wiki:torbirdy/changes

This page describes the Thunderbird preferences TorBirdy changes and enforces. To see which of these settings you can change, visit the preferences page.

The latest preferences can be found on the Git repository in the torbirdy.js file.

Network

  // Use a manual proxy configuration.
  "network.proxy.type": 1,
  // https://bugs.torproject.org/10419
  // The proxy exception list is set to an empty string, so no host is listed
  // as exempt from the proxy.
  "network.proxy.no_proxies_on": "",
  // Restrict TBB ports: 9050, 9051, 9150 and 9151 are added to the banned list.
  // NOTE(review): presumably these are Tor's SOCKS and control ports, banned
  // so that message or web content cannot contact them directly - confirm.
  "network.security.ports.banned": "9050,9051,9150,9151",
  // Number of seconds to wait before attempting to recontact an unresponsive proxy server.
  "network.proxy.failover_timeout": 1800,

  // Configure Thunderbird to use the SOCKS5 proxy on the loopback address,
  // port 9150.
  "network.proxy.socks": "127.0.0.1",
  "network.proxy.socks_port": 9150,
  "network.proxy.socks_version": 5,

  // Set DNS proxying through SOCKS5, so hostnames are handed to the proxy
  // instead of being looked up by the local resolver.
  "network.proxy.socks_remote_dns": true,
  // Disable DNS prefetching.
  "network.dns.disablePrefetch": true,

  // https://lists.torproject.org/pipermail/tor-talk/2011-September/021398.html
  // "Towards a Tor-safe Mozilla Thunderbird"
  // These options enable a warning that tagnaq suggests.

  // Warn when an application is to be launched.
  // The warning is switched on for http, https, ftp and file links and as the
  // default for every other scheme.
  // NOTE(review): presumably the concern is that an external application does
  // not inherit the proxy preferences set on this page - confirm in the thread.
  "network.protocol-handler.warn-external.http": true,
  "network.protocol-handler.warn-external.https": true,
  "network.protocol-handler.warn-external.ftp": true,
  "network.protocol-handler.warn-external.file": true,
  "network.protocol-handler.warn-external-default": true,

  // Likely privacy violations
  // https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting
  // https://bugs.torproject.org/3914
  // NOTE(review): despite the heading above, the pipelining preferences below
  // are switched on and tuned, not disabled. Going by the title of the linked
  // blog post they look like the experimental traffic-fingerprinting defense -
  // confirm.
  "network.http.pipelining": true,
  "network.http.pipelining.aggressive": true,
  "network.http.pipelining.maxrequests": 12,
  "network.http.connection-retry-timeout": 0,
  "network.http.max-persistent-connections-per-proxy": 256,
  "network.http.pipelining.reschedule-timeout": 15000,
  "network.http.pipelining.read-timeout": 60000,

  // We do not fully understand the privacy issues of the SPDY protocol.
  // We have no reason to believe that anyone would actually use it with
  // Thunderbird but we fail closed to keep users safe out of an abundance of
  // caution.
  "network.http.spdy.enabled": false,
  // We want pipelined requests and a bunch of them, as is explained in the
  // experimental-defense-website-traffic-fingerprinting blog post by Torbutton
  // author Mike Perry.
  "network.http.pipelining.ssl": true,
  "network.http.proxy.pipelining": true,
  // NOTE(review): no rationale is given for this value. In Mozilla's
  // documentation 2 is the stock setting (Referer sent for followed links and
  // for embedded images), so this line does not reduce Referer exposure -
  // confirm that this is intended.
  "network.http.sendRefererHeader": 2,
  // https://bugs.torproject.org/16673
  // Alternative Services (Alt-Svc) and its opportunistic-encryption mode are
  // both switched off.
  "network.http.altsvc.enabled": false,
  "network.http.altsvc.oe": false,

  // Disable websockets to rule out a proxy bypass.
  // Websockets have no use in Thunderbird over Tor; some versions of the
  // underlying Mozilla networking code allowed websockets to bypass the proxy
  // settings - this is deadly to Tor users:
  // https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
  // We don't want users of Thunderbird to even come close to such a bypass
  // issue and so we have disabled websockets out of an abundance of caution.
  "network.websocket.enabled": false,
  // Cookies are allowed, but not third-party cookies. First-party cookies are
  // kept for Gmail and Twitter.
  "network.cookie.cookieBehavior": 1,
  // http://kb.mozillazine.org/Network.cookie.lifetimePolicy
  // 2: cookie expires at the end of the session.
  "network.cookie.lifetimePolicy": 2,
  // Disable link prefetching.
  "network.prefetch-next": false,

