prevent leak via Date header field (local timestamp disclosure)
Emails send with TorBirdy installed are currently leaking local timestamp information via the Date header field.
Sukhbir is preparing a patch for Thunderbird that will allow us to send emails without Date header field. The Date header will then be inserted by the mail server as described in chapter 4.2.3: http://bit.ly/qDZm7C
Activity
Replying to tagnaq:
Sukhbir is preparing a patch for Thunderbird that will allow us to send emails without Date header field.
patch is available here: https://raw.github.com/ioerror/torbirdy/master/patches/date.patch
If anyone want to help us to test it with many freemailers:
- apply the patch to thunderbirds source and recompile
- create a new preference and set it to false:
mailnews.local_date_header_generation = false
send your self an email and tell us whether the email in your Inbox contained a proper Date header.
Here are a few popular freemailers that would be good to test with the patch applied:
- yahoo
- hotmail
- hushmail
- gmx
- mail.ru
- yandex
- mail.com
Patch available here:
https://github.com/ioerror/torbirdy/blob/master/patches/datemessageid.patch
Trac:
Parent: N/A to #9131 (closed)
I have torbirdy 0.1.2 running on TB 24.1.1 (built from http://hg.mozilla.org/releases/mozilla-esr24/rev/73cf17fcf5d5) on OS X 10.6.8.
I appreciate the need to avoid leaking location info by masking the local timezone, but it appears this build of torbirdy is going too far. Specifically, I'm seeing that mailnews.reply_header_authorwrote is getting changed from "%s wrote" to "%s", and mailnews.reply_header_ondate is getting changed from "On %s" to null.
Perhaps the above behavior is by design, but that would be a bit odd. What I would expect instead is that the formatting for _ondate is simply changed to use UTC rather than local time (perhaps using some other preference(s)). I see no reason to change _authorwrote at all.
I'm not 100% sure this is due to torbirdy, but from this ticket (and also #6315 (closed)) it seems the most likely culprit. I am not much of a coder, but would be happy to test a patched version and report back.
Thanks for the excellent extension -- I'm finally able to use TB via Tor, which I've been wanting to do for a very long time.
Cheers,
-H
Trac:
Username: heywoodj123@yahoo.com-
Did some more reading and found the explanation in an old 2012 tor-talk thread (https://lists.torproject.org/pipermail/tor-talk/2012-May/024370.html). Should have read that before posting -- sorry.
However, I do share mikeperry's view as expressed in that thread: plugging the timezone leak by setting everything to UTC is good, but other than that I think the best way not to stick out is to use the default TB headers (in the default language). Notwithstanding the arguments made in "Towards a Tor-safe Mozilla Thunderbird," the changes made by Torbirdy to TB's default reply headers make subsequent emails more distinctive, not less.
-H
Trac:
Username: heywoodj123@yahoo.com @sukhbir How married are you to the idea of removing dates entirely? Thunderbird doesn't parse dateless emails very well, as a rule, and even if patched there are other clients that could respond poorly. Could reasonably lead to people thinking that they haven't received a message just by virtue of it being at the bottom of their mail queue.
A better / less-problematic option might be to allow users to override time on a per-message basis (in the compose window).
Trac:
Cc: sukhbir to sukhbir, griffin@cryptolab.netReplying to saint:
@sukhbir How married are you to the idea of removing dates entirely? Thunderbird doesn't parse dateless emails very well, as a rule, and even if patched there are other clients that could respond poorly. Could reasonably lead to people thinking that they haven't received a message just by virtue of it being at the bottom of their mail queue.
I also personally think that removing the date entirely is not a good idea -- it will likely break things and even if it doesn't for the cases we test with, getting such a patch accepted is going to be very difficult. If you see the ticket on Bugzilla, I think the best option is:
Keep the Date header and ensure it is in UTC (eg: allow some clock disclosure but not time zone to
... and set hh:mm:ss to 00:00:00 or randomize it. Something along those lines is better than removing the date completely.
BTW, just to publicize it, we have now proposed working on these patches as a GSoC project. See make TorBirdy better :)
Replying to sukhbir:
I also personally think that removing the date entirely is not a good idea -- it will likely break things and even if it doesn't for the cases we test with, getting such a patch accepted is going to be very difficult.
Yes, it seems like this option is holding up patch acceptance. I read the bug reports after hearing it referenced as a GSoC project. =)
... and set hh:mm:ss to 00:00:00 or randomize it.
These are both decent options for enhancing location anonymity, but have negative effects on conversations since it affects email sequence.
Perhaps detect local time and adjust to UTC? e.g. it's 11:45 EST my time, but the sent message would read as 4:45 UTC. Or defer to a server for time information (tlsdate style)?
Trac:
Cc: sukhbir, griffin@cryptolab.net to sukhbir, griffin@cryptolab.net, intrigeriHere's a JS torbirdy patch that allows us to round the Date header down to the nearest minute. It uses a custom Date header emitter that overrides Thunderbird's default Date header emitter.
https://github.com/arthuredelstein/torbirdy/commit/6314
(Alternatively, we could use the custom emitter to cause the Date header to be blank, randomized, rounded to the nearest hour, day, etc.)
This torbirdy patch should mean we won't need a patch for https://bugzil.la/980573. Thanks to jcranmer for helping me understand the Thunderbird logic.
Update: I found a way to simplify the patch considerably. Same github URL.
Trac:
Sponsor: N/A to N/A
Status: new to needs_review
Severity: N/A to NormalHere's the patch in torbirdy: https://github.com/ioerror/torbirdy/commit/7169642643b91f203782d8e6a885d53fbb43f49e
A couple of alternatives are possible:
-
Provide a modified Date header generator from torbirdy JS code to provide a UTC-formatted date. Here's an example: https://gist.github.com/arthuredelstein/5fdd1a1e7b3133807a59
-
Provide a header generator that provides an empty Date header. Here's an example patch: https://github.com/arthuredelstein/torbirdy/commit/6314_blank_date
Both (1) and (2) would potentially allow us to leave Thunderbird's default timezone unchanged, so users can see times displayed in the UI in their local timezone.
(2) Leaks no clock offset information at all in the Date header. But it may risk causing problems to some mail servers or clients. Of course, clock offsets may leak via other channels.
-
-
Trac:
Username: u
Cc: sukhbir, griffin@cryptolab.net, intrigeri to sukhbir, griffin@cryptolab.net, intrigeri, u@451f.org For reference, there are two patches in torbirdy for this ticket:
https://github.com/ioerror/torbirdy/commit/7169642643b91f203782d8e6a885d53fbb43f49e https://github.com/ioerror/torbirdy/commit/230ba97882424d35e12794c45db7c6715fe753f9
We patched torbirdy instead of landing a patch in Thunderbird.
Trac:
Status: closed to reopened
Resolution: fixed to N/A
Parent: #9131 (closed) to N/Amentioned in issue #9131 (closed)