Opened 7 months ago

Last modified 7 months ago

#22484 new enhancement

TB 52+ leaks installed dictionary

Reported by: Fleming
Owned by: sukhbir
Priority: Medium
Milestone:
Component: Applications/TorBirdy
Version:
Severity: Normal
Keywords:
Cc: mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

TB 52 introduced a new header Content-Language with no option to turn it off.

The official changelog says about that: Dictionary setting is restored when editing a draft. Content-Language header (RFC 3282) transmitted with message.

The mentioned RFC warns us (Paragraph 4, Security considerations) that an incorrect implementation would lead to a privacy leak, which truly happens. For example, you could forge a name, timezone and IP to pretend to be a citizen of Iceland, but the Content-Language header would leak Content-Language: ru-English, meaning the author rather comes from Eastern Europe.

What shall we do about that?


Change History (5)

comment:1 Changed 7 months ago by arma

Is there a ticket for "there's no about:config setting for changing it" in the mozilla bugtracker?

comment:2 Changed 7 months ago by sukhbir

This is interesting. Have you been able to reproduce this bug? (I will try shortly but I thought I should ask you as well.)

comment:3 Changed 7 months ago by cypherpunks

That's not a bug, it's a feature! If you receive an email (or re-edit a draft), Thunderbird 52 uses the Content-Language header field to pick the right dictionary if installed.

On my machine it's reproducible: every email I send (except gpg emails) has the header field Content-Language: with the language option depending on the used dictionary, e.g. en-US.

Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
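
A check for the header shown in comment:3, as an added example that is not part of the ticket or of TorBirdy's code: it parses a saved outgoing message with Python's standard email module, reports every Content-Language header on the top level and on each MIME part, and strips them. The sample message, its addresses and the function names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Constructed sample (not captured traffic): a multipart message carrying
# Content-Language on the top level and on one of its MIME parts.
SAMPLE = """\
From: user@example.invalid
To: peer@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"
Content-Language: en-US

--b1
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit

hello
--b1
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<p>hello</p>
--b1--
"""

def find_language_leaks(raw):
    """Return (part_path, value) for every Content-Language header found."""
    leaks = []
    def walk(part, path):
        # Header lookup is case-insensitive; a part may repeat the header.
        for value in part.get_all("Content-Language", []):
            leaks.append((path, str(value)))
        if part.is_multipart():
            for i, sub in enumerate(part.iter_parts(), 1):
                walk(sub, f"{path}.{i}")
    walk(message_from_string(raw, policy=default), "1")
    return leaks

def strip_language(raw):
    """Return the message with Content-Language removed from every part."""
    msg = message_from_string(raw, policy=default)
    for part in msg.walk():
        del part["Content-Language"]  # no error if the header is absent
    return msg.as_string()

if __name__ == "__main__":
    print(find_language_leaks(SAMPLE))
    print(find_language_leaks(strip_language(SAMPLE)))
```
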

comment:4 Changed 7 months ago by mcs

Cc: mcs added

comment:5 in reply to:  1 Changed 7 months ago by Fleming

Replying to arma:

Is there a ticket for "there's no about:config setting for changing it" in the mozilla bugtracker?

Found one here https://bugzilla.mozilla.org/show_bug.cgi?id=1370217