Security

  // Default is always false for OCSP.
  // OCSP servers may log information about a user as they use the internet
  // generally; it's everything we hate about CRLs and more.
  // NOTE(review): the value set below is 1, not 0/false. In Mozilla's
  // numbering 1 turns OCSP checking on, which contradicts the comment above -
  // confirm against torbirdy.js which of the two is current.
  "security.OCSP.enabled": 1,
  "security.OCSP.GET.enabled": false,
  // NOTE(review): with "require" set to false a failed OCSP lookup presumably
  // does not block the connection (soft fail) - confirm.
  "security.OCSP.require": false,
  // Disable TLS Session Ticket.
  // See https://trac.torproject.org/projects/tor/ticket/4099
  "security.enable_tls_session_tickets": false,
  // Enable SSL3?
  // We do not want to enable a known weak protocol; users should only use TLS.
  "security.enable_ssl3": false,
  // Thunderbird 23.0 uses the following preference.
  // https://bugs.torproject.org/11253
  // NOTE(review): in Mozilla's numbering 1 is TLS 1.0 and 3 is TLS 1.2, so
  // TLS 1.0 and 1.1 are still accepted with this minimum. Review both bounds
  // against the Thunderbird release in use before copying these values.
  "security.tls.version.min": 1,
  "security.tls.version.max": 3,
  // Display a dialog warning the user when entering an insecure site from a secure one.
  "security.warn_entering_weak": true,
  // Display a dialog warning the user when submitting a form to an insecure site.
  "security.warn_submit_insecure": true,
  // Enable SSL FalseStart.
  // This should be safe and improve TLS performance.
  "security.ssl.enable_false_start": true,
  // Reject all connection attempts to servers using the old SSL/TLS protocol.
  // NOTE(review): Mozilla documents this preference in terms of the secure
  // renegotiation extension (RFC 5746) rather than the protocol version, so
  // "old" presumably means servers without that extension - confirm.
  "security.ssl.require_safe_negotiation": true,
  // Warn when connecting to a server that uses an old protocol version
  // (same caveat about the meaning of "old" as for the preference above).
  "security.ssl.treat_unsafe_negotiation_as_broken": true,
  // Disable 'extension blocklist' which might leak the OS information.
  // See https://trac.torproject.org/projects/tor/ticket/6734
  // Trade-off: with the blocklist off, add-ons that Mozilla has blocklisted
  // are presumably no longer disabled automatically - confirm.
  "extensions.blocklist.enabled": false,
  // Strict: certificate pinning is always enforced.
  "security.cert_pinning.enforcement_level": 2,

Mailnews

  // Suggestions from the JAP team on how they'd configure Thunderbird.
  // http://anonymous-proxy-servers.net/en/help/thunderbird.html

  // Disable the start page.
  "mailnews.start_page.enabled": false,
  // Set UTF-8 as the default charset.
  "mailnews.send_default_charset": "UTF-8",
  // Send plain text with hard line breaks as entered.
  "mailnews.send_plaintext_flowed": false,
  // Display a message as plain text, even if there is an HTML version.
  "mailnews.display.prefer_plaintext": true,
  // Don't display HTML, inline images and some other uncommon content.
  // From: http://www.bucksch.org/1/projects/mozilla/108153/
  "mailnews.display.disallow_mime_handlers": 3,
  // Convert HTML to text and then back again.
  "mailnews.display.html_as": 1,
  // Disable plugin support.
  "mailnews.message_display.allow_plugins": false,
  // Don't convert to our local date. This may matter in a reply, etc.
  "mailnews.display.original_date": true,
  // When replying to a message, set the attribution line to: '%s'.
  // https://lists.torproject.org/pipermail/tor-talk/2012-May/024395.html
  // The two templates below contain only the author placeholder and no date or
  // time placeholder.
  // NOTE(review): presumably this keeps local time and locale out of replies -
  // confirm in the linked thread.
  "mailnews.reply_header_type": 1,
  "mailnews.reply_header_authorwrote": "%s",
  "mailnews.reply_header_authorwrotesingle": "#1:",
  // Show Sender header in message pane (#10226).
  // http://heise.de/-2044405
  // https://bugzilla.mozilla.org/show_bug.cgi?id=332639
  "mailnews.headers.showSender": true,

