[tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)
Jacob Appelbaum
jacob at appelbaum.net
Sun May 6 13:57:15 UTC 2012
On 05/06/2012 03:52 AM, Mix+TB Test wrote:
> Jacob Appelbaum wrote:
>> Hi,
>>
>> A few Tor hackers (Sukhbir, tagnar, myself, etc) are working on a plugin
>> for Thunderbird that attempts to Torify it properly. The codename for
>> now is 'torbutton-birdy' and it is based largely on the seminal
>> analysis[-1] by tagnaq. Two core goals in addition to Torification is
>> the integration with MixGUI[0] and of course Enigmail[1].
>
> Nice. I didn't even realise that MixMinion was still a going concern.
I think it's clear that we need MixMinion for the near future and well,
the present for everyday of people. :(
>
>> At the moment the code is entirely un-reviewed and is not ready for real
>> use. If you'd like to test it, we'd very much appreciate it. We have not
>> uploaded the extension to Mozilla's addon site - I'm not sure we'll ever
>> do that as a result of data retention issues and other stuff.
>
> Some very early feedback ...
>
> DNS and other connections leak during account creation (when Thunderbird
> is trying to work out how to connect), but after that I can receive
> (IMAP w/STARTTLS, IMAPS) and send (Submission w/STARTTLS, SMTPS) without
> seeing any leaks, including no DNS leaks. I can also see the connections
> showing up in the Vidalia Network Map.
>
These issues should be listed in the TODO file - I'm sorry to say that
Thunderbird and the Mozilla team seems to refuse to Do The Right Thing
with the account setup wizard. The bugs on this topic are a depressing
read - it's not really possible to override this and fail closed - which
seems like an unreasonable stance...
> When sending via IMAP (even when using STARTTLS) there is a pop up to
> notify you that you're sending in the clear, and the warning goes away
> when you switch to IMAPS. No such warning appears when using Submission
> w/STARTTLS. (Or when using SMTPS, as expected.)
That is to be expected, yes.
>
> This was all performed using a clean Thunderbird 12.0.1 profile, no
> other addons, 64-bit Debian 6.0.4, Tor Browser 2.2.35-11 with a static
> SOCKS port.
Great. So as it stands, I found the following meta-data in your email
that may be harmful to your privacy:
Message-ID: <4FA5D959.4010902 at yandex.com>
Date: Sun, 06 May 2012 11:52:25 +1000
Your raw email is impressive in how many systems it seems to touch - it
routes over Tor through the Noisebridge exit, it traverses some ipv6
SMTP servers and so on. There's a lot of stuff in there - can you look
through it and tell me if any of it is harmful to your privacy other
than the two lines listed above?
All the best,
Jacob
More information about the tor-talk
mailing list