[tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)
mix.tb at yandex.com
Mon May 7 11:42:06 UTC 2012
Sukhbir Singh wrote:
>> I didn't see the Message ID as harmful, but I'm more than happy to be
>> educated on this front. I do see the timezone leakage as a problem.
> The Message-ID used by Thunderbird consists of two parts: the Unix
> timestamp in hexadecimal format (which matches the time in the 'Date'
> header) and a random number, the former being the reason why the
> message-ID is considered 'harmful'. tagnaq's paper  discusses this
> and proposes a time independent message-ID for Thunderbird.
>  - https://trac.torproject.org/projects/tor/attachment/wiki/doc/TorifyHOWTO/EMail/Thunderbird/Thunderbird%2BTor.pdf
Thanks for the info. I'll have a good read through this over the next
>> had a look through Thunderbird's settings and can't see anything to
>> indicate that this is stored within the settings so I imagine that this
>> comes from system. If it's controlled through the environment then it
>> may be able to be set before running, again maybe through a TBB style
> Yes, there is no way to change this using the configuration settings.
> It is possible to do this by setting the 'TZ' environment variable
> , however that introduces a new problem: Thunderbird then uses UTC
> as the dates on emails also and this may confuse/ irritate the users.
> We are currently working on the date and the message-ID issue.
>  - https://www.torproject.org/torbutton/torbutton-faq.html.en#securityissues
Trying this now just to see what it looks like.
>> My only other immediate concern is how Thunderbird identifies itself to
>> the SMTP server during the EHLO. Claws mail provides a dialogue to show
>> what it's doing, and also allows you to specify what it is that is
>> reported to the other end. I'm not sure what Thunderbird says, but it's
>> likely that it is the local hostname.
> This has been taken care of, 'mail.smtpserver.default.hello_argument'
> is set to '127.0.0.1' to prevent hostname leaks.
> Thanks for helping us test this out.
Happy to help.
More information about the tor-talk