[tor-talk] Important Information for TorBirdy Users: OS upgrade (might) results in failure to mask timezone (observed on Fedora20-21 Qubes OS R2)

torbirdyfoo at ruggedinbox.com torbirdyfoo at ruggedinbox.com
Mon Jun 22 20:14:45 UTC 2015


Hi,

this is a (pre) information for TorBirdy users (and their developers).

Bug Impact:
Outbound emails disclose the actual timezone in the "Date" header 
(instead of using UTC regardless of actual OS timezone).
This reveals a sender's raw location and more importantly allows 
attackers to link pseudonyms because the timezone in outbound emails 
potentially changed at the same point in time for all used pseudonyms of 
a single entity.

The root cause and affected systems of the problem are not
analyzed yet but I wanted to send this out as soon as possible
so people are aware of this problem and can avoid it until it gets 
fixed.

Are you affected?
It has been observed on Qubes OS R2 default Fedora template after 
changing from Fedora 20 to Fedora 21. It is not known whether this is 
Qubes OS specific in any way.

You can easily check whether you are affected by going to your 'sent' 
mail folder:

- select an email
- ctrl+u to see the source of the email
- search (ctrl+f) "Date:"
- if the line ends with +0000, timezone masking is working (if your OS 
timezone is not +0000)
- if it shows anything else it is not working and you are probably 
affected
(note: there is a TorBirdy setting to explicitly disable this 
protection; if you opted out then this entire email is irrelevant to 
you)

If you are affected please add information (your OS) to the bug tracker 
to help debug this.

Trac ticket:
https://trac.torproject.org/projects/tor/ticket/16419

@TorProject: the 'cypherpunks' account is not working, could you enable 
it again so that people can use it?

Fix?
Not available yet; the TorBirdy devs will certainly send out information 
once this is solved/analyzed.


This bug has been observed after upgrading from Fedora 20 to Fedora 21 
on Qubes OS R2 (default templates) with Thunderbird 31.7.0 and TorBirdy 
0.1.4.
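
The manual 'sent' folder check described above can be run over a whole folder at once. The following is an added example, not part of the original post and not TorBirdy code: it flags every message whose "Date:" header does not end in +0000. It assumes the sent folder is available as an mbox file whose path you pass as the first argument; the sample messages, addresses and function names are constructed for illustration.

```python
import email
import mailbox
import re
import sys
from collections import Counter

# Numeric zone at the end of a Date header, optionally followed by a comment such as "(EDT)".
ZONE_RE = re.compile(r"([+-]\d{4})(?:\s*\([^)]*\))?\s*$")

def zone_of(date_header):
    """Return the numeric zone (e.g. '+0200') of a Date header value, or None if absent."""
    match = ZONE_RE.search(str(date_header or ""))
    return match.group(1) if match else None

def leaking_messages(messages):
    """Return (message_id, date_header, zone) for each message whose Date is not +0000."""
    leaks = []
    for msg in messages:
        date = msg.get("Date")
        zone = zone_of(date)
        if zone != "+0000":
            leaks.append((msg.get("Message-ID", "<no message-id>"), date, zone))
    return leaks

def zone_summary(messages):
    """Count messages per zone; more than one key means the zone changed over time."""
    return Counter(zone_of(m.get("Date")) for m in messages)

# Constructed sample messages (not real mail), used when no mbox path is given.
SAMPLE = [email.message_from_string(raw) for raw in (
    "Message-ID: <1@example.invalid>\nDate: Mon, 22 Jun 2015 20:14:45 +0000\n\nmasked\n",
    "Message-ID: <2@example.invalid>\nDate: Mon, 22 Jun 2015 22:14:45 +0200\n\nleaks\n",
    "Message-ID: <3@example.invalid>\nDate: Mon, 22 Jun 2015 16:14:45 -0400 (EDT)\n\nleaks\n",
)]

if __name__ == "__main__":
    # Assumption: argv[1] is the path to an existing mbox file holding the sent folder.
    msgs = list(mailbox.mbox(sys.argv[1], create=False)) if len(sys.argv) > 1 else SAMPLE
    for message_id, date, zone in leaking_messages(msgs):
        print(f"NOT MASKED zone={zone} id={message_id} date={date}")
    print("zones seen:", dict(zone_summary(msgs)))
```

As the post notes, a +0000 result only shows masking is working if your OS timezone is not itself +0000.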

