[tor-talk] Thunderbird, GMail and Tor - is it safe?

Tue Aug 9 15:57:35 UTC 2011

On 8/9/2011 10:03 AM, Phillip wrote:
> Hi,
>
> My question is about the safety of using Thunderbird to send e-mail
> through Tor.
>
> A little background: I run a moderate capacity (~500-600 kb/s) Tor
> relay. I've configured my Thunderbird client to use the Tor network, as
> well as to not leak DNS resolves, and I've verified through test e-mails
> that they are being sent to the GMail server through a Tor exit node. My
> accounts are configured to use SSL/TLS for both IMAP and SMTP.
>
> I understand that once e-mail leaves the GMail servers, it's about as
> secure as sending an open post card.
>
> My question is whether the SSL/TLS connections between my e-mail client
> and the GMail server are being made through the Tor network, and whether
> using Tor in such a way exposes my otherwise unencrypted e-mail to a
> greater risk of being skimmed by, say, a potentially hostile Tor exit node?
>
> My goal is simply to anonymise my IP, which gets leaked gratuitously by
> Thunderbird, and to ensure that the e-mail gets to the GMail server as
> securely as if I was using the https web mail.
>
> Thanks in advance for any assistance!
>
> Cheers,
>
> Phillip
As I understand it, just sending unencrypted mail to an email provider 
thru Tor, only masks your true IP address.  This assumes you've set up 
an acct w/ provider, WHILE USING TOR.
Once it hits (Gmail & many others') servers, they're going to scan 
unencrypted mail, as well as mail sent to you.  If your received mail is 
unencrypted, providers will scan that.

You can use HTTPS connection & Tor to Gmail, which will hide your IP, 
provide protection * between you & Gmail,*  but if unencrypted, won't 
keep them from scanning it.

Yes, I believe an exit node could scan unencrypted mail.  I'm not sure 
about when you use SSL between you & final destination.  Others can 
chime in (please correct any mistakes here).
Generally, it's not suggested to send sensitive, unencrypted info thru 
Tor when using plain HTTP connection w/ a site.

One solution for you might be to use the popular "Enigmail" Tbird addon 
(from AMO's site) to encrypt mail.  You can read up on it at AMO & 
Enigmail's home page - what's involved for you & recipients of your 
mail.  It's not that difficult.