Re: [Tails-dev] TorBirdy: first impressions

Author: Jacob Appelbaum
Date:  
To: intrigeri
CC: tails-dev, Sukhbir Singh, Jacob Appelbaum
Subject: Re: [Tails-dev] TorBirdy: first impressions
On 06/19/2012 08:15 PM, intrigeri wrote:
> Hi!
>
> Thanks a lot for TorBirdy. I've been evaluating it in practice for
> a while, low-intensity though, and noticed no obvious problem, but
> this was in no way a serious audit.
>
Thanks for looking! I hope you guys will ship it in Tails - I plan to
package it for Debian in the next weeks. Would you be willing to inspect
my package?

> Then, I just had a quick look at the code.
> A few comments and questions follow.
>
> About:
>
> // Anything that would cause another proxy type to be used, we'll make them
> // fail closed with the following - if it can fail closed, that is!
> pref("network.proxy.ssl", "127.0.0.1");
> pref("network.proxy.ssl_port", 8118);
> pref("network.proxy.http", "127.0.0.1");
> pref("network.proxy.http_port", 8118);
> pref("network.proxy.ftp", "127.0.0.1");
> pref("network.proxy.ftp_port", 8118);
>
> I don't understand why 127.0.0.1:8118 should be equivalent to "fail
> closed": there may very well be a non-torifying proxy (such as
> Privoxy) behind this port.
>

There is no way to fail closed, sadly - without, well, something there. :(

In theory, I could put port 0 and that should fail almost always...

> About:
>
> // XXX: TODO --hidden-recipient should be used for each person but perhaps
> // --throw-keyids will be an OK stopgap?
>
> In my experience, --hidden-recipient / --throw-keyids are a pain in
> practice, especially for recipients that happen to handle a number of
> contextual identities, and OpenPGP key pairs thereof. So, I doubt it's
> TorBirdy's job to force this upon its users: IMHO, the (probably rare)
> incursions of TorBirdy into areas that are not strictly related to the
> stated "brings safe Tor support to Thunderbird" goal should be very
> careful and consensual.
>

Once we add an option panel to configure, I think we can set that or
unset it easily. However, I think that it is absolutely imperative to
use that option with gpg and Thunderbird. Otherwise, we leak a
cryptographic identity, directly, not indirectly. :(

All the best,
Jake
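The fail-open concern raised in the thread (fallback HTTP/SSL/FTP proxies pointed at 127.0.0.1:8118, which may be a non-torifying listener) can be checked mechanically. The script below is an added example, not TorBirdy's own code: it parses Mozilla-style pref() lines and flags any proxy setting that could route traffic around the Tor SOCKS listener. The SOCKS address 127.0.0.1:9050 and the sample pref text are assumptions constructed for the demonstration; port 0 is treated as the fail-closed alternative mentioned in the reply.

```python
import re

# Matches pref("key", value); and user_pref("key", value); lines of a Mozilla prefs file
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);')

def parse_prefs(text):
    """Parse pref() lines into a dict of str/bool/int values; comments and blanks are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"'):
            prefs[key] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw)
    return prefs

def audit_proxy_prefs(prefs, tor_socks=("127.0.0.1", 9050)):
    """Return findings for proxy settings that could bypass the Tor SOCKS listener (assumed at tor_socks)."""
    findings = []
    if prefs.get("network.proxy.type") != 1:
        findings.append("network.proxy.type is not 1 (manual): system/auto proxy config could bypass Tor")
    if (prefs.get("network.proxy.socks"), prefs.get("network.proxy.socks_port")) != tor_socks:
        findings.append("SOCKS proxy is not the expected Tor listener")
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        findings.append("socks_remote_dns is off: DNS resolution can leak outside Tor")
    for proto in ("http", "ssl", "ftp"):
        host = prefs.get(f"network.proxy.{proto}")
        port = prefs.get(f"network.proxy.{proto}_port", 0)
        # A real host:port here is only safe if that listener itself torifies; port 0 fails closed
        if host and port != 0:
            findings.append(f"{proto} fallback proxy {host}:{port} fails open unless that listener torifies")
    return findings

# Constructed sample mirroring the thread: fallbacks pointed at 127.0.0.1:8118
FAIL_OPEN_PREFS = """
pref("network.proxy.type", 1);
pref("network.proxy.socks", "127.0.0.1");
pref("network.proxy.socks_port", 9050);
pref("network.proxy.socks_remote_dns", true);
pref("network.proxy.ssl", "127.0.0.1");
pref("network.proxy.ssl_port", 8118);
pref("network.proxy.http", "127.0.0.1");
pref("network.proxy.http_port", 8118);
pref("network.proxy.ftp", "127.0.0.1");
pref("network.proxy.ftp_port", 8118);
"""
# Constructed fail-closed variant: same prefs with the fallback ports set to 0
FAIL_CLOSED_PREFS = FAIL_OPEN_PREFS.replace("8118", "0")

if __name__ == "__main__":
    for name, text in (("fail-open", FAIL_OPEN_PREFS), ("fail-closed", FAIL_CLOSED_PREFS)):
        print(name, audit_proxy_prefs(parse_prefs(text)) or ["no findings"])
```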