Skip to content
Snippets Groups Projects
New look: Off

Audit Thunderbird's RSS support

    • Open Issue created by Sukhbir Singh @sukhbir

    Audit Thunderbird's RSS feed reader. Some tasks to start with:

    • Is automatic fetching disabled?
    • Is HTML disabled?
    • Is JavaScript disabled?
    • Are proxy settings respected?

    Are there other anonymity implications?

    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items ...

    • Activity

    • Sukhbir Singh added component::applications/torbirdy owner::sukhbir priority::medium severity::normal status::new type::task labels

      added component::applications/torbirdy owner::sukhbir priority::medium severity::normal status::new type::task labels

    • S
      Sukhbir Singh @sukhbir ·
      Author

      Updates:

      • Automatic fetching was not disabled and the value was hard coded. So we needed an overlay which I pushed in 0968621f.
      • HTML has also been disabled. The options are similar to the mailnews settings. See 174cd10.
      • JavaScript disabled: already doing it.
      • Proxy settings respected: yes.

      I think the only concern I have now is that clicking the "Website" (in the message pane) to get the complete article shows the Launch Application window using which a user may choose a browser that is not Tor Browser. Now we can do either of the following:

      • Disable the link so that a user has to manually copy it and doesn't inadvertently click on it
      • Warn the user but then show the Launch Application and let them decide.
      • Be smart and open in Tor Browser. (I am not sure if this one is easy).
    • sajolida
      sajolida @sajolida ·

      Trac:
      Cc: N/A to sajolida@pimienta.org

    • C
      cypherpunks @cypherpunks ·

      Does stream isolation work properly, i.e. do 2 different RSS feeds always use independent Tor circuits?

    • Trac
      Trac @tracbot ·

      I have set "browser.chrome.favicons" to "false" because otherwise it seemed to me that Thunderbird fetches the favicons of my feeds directly after start because they are not stored on disk. This could be an anonymity risk if two different RSS feeds don't use two independent Tor circuits because all the icons are fetched at the same time.

      Can you reproduce this or is this a problem which only occurs in my case?

      Trac:
      Username: viktorj

    • C
      cypherpunks @cypherpunks ·

      If you forget to disable favicon like above, TB will make a connection silently. So just disable it.

      Disable the link so that a user has to manually copy it and doesn't inadvertently click on it

      When the user click the link, just "copy" it to clipboard. And show "The URL is copied to clipboard" alert. Do not open it in Thunderbird because this is not a browser but a mailer.

    Please register or sign in to reply