Mail

  // Prevent hostname leaks: the SMTP greeting argument is fixed to the
  // literal "[127.0.0.1]".
  "mail.smtpserver.default.hello_argument": "[127.0.0.1]",
  // Compose messages in plain text (by default).
  "mail.html_compose": false,
  "mail.identity.default.compose_html": false,
  // Send message as plain text.
  "mail.default_html_action": 1,
  // Disable Thunderbird's 'Get new account' wizard.
  "mail.provider.enabled": false,
  // Don't ask to be the default client.
  "mail.shell.checkDefaultClient": false,
  "mail.shell.checkDefaultMail": false,
  // Disable inline attachments.
  "mail.inline_attachments": false,
  // Do not IDLE (disable push mail).
  "mail.server.default.use_idle": false,
  // Thunderbird's autoconfig wizard is designed to enable an initial
  // mail fetch (by setting login_at_start) for the first account it
  // creates (which will become the "default" account, see
  // msgMail3PaneWindow.js for details) which side-steps the settings
  // we apply in fixupTorbirdySettingsOnNewAccount(). Hence, fool
  // Thunderbird into thinking that this initial mail fetch has already
  // been done so we get the settings we want.
  "mail.startup.enabledMailCheckOnce": true,

Browser

  // Disable caching (disk, memory and offline cache), and also turn off saved
  // form data and the automatic filling of login forms.
  "browser.cache.disk.enable": false,
  "browser.cache.memory.enable": false,
  "browser.cache.offline.enable": false,
  "browser.formfill.enable": false,
  "signon.autofillForms": false,

  // https://bugs.torproject.org/10367
  // Health report and data submission are switched off, and the report URL is
  // replaced with an empty data: URI.
  "datareporting.healthreport.service.enabled": false,
  "datareporting.healthreport.uploadEnabled": false,
  "datareporting.policy.dataSubmissionEnabled": false,
  "datareporting.healthreport.about.reportUrl": "data:text/plain,",

  // https://bugs.torproject.org/16256
  // The search country and region are pinned to "US" and the GeoIP lookup URL
  // is emptied.
  // NOTE(review): presumably so that no region lookup request is sent -
  // confirm in the ticket.
  "browser.search.countryCode": "US",
  "browser.search.region": "US",
  "browser.search.geoip.url": "",

  // These have been copied from Tor Browser and don't apply to Thunderbird
  // since the browser surface is limited (Gmail/Twitter) but we set them
  // nevertheless.
  // Disable client-side session and persistent storage.
  "dom.storage.enabled": false,
  // https://bugs.torproject.org/15758
  "device.sensors.enabled": false,
  // https://bugs.torproject.org/5293
  "dom.battery.enabled": false,
  // https://bugs.torproject.org/6204
  "dom.enable_performance": false,
  // https://bugs.torproject.org/13023
  "dom.gamepad.enabled": false,
  // https://bugs.torproject.org/8382
  "dom.indexedDB.enabled": false,
  // https://bugs.torproject.org/13024
  "dom.enable_resource_timing": false,
  // https://bugs.torproject.org/16336
  "dom.enable_user_timing": false,
  // https://bugs.torproject.org/17046
  // NOTE(review): unlike the neighbouring lines this one is set to true;
  // presumably the ticket explains why enabling it is the safer choice -
  // confirm rather than assume a typo.
  "dom.event.highrestimestamp.enabled": true,

  // https://bugs.torproject.org/11817
  "extensions.getAddons.cache.enabled": false,

Enigmail

  // We hope the user has Enigmail and if so, we believe these improve security.

