[tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)

Jacob Appelbaum jacob at appelbaum.net
Mon May 7 19:55:20 UTC 2012


On 05/07/2012 11:33 AM, anonym wrote:
> 05/06/2012 03:57 PM, Jacob Appelbaum:
>>> A few Tor hackers (Sukhbir, tagnaq, myself, etc) are working on a
>>> plugin for Thunderbird that attempts to Torify it properly. The
>>> codename for now is 'torbutton-birdy' and it is based largely on
>>> the seminal analysis[-1] by tagnaq. Two core goals in addition to
>>> Torification are the integration with MixGUI[0] and of course
>>> Enigmail[1].
> 
> This sounds awesome! In Tails we have had plans to move to
> Thunderbird/Icedove [1] for some time and this seems like a must have.
> 
> [1] https://tails.boum.org/todo/Return_of_Icedove__63__/
> 

Great - I agree. It would basically be installed and then any account in
use will be configured to go over Tor by default.

>>>> DNS and other connections leak during account creation (when
>>>> Thunderbird is trying to work out how to connect), but after that
>>>> I can receive (IMAP w/STARTTLS, IMAPS) and send (Submission
>>>> w/STARTTLS, SMTPS) without seeing any leaks, including no DNS
>>>> leaks. I can also see the connections showing up in the Vidalia
>>>> Network Map.
>>>>
>> These issues should be listed in the TODO file - I'm sorry to say 
>> that Thunderbird and the Mozilla team seem to refuse to Do The
>> Right Thing with the account setup wizard. The bugs on this topic are
>> a depressing read - it's not really possible to override this and
>> fail closed - which seems like an unreasonable stance...
> 
> In January I worked a bit on securing Thunderbird's autoconfiguration
> wizard to make it suitable for Tails. What I did was the following:
> 
> * When probing a mail provider for an xml config, first try HTTPS,
>   then http (old behaviour: http only).
> * When using a fetched xml config, prefer using TLS/SSL over plaintext
>   (old behaviour: use whatever is defined first in the xml file).
> * Introduce a boolean pref called `mailnews.auto_config_ssl_only`
>   (that has a checkbox in the autoconfiguration wizard) that does the
>   following when true:
>   - Only allow HTTPS when fetching xml configs from mail provider.
>   - Only allow HTTPS when fetching xml configs from Mozilla's database
>     (luckily the default URL is using HTTPS).
>   - Don't check DNS MX records for mail configurations. (This may need
>     some rethinking for DNSSEC.)
>   - Only accept fetched xml configs that use safe email protocols
>     (SSL/TLS for SMTP/IMAP/POP).
>   - Only probe the mail server for safe email protocols (SSL/TLS for
>     SMTP/IMAP/POP).
> 
> These changes are implemented in the `secure_account_creation` branch
> in a git repository that can be cloned as follows:
> 
>     git clone git://labs.riseup.net/tails_icedove.git

All of those need to go upstream, please. They do not belong in
Torbutton-birdy, they belong in TB proper, I think.

> 
> (Since the repo is huge (and there's no gitweb AFAIK) I also attached
> the commits as git patches. These were written for Thunderbird 8, but I
> know they apply cleanly to TB 10 as well.)
> 

Nothing attached here...

> Comments on the above described approach (and the implementation) are of
> course highly welcome.
> 
> The idea is to at least try to get this merged upstream (if not in
> Mozilla, perhaps at least in Debian) in some form, otherwise we're
> gonna ship an Icedove built from sources with these changes applied in
> Tails.
> 

Yes, I agree.

> It's unclear to me if you've done (or plan to do) some work on the
> autoconfig wizard in torbutton-birdy. I'd appreciate if you could
> elaborate on this.
> 

We haven't touched it - please check out the TODO.

All the best,
Jacob
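
Added example, not part of the original message and not code from the `secure_account_creation` branch: a Python sketch of the fail-closed selection anonym describes (HTTPS-first probing, encrypted entries preferred over file order, plaintext rejected when the SSL-only pref is set). The `autoconfig.<domain>` URL path, the `socketType` values and treating STARTTLS as acceptable are assumptions; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Assumption: socketType values of the autoconfig XML format, best first;
# anything else (including "plain") is treated as unencrypted.
SECURE = ("SSL", "STARTTLS")

# Constructed sample: the plaintext IMAP entry is listed first and the
# only SMTP entry is plaintext.
SAMPLE = """<clientConfig version="1.1"><emailProvider id="example.org">
<incomingServer type="imap"><hostname>mail.example.org</hostname>
  <port>143</port><socketType>plain</socketType></incomingServer>
<incomingServer type="imap"><hostname>mail.example.org</hostname>
  <port>993</port><socketType>SSL</socketType></incomingServer>
<outgoingServer type="smtp"><hostname>mail.example.org</hostname>
  <port>25</port><socketType>plain</socketType></outgoingServer>
</emailProvider></clientConfig>"""

def probe_urls(domain, ssl_only):
    """Config URLs to try: HTTPS first, http only when ssl_only is off."""
    path = "autoconfig.%s/mail/config-v1.1.xml" % domain  # assumed location
    return ["%s://%s" % (s, path) for s in (["https"] if ssl_only else ["https", "http"])]

def pick_server(servers, ssl_only):
    """Prefer encrypted entries over plaintext regardless of file order."""
    def rank(s):
        st = s["socketType"]
        return SECURE.index(st) if st in SECURE else len(SECURE)
    usable = [s for s in servers if s["socketType"] in SECURE or not ssl_only]
    return min(usable, key=rank) if usable else None

def select_config(xml_text, ssl_only=True):
    """Return (incoming, outgoing); an entry is None if nothing is acceptable."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations refused in fetched config")
    found = {"incomingServer": [], "outgoingServer": []}
    root = ET.fromstring(xml_text)
    for tag, servers in found.items():
        for el in root.iter(tag):
            servers.append({
                "type": el.get("type"),
                "hostname": (el.findtext("hostname") or "").strip(),
                "port": int(el.findtext("port") or 0),
                "socketType": (el.findtext("socketType") or "plain").strip(),
            })
    return (pick_server(found["incomingServer"], ssl_only),
            pick_server(found["outgoingServer"], ssl_only))

if __name__ == "__main__":
    print(select_config(SAMPLE, ssl_only=True))
    print(select_config(SAMPLE, ssl_only=False))
```

With the SSL-only setting on, the sample yields the port 993 IMAP entry and no outgoing server at all, so account setup would stop rather than fall back to plaintext SMTP.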

