Opened 5 years ago

Last modified 6 months ago

#6359 assigned defect

make use of stream isolation

Reported by: proper
Owned by: sukhbir
Priority: Medium
Milestone:
Component: Applications/TorBirdy
Version:
Severity: Normal
Keywords:
Cc: proper, adrelanos, jeremy@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by lunar)

TorBirdy should not use the same circuit that any other torified applications may use. Streams should get isolated.

A different circuit should also be used for each account, similar to what Tor Browser does when isolating different domains.

Change History (11)

comment:1 Changed 5 years ago by proper

As a first "simple" implementation:
Does Thunderbird support socks authentication? I really haven't found it. If it did, you could use IsolateSOCKSAuth by using "TorBirdy" as socks auth.

More comprehensive implementation:
Use the accountname (or any other identifier or the hash of it) of the mail account as socks auth for IsolateSOCKSAuth. That way all mail accounts get stream isolated from each other.

What's left:
http traffic... Not sure how this fits in. The blog and news feed reader, updates, addon search, install and updates go over http. What else?

comment:2 in reply to:  1 Changed 5 years ago by tagnaq

Replying to proper:

> As a first "simple" implementation:
> Does Thunderbird support socks authentication?

I don't think so.

> More comprehensive implementation:
> Use the accountname (or any other identifier or the hash of it) of the mail account as socks auth for IsolateSOCKSAuth. That way all mail accounts get stream isolated from each other.

As far as I know there is only one proxy per Thunderbird instance, if you want to isolate different accounts you currently have to run multiple Thunderbird instances with different proxy settings. Did someone try proxy addons that allow more specific proxy settings?

(or you can do some iptables/TransPort redir tricks based on destination IP/port - but that is just a hack)

> What's left:
> http traffic... Not sure how this fits in. The blog and news feed reader, updates, addon search, install and updates go over http. What else?

HKP... but everything uses the same specified proxy anyway.

comment:3 Changed 5 years ago by tagnaq

Replying to proper:

> TorBirdy should not use the same circuit that any other torified applications may use.

Although that is an adorable goal I wouldn't know of a way that application A can prevent application B from using the same Socks/TransparentPort or same SOCKS auth. cred.

We can try but TorBirdy probably can't guarantee that nobody else is using the same stream.

comment:4 Changed 5 years ago by ioerror

Resolution: wontfix
Status: new → closed

If the user has Tor 0.2.3.x, they get basic stream isolation. It should be good enough for most users with a single email account...

Until Thunderbird supports SOCKS username/passwords, we can't really do anything about this issue. Please file a bug with Thunderbird and we'll implement it in TorBirdy when they support it.

comment:5 in reply to:  3 Changed 18 months ago by adrelanos

Severity: Normal

Replying to tagnaq:

> Replying to proper:
>
> > TorBirdy should not use the same circuit that any other torified applications may use.
>
> Although that is an adorable goal I wouldn't know of a way that application A can prevent application B from using the same Socks/TransparentPort or same SOCKS auth. cred.
>
> We can try but TorBirdy probably can't guarantee that nobody else is using the same stream.

No need to guarantee that, which is not possible indeed. However, TorBirdy using socks 127.0.0.1:9150 while another application is using the same socks 127.0.0.1:9150 is bad. Not that unlikely, since it is the default TBB socks port that users and other applications tend to re-use.

I suggest TorBirdy should use socks 127.0.0.1:9150 with socks auth TorBirdy_<small random string>. Then it would be stream isolated from another arbitrary application using plain socks 127.0.0.1:9150.

comment:6 in reply to:  4 Changed 18 months ago by adrelanos

Resolution: wontfix
Status: closed → reopened

Replying to ioerror:

> If the user has Tor 0.2.3.x, they get basic stream isolation.

Please briefly explain why/how.

> Until Thunderbird supports SOCKS username/passwords, we can't really do anything about this issue. Please file a bug with Thunderbird and we'll implement it in TorBirdy when they support it.

I don't think it is reasonable to close this ticket and to leave it to chance if a Thunderbird socks username support feature request is posted against Mozilla.

comment:7 Changed 18 months ago by adrelanos

Cc: adrelanos added

comment:8 Changed 18 months ago by cypherpunks

https://bugzilla.mozilla.org/show_bug.cgi?id=1200802 is now marked as fixed in upstream Mozilla. How does that affect the feasibility of implementing stream isolation in TorBirdy?

comment:9 Changed 12 months ago by lunar

Description: modified (diff)
Status: reopened → new

Tor Browser now uses SOCKS username/password to use different circuits for each domain. Does Thunderbird now support using SOCKS username password as well? Would it be complicated to get a different circuit for each account now that it's a reality?

One corner case to be aware of is POP before SMTP. I don't know if these kinds of setups are still in use, but they were popular at some point. It would probably be best if the same circuit can be used in such a case, as I believe some implementations would ensure that the same IP is in use for both POP and subsequent SMTP. This is still a minor use case and should not block getting proper isolation between accounts.

Thanks!

comment:10 in reply to:  9 Changed 12 months ago by JeremyRand

Cc: jeremy@… added

Replying to lunar:

> Tor Browser now uses SOCKS username/password to use different circuits for each domain. Does Thunderbird now support using SOCKS username password as well? Would it be complicated to get a different circuit for each account now that it's a reality?
>
> One corner case to be aware of is POP before SMTP. I don't know if these kinds of setups are still in use, but they were popular at some point. It would probably be best if the same circuit can be used in such a case, as I believe some implementations would ensure that the same IP is in use for both POP and subsequent SMTP. This is still a minor use case and should not block getting proper isolation between accounts.
>
> Thanks!

Yes, Thunderbird supports SOCKS authentication now. The Tor Browser patch against Firefox to support SOCKS authentication was upstreamed to Mozilla in this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1200802 ; it was merged by Mozilla on 2015 Nov 26.

As far as I can tell, Icedove in Debian Jessie includes this support, see https://sources.debian.net/src/icedove/1:45.2.0-1~deb8u1/mozilla/netwerk/base/nsIProxyInfo.idl/#L53 .

So as far as I can tell, it should be straightforward to use this in TorBirdy -- use the standard Mozilla hooks for setting proxy settings per connection (I assume these APIs are identical between Firefox and Thunderbird), and set the "username" and "password" fields of the nsProxyInfo instance that you generate to whatever you want them to be.
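
The per-account isolation discussed in comments 1, 5, 9 and 10, sketched as an added example that is not part of this ticket or of TorBirdy's code: it derives SOCKS credentials per mail account and builds the SOCKS5 messages (RFC 1928/1929) that carry them to a Tor SocksPort with IsolateSOCKSAuth. The function names, the HMAC derivation, the account keys and the fail-closed method check are assumptions of this example.

```javascript
// Added example (not TorBirdy code): per-account SOCKS5 credentials for IsolateSOCKSAuth.
const crypto = require('crypto');

// One random secret per client session (hypothetical helper). Usernames then change
// on every restart and never expose the real account name on the SOCKS port.
function newSessionSecret() {
  return crypto.randomBytes(16);
}

// Derive credentials from an account key (assumed: any stable per-account id).
// Key by account, not by server or protocol, so POP and SMTP of one account
// share a circuit (the POP-before-SMTP case) while accounts stay separated.
function isolationCredentials(sessionSecret, accountKey) {
  const tag = crypto.createHmac('sha256', sessionSecret)
    .update(accountKey, 'utf8').digest('hex').slice(0, 32);
  return { username: 'TorBirdy_' + tag, password: tag };
}

// RFC 1928 greeting: version 5, one method offered, 0x02 = username/password.
// "No authentication" (0x00) is deliberately not offered.
function socks5Greeting() {
  return Buffer.from([0x05, 0x01, 0x02]);
}

// Fail closed: if the proxy does not select method 0x02, do not connect unisolated.
function methodAccepted(reply) {
  if (reply.length !== 2 || reply[0] !== 0x05 || reply[1] !== 0x02) {
    throw new Error('SOCKS proxy refused username/password auth; not connecting');
  }
  return true;
}

// RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD (each 1..255 bytes).
function socks5AuthRequest({ username, password }) {
  const u = Buffer.from(username, 'utf8');
  const p = Buffer.from(password, 'utf8');
  for (const field of [u, p]) {
    if (field.length < 1 || field.length > 255) {
      throw new RangeError('SOCKS5 username/password must be 1..255 bytes');
    }
  }
  return Buffer.concat([Buffer.from([0x01, u.length]), u, Buffer.from([p.length]), p]);
}
```

In a Thunderbird add-on the same username and password would be placed in the nsProxyInfo fields mentioned in comment 10 instead of being written to a socket by hand.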

comment:11 Changed 6 months ago by cypherpunks

Owner: changed from ioerror to sukhbir
Status: new → assigned