Sukhbir Singh wrote: >> I didn't see the Message ID as harmful, but I'm more than happy to be >> educated on this front. I do see the timezone leakage as a problem. > > The Message-ID used by Thunderbird consists of two parts: the Unix > timestamp in hexadecimal format (which matches the time in the 'Date' > header) and a random number, the former being the reason why the > message-ID is considered 'harmful'. tagnaq's paper [0] discusses this > and proposes a time independent message-ID for Thunderbird. > > [0] - > https://trac.torproject.org/projects/tor/attachment/wiki/doc/TorifyHOWTO/EMail/Thunderbird/Thunderbird%2BTor.pdf
Thanks for the info. I'll have a good read through this over the next few days. >> had a look through Thunderbird's settings and can't see anything to >> indicate that this is stored within the settings so I imagine that this >> comes from system. If it's controlled through the environment then it >> may be able to be set before running, again maybe through a TBB style >> startup. > > Yes, there is no way to change this using the configuration settings. > It is possible to do this by setting the 'TZ' environment variable > [1], however that introduces a new problem: Thunderbird then uses UTC > as the dates on emails also and this may confuse/ irritate the users. > > We are currently working on the date and the message-ID issue. > > [1] - > https://www.torproject.org/torbutton/torbutton-faq.html.en#securityissues Trying this now just to see what it looks like. >> My only other immediate concern is how Thunderbird identifies itself to >> the SMTP server during the EHLO. Claws mail provides a dialogue to show >> what it's doing, and also allows you to specify what it is that is >> reported to the other end. I'm not sure what Thunderbird says, but it's >> likely that it is the local hostname. > > This has been taken care of, 'mail.smtpserver.default.hello_argument' > is set to '127.0.0.1' to prevent hostname leaks. Awesome. > Thanks for helping us test this out. Happy to help. _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
