Opened 6 years ago

Closed 5 years ago

#6015 closed defect (fixed)

disable plugins

Reported by: proper
Owned by: ioerror
Priority: Very High
Milestone:
Component: Applications/TorBirdy
Version:
Severity:
Keywords:
Cc: proper, sukhbir.in@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Just like TorButton, you should probably also disable all plugins.

For example, the Adobe Flash plugin is of no use in Thunderbird.

Plugins introduce new code, complexity, and vulnerabilities, and I don't see why they should be required. I suggest blocking all of them.

Change History (7)

comment:1 Changed 6 years ago by proper

Component: - Select a component → TorBirdy
Owner: set to ioerror

comment:2 Changed 5 years ago by ioerror

Status: new → needs_information

Does anyone actually have any plugins like flash in their Thunderbird?

comment:3 in reply to:  2 Changed 5 years ago by sukhbir

Cc: sukhbir.in@… added

Replying to ioerror:

Does anyone actually have any plugins like flash in their Thunderbird?

That and don't you think it's better if we just say this for TorBirdy (from https://www.torproject.org/download/download-easy.html.en):

The Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into the Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy

Disabling plugins is a good idea, but it's not feasible to disable all of them, so let's just warn the user, right?

comment:4 Changed 5 years ago by mikeperry

Doesn't disabling HTML mail cover this?

If not, here's how to disable them in Torbutton:
https://gitweb.torproject.org/torbutton.git/blob/master:/src/chrome/content/torbutton.js#l1713

If you want to keep them out of the Thunderbird address space entirely, you need to patch the bird:
https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch

comment:5 Changed 5 years ago by ioerror

Mike - did you try to push that patch upstream?

comment:6 in reply to:  5 Changed 5 years ago by mikeperry

Replying to ioerror:

Mike - did you try to push that patch upstream?

No, the patch is a hack. The "correct" solution is way more involved and I deemed it not worth the effort compared to other stuff that needed/still needs to be done. See the patch description and the trac comment for details.

comment:7 Changed 5 years ago by sukhbir

Resolution: fixed
Status: needs_information → closed

Fixed. We now disable all plugins on TorBirdy install (and enable them when TorBirdy is uninstalled).
