Opened 5 years ago

Closed 18 months ago

#6314 closed defect (fixed)

prevent leak via Date header field (local timestamp disclosure)

Reported by: tagnaq Owned by: ioerror
Priority: High Milestone:
Component: Applications/TorBirdy Version:
Severity: Normal Keywords:
Cc: sukhbir, griffin@…, intrigeri, u@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Emails send with TorBirdy installed are currently leaking local timestamp information via the Date header field.

Sukhbir is preparing a patch for Thunderbird that will allow us to send emails without Date header field.
The Date header will then be inserted by the mail server as described in chapter 4.2.3: http://bit.ly/qDZm7C

Child Tickets

Change History (24)

comment:1 Changed 5 years ago by ioerror

Is there an upstream bug number for this in Mozilla's bug tracker?

comment:2 in reply to:  description Changed 5 years ago by tagnaq

Replying to tagnaq:

Sukhbir is preparing a patch for Thunderbird that will allow us to send emails without Date header field.

patch is available here:
https://raw.github.com/ioerror/torbirdy/master/patches/date.patch

If anyone want to help us to test it with many freemailers:

  1. apply the patch to thunderbirds source and recompile
  2. create a new preference and set it to false:

mailnews.local_date_header_generation = false

send your self an email and tell us whether the email in your Inbox contained a proper Date header.

Here are a few popular freemailers that would be good to test with the patch applied:

  • yahoo
  • hotmail
  • hushmail
  • gmx
  • mail.ru
  • yandex
  • mail.com

comment:5 Changed 5 years ago by sukhbir

Keywords: SponsorT added

comment:6 Changed 4 years ago by sukhbir

Parent ID: #9131

comment:9 Changed 4 years ago by heywoodj123@…

I have torbirdy 0.1.2 running on TB 24.1.1 (built from http://hg.mozilla.org/releases/mozilla-esr24/rev/73cf17fcf5d5) on OS X 10.6.8.

I appreciate the need to avoid leaking location info by masking the local timezone, but it appears this build of torbirdy is going too far. Specifically, I'm seeing that mailnews.reply_header_authorwrote is getting changed from "%s wrote" to "%s", and mailnews.reply_header_ondate is getting changed from "On %s" to null.

Perhaps the above behavior is by design, but that would be a bit odd. What I would expect instead is that the formatting for _ondate is simply changed to use UTC rather than local time (perhaps using some other preference(s)). I see no reason to change _authorwrote at all.

I'm not 100% sure this is due to torbirdy, but from this ticket (and also #6315) it seems the most likely culprit. I am not much of a coder, but would be happy to test a patched version and report back.

Thanks for the excellent extension -- I'm finally able to use TB via Tor, which I've been wanting to do for a very long time.

Cheers,

-H

Last edited 4 years ago by heywoodj123@… (previous) (diff)

comment:10 Changed 4 years ago by heywoodj123@…

Did some more reading and found the explanation in an old 2012 tor-talk thread (https://lists.torproject.org/pipermail/tor-talk/2012-May/024370.html). Should have read that before posting -- sorry.

However, I do share mikeperry's view as expressed in that thread: plugging the timezone leak by setting everything to UTC is good, but other than that I think the best way not to stick out is to use the default TB headers (in the default language). Notwithstanding the arguments made in "Towards a Tor-safe Mozilla Thunderbird," the changes made by Torbirdy to TB's default reply headers make subsequent emails more distinctive, not less.

-H

comment:11 Changed 4 years ago by saint

@sukhbir How married are you to the idea of removing dates entirely? Thunderbird doesn't parse dateless emails very well, as a rule, and even if patched there are other clients that could respond poorly. Could reasonably lead to people thinking that they haven't received a message just by virtue of it being at the bottom of their mail queue.

A better / less-problematic option might be to allow users to override time on a per-message basis (in the compose window).

comment:12 Changed 4 years ago by saint

Cc: griffin@… added

comment:13 in reply to:  11 ; Changed 4 years ago by sukhbir

Replying to saint:

@sukhbir How married are you to the idea of removing dates entirely? Thunderbird doesn't parse dateless emails very well, as a rule, and even if patched there are other clients that could respond poorly. Could reasonably lead to people thinking that they haven't received a message just by virtue of it being at the bottom of their mail queue.

