Opened 7 years ago

Closed 7 years ago

Last modified 18 months ago

#5997 closed enhancement (wontfix)

ML privacy enhancement: remove incoming mail path before sending mails to mailing list subscribers

Reported by: tagnaq
Owned by: rransom
Priority: Immediate
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Would be great if you could "mask" the mail path the mail took to get TO the mx of lists.tpo.

By doing this the first (chronologically) 'Received' header field would always look something like:

Received: from eugeni.torproject.org ([127.0.0.1])
	by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new,
	port 10024)
	with ESMTP id hH68UBL5Ouwu for <tor-talk@lists.torproject.org>;
	Tue, 12 May 2012 12:34:56 +0000 (UTC)

I think it would enhance the privacy of mailing list subscribers who do send emails to the lists, because an email wouldn't leak the current IP/exit node of the sender to all subscribers anymore.
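
The masking proposed in the description, as an added example that is not part of the ticket or of torproject.org's mail setup: it drops every Received field not recorded as coming from the list host and returns the dropped fields so the operator can still keep them in a private log. The sample message, the hosts other than eugeni.torproject.org, and the function names are constructed for illustration; LF line endings are assumed.

```python
import re

LIST_HOST = "eugeni.torproject.org"  # list server name from the ticket's example

# Constructed message: the top field mirrors the ticket's example, the two
# lower hops use made-up hosts and documentation addresses (RFC 5737).
SAMPLE = (
    "Received: from eugeni.torproject.org ([127.0.0.1])\n"
    "\tby localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)\n"
    "\twith ESMTP id EXAMPLE1 for <tor-talk@lists.torproject.org>;\n"
    "\tTue, 12 May 2012 12:34:56 +0000 (UTC)\n"
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby eugeni.torproject.org (Postfix); Tue, 12 May 2012 12:34:55 +0000 (UTC)\n"
    "Received: from [203.0.113.45] (unknown [203.0.113.45])\n"
    "\tby mx.example.net (Postfix); Tue, 12 May 2012 12:34:50 +0000 (UTC)\n"
    "From: subscriber@example.net\n"
    "To: tor-talk@lists.torproject.org\n"
    "Subject: test\n"
    "\nbody\n"
)

FROM_RE = re.compile(r"received:\s*from\s+(\S+)", re.IGNORECASE)

def split_fields(raw):
    """Split into header fields (continuation lines kept attached) and body."""
    head, sep, body = raw.partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\n" + line  # folded continuation of the previous field
        else:
            fields.append(line)
    return fields, sep + body

def is_external_hop(field, list_host):
    """True for a Received field not recorded as coming from the list host."""
    if not field.lower().startswith("received:"):
        return False
    m = FROM_RE.match(field)
    # No parsable "from" clause: treat as external and drop (fail closed).
    return m is None or m.group(1).lower() != list_host.lower()

def mask_incoming_path(raw, list_host=LIST_HOST):
    """Return (scrubbed message, removed fields for the operator's own log)."""
    fields, rest = split_fields(raw)
    removed = [f for f in fields if is_external_hop(f, list_host)]
    kept = [f for f in fields if not is_external_hop(f, list_host)]
    return "\n".join(kept) + rest, removed
```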

Change History (23)

comment:1 Changed 7 years ago by mikeperry

+1. We should set an example for FOSS projects everywhere in any way we can, I think.

I also think we need a "Tor Servers" or "Tor Infrastructure" component or something for this sort of thing.

comment:3 Changed 7 years ago by nickm

Call me +0; I think it's a good idea if it doesn't break anything. We should ask some email fogeys.

comment:4 Changed 7 years ago by mikeperry

I wish to preemptively veto any email fogey who thinks it's a good idea to do anything based on IP addresses present in headers.

comment:5 Changed 7 years ago by tagnaq

Others do this already. Have a look at email headers from openwall mailing lists.

comment:6 Changed 7 years ago by weasel

I think we should *not* do this.

comment:7 in reply to:  6 Changed 7 years ago by mikeperry

Replying to weasel:

> I think we should *not* do this.

Why?

comment:8 Changed 7 years ago by phobos

Component: Company → Tor Sysadmin Team

comment:9 Changed 7 years ago by mikeperry

Ok, well, since all we have is stop energy to work with here, let's see if we can route around it.

Imagining the worst-case scenario, scrubbing sender "Received" headers from email could make it easier to spoof a subscriber and send mail as them.

tagnaq: Does this happen on openwall? If not, why do you think that is? If so, how do you solve it?

Perhaps there are other reasons I can't guess. But when people block without giving reasons, guessing is all we can really do.

comment:10 Changed 7 years ago by weasel

Resolution: wontfix
Status: new → closed

comment:11 Changed 7 years ago by mikeperry

Resolution: wontfix
Status: closed → reopened

Helpful. Can we please restore rational thought around here?

comment:12 Changed 7 years ago by weasel

Resolution: wontfix
Status: reopened → closed

comment:13 Changed 7 years ago by mikeperry

Resolution: wontfix
Status: closed → reopened

I really just want some discussion here.

comment:14 Changed 7 years ago by mikeperry

Owner: changed from phobos to cypherpunks
Status: reopened → assigned

comment:15 Changed 7 years ago by nickm

Guys, this is silly. Weasel, if you've got a reason why this is a bad idea, you should probably say so if you want others to expect it's a bad idea.

comment:16 Changed 7 years ago by nickm

s/expect/accept/

comment:17 in reply to:  9 Changed 7 years ago by tagnaq

Replying to mikeperry:

> Imagining the worst-case scenario, scrubbing sender "Received" headers from email could make it easier to spoof a subscriber and send mail as them.
>
> tagnaq: Does this happen on openwall? If not, why do you think that is? If so, how do you solve it?

Not that I would be aware of.

It would be great to hear some arguments so that we can work something out.

In my opinion the tor project should have some of the "strongest" privacy settings to protect its users. I do think that many people are not aware of the negative side effects on their privacy when posting to a public mailing list with its current settings.

comment:18 Changed 7 years ago by tagnaq

Now that the tordev meeting and PETS are over I wanted to ask what the current state of this ticket is? (or more general: What does the decision making process look like at tpo?)

To summarize my view:

  • the change would enhance tor mailing list subscribers' privacy
  • the change is technically feasible as demonstrated by other projects (openwall)
  • no reasons against this change request have been given so far
  • when it comes to privacy tpo should be at least as good as others

comment:19 Changed 7 years ago by mikeperry

We did not discuss it in person, but I sense the major downside is more hassle in terms of dealing with abuse due to email spoofing. With full Received headers, it's relatively easy for the mailing list to police itself from spoofing. Right now, Fake Jacob Appelbaum would be easy to spot, even though the real one doesn't sign e-mail (nor do any more than a handful of us).

If the amount of noise on IRC is any indication, we experience more trolling than your average FOSS project.. Making it easier to troll our email lists might mean more work for the essentially volunteer admin team.

However, all that said, my vote still would be for cryptographic authentication on the ML, rather than IP. But I'm also not the one who would have to deal with the fallout.

Of course, that fallout might happen anyways once the IRC trolls learn how to send mail... It's not like they'd really care if the Fake Jake was easy to spot or not...

comment:20 Changed 7 years ago by weasel

Priority: normal → minor

comment:21 Changed 7 years ago by cypherpunks

Owner: changed from cypherpunks to rransom
Priority: minor → blocker

I think this issue blocks whatever rransom is doing right now. I ain't gonna do it, that's for damn sure.

comment:22 Changed 7 years ago by weasel

Resolution: wontfix
Status: assigned → closed

I do not think we should mess with our mail headers. For one it makes debugging harder, and the RFCs are pretty clear that things that forward mail should not kill Received headers.

I don't know why rransom would block on us breaking mail, but if he is then something is wrong.

I think I'll close this ticket one last time. Since this is in the sysadmin component, that's my call. Do not re-open it.

comment:23 Changed 18 months ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"