[tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)

Jacob Appelbaum jacob at appelbaum.net
Mon May 7 19:53:28 UTC 2012


On 05/07/2012 05:02 AM, Mix+TB Test wrote:
>>> DNS and other connections leak during account creation (when Thunderbird
>>> is trying to work out how to connect), but after that I can receive
>>> (IMAP w/STARTTLS, IMAPS) and send (Submission w/STARTTLS, SMTPS) without
>>> seeing any leaks, including no DNS leaks. I can also see the connections
>>> showing up in the Vidalia Network Map.
>>
>> These issues should be listed in the TODO file - I'm sorry to say that
>> Thunderbird and the Mozilla team seem to refuse to Do The Right Thing
>> with the account setup wizard. The bugs on this topic are a depressing
>> read - it's not really possible to override this and fail closed - which
>> seems like an unreasonable stance...
> 
> I wonder whether tsocks could be distributed with Thunderbird, and a TBB
> style startup used to load the libraries and force Thunderbird through
> Tor that way?

Sounds like a nightmare. Let's not go down the TBB path - that way lies
madness.

> 
>> Great. So as it stands, I found the following meta-data in your email
>> that may be harmful to your privacy:
>>
>> Message-ID: <4FA5D959.4010902 at yandex.com>
>> Date: Sun, 06 May 2012 11:52:25 +1000
>>
>> Your raw email is impressive in how many systems it seems to touch - it
>> routes over Tor through the Noisebridge exit, it traverses some IPv6
>> SMTP servers and so on. There's a lot of stuff in there - can you look
>> through it and tell me if any of it is harmful to your privacy other
>> than the two lines listed above?
> 
> I didn't see the Message ID as harmful, but I'm more than happy to be
> educated on this front. I do see the timezone leakage as a problem. I've
> had a look through Thunderbird's settings and can't see anything to
> indicate that this is stored within the settings so I imagine that this
> comes from the system. If it's controlled through the environment then it
> may be able to be set before running, again maybe through a TBB style
> startup.
> 

Timing leaks are the issue. We need a time-independent implementation.

> My only other immediate concern is how Thunderbird identifies itself to
> the SMTP server during the EHLO. Claws mail provides a dialogue to show
> what it's doing, and also allows you to specify what it is that is
> reported to the other end. I'm not sure what Thunderbird says, but it's
> likely that it is the local hostname.

We've got this covered as Sukhbir said in another email.

All the best,
Jacob
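
An added example, not part of the thread or of torbutton-birdy: a small audit of a message's headers for the two lines flagged above. It treats a Message-ID whose first eight hex digits decode to a Unix time close to the Date header as a clock reading, which is this example's own heuristic and holds for the quoted values; `audit_headers` and `max_skew` are names assumed here.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# The two header lines quoted in the message above, with the archive's
# " at " obfuscation restored to "@". Subject and body are constructed.
SAMPLE = """\
Message-ID: <4FA5D959.4010902@yandex.com>
Date: Sun, 06 May 2012 11:52:25 +1000
Subject: constructed sample

body
"""

def audit_headers(raw, max_skew=300):
    """Return (header, finding) pairs for time-related metadata leaks."""
    msg = message_from_string(raw)
    findings = []
    sent = None
    if msg["Date"]:
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            sent = None  # unparseable Date: nothing to compare against
    # A non-zero UTC offset reveals the sender's configured timezone.
    if sent is not None and sent.utcoffset():
        findings.append(("Date", f"local UTC offset exposed: {sent.strftime('%z')}"))
    # Heuristic (assumption of this example): the Message-ID local part
    # starts with a hex-encoded Unix timestamp read from the sender's clock.
    m = re.match(r"<([0-9A-Fa-f]{8})\.", msg["Message-ID"] or "")
    if m and sent is not None and sent.tzinfo is not None:
        skew = abs(int(m.group(1), 16) - int(sent.timestamp()))
        if skew <= max_skew:
            findings.append(("Message-ID", f"hex prefix is a clock reading (skew {skew}s)"))
    return findings

if __name__ == "__main__":
    for header, finding in audit_headers(SAMPLE):
        print(f"{header}: {finding}")
```
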