Opened 4 years ago
Last modified 3 years ago
#19031 new task
Audit Thunderbird's RSS support
| Reported by: | sukhbir | Owned by: | sukhbir |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/TorBirdy | Version: | |
| Severity: | Normal | Keywords: | |
| Cc: | sajolida@… | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
Audit Thunderbird's RSS feed reader. Some tasks to start with:
- Is automatic fetching disabled?
- Is HTML disabled?
- Is JavaScript disabled?
- Are proxy settings respected?
Are there other anonymity implications?
Child Tickets
Change History (5)
comment:1 Changed 4 years ago by
comment:2 Changed 4 years ago by
| Cc: | sajolida@… added |
|---|
comment:3 Changed 4 years ago by
Does stream isolation work properly, i.e. do 2 different RSS feeds always use independent Tor circuits?
comment:4 Changed 3 years ago by
I have set "browser.chrome.favicons" to "false" because otherwise it seemed to me that Thunderbird fetches the favicons of my feeds directly after start because they are not stored on disk. This could be an anonymity risk if two different RSS feeds don't use two independent Tor circuits because all the icons are fetched at the same time.
Can you reproduce this or is this a problem which only occurs in my case?
comment:5 Changed 3 years ago by
If you forget to disable favicon like above, TB will make a connection silently. So just disable it.
Disable the link so that a user has to manually copy it and doesn't inadvertently click on it
When the user click the link, just "copy" it to clipboard.
And show "The URL is copied to clipboard" alert.
Do not open it in Thunderbird because this is not a browser but a mailer.
Updates:
I think the only concern I have now is that clicking the "Website" (in the message pane) to get the complete article shows the Launch Application window using which a user may choose a browser that is not Tor Browser. Now we can do either of the following: