Opened 4 years ago

Last modified 3 years ago

#19031 new task

Audit Thunderbird's RSS support

Reported by: sukhbir
Owned by: sukhbir
Priority: Medium
Milestone:
Component: Applications/TorBirdy
Version:
Severity: Normal
Keywords:
Cc: sajolida@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Audit Thunderbird's RSS feed reader. Some tasks to start with:

  • Is automatic fetching disabled?
  • Is HTML disabled?
  • Is JavaScript disabled?
  • Are proxy settings respected?

Are there other anonymity implications?

Change History (5)

comment:1 Changed 4 years ago by sukhbir


  • Automatic fetching was not disabled and the value was hard coded. So we needed an overlay which I pushed in 0968621f.
  • HTML has also been disabled. The options are similar to the mailnews settings. See 174cd10.
  • JavaScript disabled: already doing it.
  • Proxy settings respected: yes.

I think the only concern I have now is that clicking the "Website" (in the message pane) to get the complete article shows the Launch Application window using which a user may choose a browser that is not Tor Browser. Now we can do either of the following:

  • Disable the link so that a user has to manually copy it and doesn't inadvertently click on it.
  • Warn the user but then show the Launch Application and let them decide.
  • Be smart and open in Tor Browser. (I am not sure if this one is easy).

comment:2 Changed 4 years ago by sajolida

Cc: sajolida@… added

comment:3 Changed 4 years ago by cypherpunks

Does stream isolation work properly, i.e. do 2 different RSS feeds always use independent Tor circuits?

comment:4 Changed 4 years ago by viktorj

I have set "" to "false" because otherwise it seemed to me that Thunderbird fetches the favicons of my feeds directly after start because they are not stored on disk. This could be an anonymity risk if two different RSS feeds don't use two independent Tor circuits because all the icons are fetched at the same time.

Can you reproduce this or is this a problem which only occurs in my case?

comment:5 Changed 3 years ago by cypherpunks

If you forget to disable favicon like above, TB will make a connection silently. So just disable it.

Disable the link so that a user has to manually copy it and doesn't inadvertently click on it

When the user clicks the link, just "copy" it to the clipboard.
And show a "The URL is copied to clipboard" alert.
Do not open it in Thunderbird because this is not a browser but a mailer.
