in the initial steps of smtp) is taken care by
Torbutton according to my network sniffing research.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHfaSzp8EswdDmSVgRAowaAJ0a9vKnNvv2NJijNHK09tY0KXh75ACaArxg
dtyMcBY2kkcbaMzTfuc7XkA=
=qO0C
-----END PGP SIGNATURE-----