I also personally think that removing the date entirely is not a good idea -- it will likely break things and even if it doesn't for the cases we test with, getting such a patch accepted is going to be very difficult. If you see the ticket on Bugzilla, I think the best option is:

Keep the Date header and ensure it is in UTC (eg: allow some clock disclosure but not time zone to

... and set hh:mm:ss to 00:00:00 or randomize it. Something along those lines is better than removing the date completely.

BTW, just to publicize it, we have now proposed working on these patches as a GSoC project. See make TorBirdy better :)

Last edited 4 years ago by sukhbir (previous) (diff)

comment:14 in reply to:  13 Changed 4 years ago by saint

Replying to sukhbir:

I also personally think that removing the date entirely is not a good idea -- it will likely break things and even if it doesn't for the cases we test with, getting such a patch accepted is going to be very difficult. 

Yes, it seems like this option is holding up patch acceptance. I read the bug reports after hearing it referenced as a GSoC project. =)

... and set hh:mm:ss to 00:00:00 or randomize it.

These are both decent options for enhancing location anonymity, but have negative effects on conversations since it affects email sequence.

Perhaps detect local time and adjust to UTC? e.g. it's 11:45 EST my time, but the sent message would read as 4:45 UTC. Or defer to a server for time information (tlsdate style)?

comment:15 Changed 3 years ago by intrigeri

Cc: intrigeri added

comment:16 Changed 3 years ago by sukhbir

Keywords: SponsorT removed

comment:17 Changed 2 years ago by arthuredelstein

Severity: Normal
Status: newneeds_review

Here's a JS torbirdy patch that allows us to round the Date header down to the nearest minute. It uses a custom Date header emitter that overrides Thunderbird's default Date header emitter.

https://github.com/arthuredelstein/torbirdy/commit/6314

(Alternatively, we could use the custom emitter to cause the Date header to be blank, randomized, rounded to the nearest hour, day, etc.)

This torbirdy patch should mean we won't need a patch for https://bugzil.la/980573. Thanks to jcranmer for helping me understand the Thunderbird logic.

Update: I found a way to simplify the patch considerably. Same github URL.

Last edited 2 years ago by arthuredelstein (previous) (diff)

comment:19 Changed 2 years ago by arthuredelstein

A couple of alternatives are possible:

  1. Provide a modified Date header generator from torbirdy JS code to provide a UTC-formatted date. Here's an example: https://gist.github.com/arthuredelstein/5fdd1a1e7b3133807a59
  1. Provide a header generator that provides an empty Date header. Here's an example patch: https://github.com/arthuredelstein/torbirdy/commit/6314_blank_date

Both (1) and (2) would potentially allow us to leave Thunderbird's default timezone unchanged, so users can see times displayed in the UI in their local timezone.

(2) Leaks no clock offset information at all in the Date header. But it may risk causing problems to some mail servers or clients. Of course, clock offsets may leak via other channels.

Last edited 2 years ago by arthuredelstein (previous) (diff)

comment:20 Changed 2 years ago by u

Cc: u@… added

comment:21 in reply to:  19 Changed 2 years ago by arthuredelstein

To clarify: neither of the patches in comment:19 should necessarily land. We are already sanitizing the Date header because of the patch merged in comment:18. But because of the tradeoffs I am not sure which is the best approach, so I posted the two additional patches here for consideration.

comment:22 Changed 20 months ago by sukhbir

Resolution: fixed
Status: needs_reviewclosed

Patch submitted by arthuredelstein upstream (thanks!); see the above bugzilla ticket. Marking this as fixed.

comment:23 Changed 18 months ago by arthuredelstein

Parent ID: #9131
Resolution: fixed
Status: closedreopened

For reference, there are two patches in torbirdy for this ticket:

https://github.com/ioerror/torbirdy/commit/7169642643b91f203782d8e6a885d53fbb43f49e
https://github.com/ioerror/torbirdy/commit/230ba97882424d35e12794c45db7c6715fe753f9

We patched torbirdy instead of landing a patch in Thunderbird.

comment:24 Changed 18 months ago by arthuredelstein

Resolution: fixed
Status: reopenedclosed
Note: See TracTickets for help on using tickets.