  // Disable X-Enigmail headers.
  // We don't want to obviously disclose that we're using Enigmail as it may
  // add privacy-destroying headers.
  "extensions.enigmail.addHeaders": false,
  // Use GnuPG's default comment for signed messages.
  "extensions.enigmail.useDefaultComment": true,
  // We need to pass some more parameters to GPG.
  // NOTE(review): the proxy URL below uses port 9050 while
  // network.proxy.socks_port on this page is 9150. If only one of the two
  // ports has a listener, either Thunderbird or the gpg keyserver traffic has
  // no working proxy - confirm how the add-on keeps the two in sync.
  "extensions.enigmail.agentAdditionalParam":
                                              // Don't disclose the version
                                              "--no-emit-version " +
                                              // Don't add additional comments (may leak language, etc)
                                              "--no-comments " +
                                              // We want to force UTF-8 everywhere
                                              "--display-charset utf-8 " +
                                              // We want to ensure that Enigmail is proxy aware even when it runs gpg in a shell
                                              "--keyserver-options http-proxy=socks5h://127.0.0.1:9050 ",
                                            
  // The default key server should be a hidden service and this is the only known one (it's part of the normal SKS network)
  // NOTE(review): this is a 16-character (v2) onion address. Current Tor
  // releases no longer support v2 onion services, so treat the value as
  // historical and check torbirdy.js for a replacement.
  "extensions.enigmail.keyserver": "hkp://qdigse2yzvuglcix.onion",
  // Force GnuPG to use SHA512.
  "extensions.enigmail.mimeHashAlgorithm": 5,

Chat and Calendar

  // Thunderbird 15 introduces the chat feature, so disable the preferences below:
  // logging of chats, instant messages and system messages, and the sending
  // of typing notifications.
  "purple.logging.log_chats": false,
  "purple.logging.log_ims": false,
  "purple.logging.log_system": false,
  "purple.conversations.im.send_typing": false,

  // Messenger related preferences.
  // Do not report idle, and do not switch to "away" when idle.
  "messenger.status.reportIdle": false,
  "messenger.status.awayWhenIdle": false,
  // Set the following preferences to empty strings.
  "messenger.status.defaultIdleAwayMessage": "",
  "messenger.status.userDisplayName": "",
  // Do not connect automatically.
  "messenger.startup.action": 0,
  // Ignore invitations; do not automatically accept them.
  "messenger.conversations.autoAcceptChatInvitations": 0,
  // Do not format incoming messages.
  "messenger.options.filterMode": 0,
  // On copying the content in the chat window, remove the time information.
  // See `comm-central/chat/locales/conversations.properties' for more information.
  // None of the three templates below contains a time placeholder.
  "messenger.conversations.selections.systemMessagesTemplate": "%message%",
  "messenger.conversations.selections.contentMessagesTemplate": "%sender%: %message%",
  "messenger.conversations.selections.actionMessagesTemplate": "%sender% %message%",

  // Mozilla Lightning: send no extra user agent string.
  "calendar.useragent.extra": "",
  // We have to set a timezone otherwise the system time is used. "UTC" or
  // "GMT" is not an option so we set it to Europe/London.
  "calendar.timezone.local": "Europe/London",

Other Settings

  // RSS: display feed items as plain text.
  "rss.display.prefer_plaintext": true,
  // These are similar to the mailnews.* settings and use the same values.
  "rss.display.disallow_mime_handlers": 3,
  "rss.display.html_as": 1,

  // Override the user agent by setting it to an empty string.
  "general.useragent.override": "",

  // Disable WebGL.
  "webgl.disabled": true,

  // Disable Telemetry completely.
  "toolkit.telemetry.enabled": false,

  // Disable Geolocation.
  "geo.enabled": false,

  // Disable JavaScript (email).
  "javascript.enabled": false,

  // Disable WebM, WAV, Ogg, PeerConnection.
  // NOTE(review): only media.navigator, media.peerconnection and the media
  // cache size are set here; no WebM, WAV or Ogg preference appears in this
  // listing - confirm against torbirdy.js.
  "media.navigator.enabled": false,
  "media.peerconnection.enabled": false,
  "media.cache_size": 0,

  // Disable CSS :visited selector.
  "layout.css.visited_links_enabled": false,

  // Disable downloadable fonts.
  "gfx.downloadable_fonts.enabled": false,

  // Disable third-party images.
  "permissions.default.image": 3,
Last modified on Jun 6, 2016, 10:56:50 AM