Opened 6 years ago

Closed 5 years ago

#6057 closed enhancement (wontfix)

avoid revealing torbirdys anonymity set explicitly

Reported by: proper
Owned by: ioerror
Priority: Medium
Milestone:
Component: Applications/TorBirdy
Version:
Severity:
Keywords:
Cc: proper, sukhbir.in@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Change History (7)

comment:1 Changed 6 years ago by sukhbir

Cc: sukhbir.in@… added

I think there is no clear consensus on this. Should we stick to '%s:' or should we let the user select the language? But then, like tagnaq pointed out, asking the user to select the language is not such a good idea.

comment:2 Changed 6 years ago by proper

Selecting the language again for every e-mail is indeed not wise.

I suggested setting the language per account during account creation.

comment:3 Changed 6 years ago by tagnaq

Hi proper,

I think we have different goals and threat models.
What do you aim for?

We do not aim to look like an ordinary Thunderbird.
We want to have all TorBirdy users in one anonymity set*. We aim to modify multiple headers (UA, message-id, date, enigmail header, ... ) to remove leaks / anonymity set reductions. We do not assume that our MTA is removing our IP address. In fact we do not trust our MTA (or mailing list provider).

*) A TorBirdy user/a user having certain pref settings is easily identified by inspecting the modified headers and Tor exit source IP address.

comment:4 in reply to: 3; Changed 6 years ago by proper

Hi tagnaq,

> I think we have different goals and threat models.

Yes.

> What do you aim for?

If it's not possible to hide being a TorBirdy user from a mailserver, I'd still prefer hiding that fact from the mailing list. Attacks by the mailserver are a higher class than someone on a mailing list who doesn't like one.

> We do not aim to look like an ordinary Thunderbird.
> We want to have all TorBirdy users in one anonymity set*. We aim to modify multiple headers (UA, message-id, date, enigmail header, ... ) to remove leaks / anonymity set reductions. We do not assume that our MTA is removing our IP address. In fact we do not trust our MTA (or mailing list provider).
>
> *) A TorBirdy user/a user having certain pref settings is easily identified by inspecting the modified headers and Tor exit source IP address.

You got me, I can't suggest technical solutions. I just created tickets to prevent any ideas from the mailing list discussion getting lost. And also this one was one I care about.

It might not be possible. I'll mail Mike right away about this ticket, since he also cared about it.

comment:5 in reply to: 4 Changed 5 years ago by tagnaq

Priority: changed from critical to normal
Summary: changed from "Enumerate difficulties with obfuscating useragent from mailinglists" to "avoid revealing torbirdys anonymity set explicitly"
Type: changed from defect to enhancement

Replying to proper:

> > What do you aim for?
>
> If it's not possible to hide being a TorBirdy user from a mailserver, I'd still prefer hiding that fact from the mailing list. Attacks by the mailserver are a higher class than someone on a mailing list who doesn't like one.

We do not pretend to provide this 'feature', so I changed the ticket type from defect to enhancement.
I also changed the ticket title/summary as I think that is what you actually want to achieve.
(The title is now more or less a quote from Mike's email on tor-talk.)

If you want to hide the fact that you are a TorBirdy user, you would have to change your source IP (the exit relay's IP), and TorBirdy can't help you with that, but this is certainly not the only problem.

Let's assume your mail provider doesn't insert your source IP into mail headers, so this can't be used to identify you as being a Tor(Birdy) user, but there is still the missing UA header, the modified message-id (in progress), ...

Now you could argue to fake the UA header and set it to a common Thunderbird version to blend in with other Thunderbird users. This would prevent us from reaching the 'all TorBirdy users are in one anonymity set' goal because you would have to update the fake useragent from time to time. And it still wouldn't fix the message-id format mismatch.

So for now I don't see how we can achieve your 'feature request' without abandoning other goals (mainly all TorBirdy users in one anonymity set and don't reveal timestamp information).
I hope you see my point. (I'm happy to explain further if you wish.)

comment:6 Changed 5 years ago by proper

Thanks for your detailed answer! I am ok with your changes to this ticket.

Since Mike hasn't answered and I am unable to suggest a clever technical solution, you are free to close this one as impossible.

If anyone else ever comes up with a solution, ticket may be reopened.

comment:7 Changed 5 years ago by ioerror

Resolution: wontfix
Status: changed from new to closed

If we want a feature request, we need a different bug and a lot of specifics about what is to be implemented.
