TorBirdy 0.2.1 is released
We are pleased to announce the seventh beta release of TorBirdy: TorBirdy 0.2.1.
This release fixes an annoying usability issue where TorBirdy sets the calendar timezone to UTC thus overriding the local timezone and breaking the calendar functionality; see commit 3ea8e5d and Bug 20157 for more information.
If you are using TorBirdy for the first time, visit the wiki to get started.
There are currently no known leaks in TorBirdy but please note that we are still in beta, so the usual caveats apply.
Here is the complete changelog since v0.2.0 (released on 23 June 2016):
0.2.1, 30 Nov 2016
* Bug 20157: Do not set calendar timezone to UTC
* Bug 20750, 20644: Ensure RSS feeds are displayed in plain text
* Revert setting no_proxies_on to an empty string (see commit b2f6a45b)
* Added support for automatic configuration of systemli.org email accounts
We offer two ways of installing TorBirdy: by visiting our website (GPG signature; signed by [geshifilter-code]<a href="https://www.torproject.org/docs/signing-keys.html.en">0xB01C8B006DA77FA…]) or by visiting the Mozilla Add-ons page for TorBirdy. Please note that there may be a delay -- which can range from a few hours to days -- before the extension is reviewed by Mozilla and updated on the Add-ons page.
(Packages for Debian GNU/Linux will be created and uploaded shortly by Ulrike Uhlig.)
Comments
Please note that the comment area below has been archived.
I'm very happy to read this!
I'm very happy to read this!
Thank you!
Thanks :)
Thanks :)
Does it really protect the
Does it really protect the login/authentication passwords of my Thunderbird emailboxes? Or is there a chance someone else will catch them somewhere along the line?
If your provider uses
If your provider uses TLS/SSL (which every provider pretty much does these days) then your messages to and from your email server are encrypted and thus no node in the Tor route can read their contents.
Does this addon *enforce*
Does this addon *enforce* the use of SSL while connecting to those mailboxes?
I shudder at the thought of getting my email through Tor with no encryption (even if just by accident).
yes, it enforces tls v 1.1
yes, it enforces tls v 1.1
Please make an equivalent of
Please make an equivalent of the "HTTPS Only" Firefox addon.
So TorBirdy won't be vulnerable to SSL downgrade attacks.
You can open Torbirdy and
You can open Torbirdy and set a tick at {{{Transparent Torificion}}}, than all the torbidy seetings are applied but without using the tor deamon on your pc.
I feel this is not a good
I feel this is not a good solution as it creates a new problem of sending your traffic over the clearnet.
Of course you could just set
Of course you could just set them by making some changes to the about:counfig, too. (there are more seeting that might be intressting like not sending your LAN-ip, the email agent string etc)
but to enforce the stronger cipher and certificate pinning all you have to do is to go to the thunderird prefrences open the `advanced editor`
and set
security.ssl3.* false // the asterisk stands for all entries
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256 true
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256 true
prevent insecure recognition
security.ssl.require_safe_negotiation true
security.ssl.treat_unsafe_negotiation_as_broken true
security.cert_pinning.enforcement_level 2
there's a great page describing literally all the necessary setp unfortunately it's just in German (but hey, feel free to use a translator tool to get the gist)
https://privacy-handbuch.de/handbuch_31d.htm
https://privacy-handbuch.de/handbuch_31k.htm
Thanks for the comment. For
Thanks for the comment. For reference this is also being discussed in https://trac.torproject.org/projects/tor/ticket/20751.
Have a look at the torbirdy
Have a look at the torbirdy wiki, please!
https://trac.torproject.org/projects/tor/wiki/torbirdy
https://trac.torproject.org/projects/tor/wiki/torbirdy
Connection security for both incoming and outgoing servers is set to SSL/TLS.
But don't forget you are using Tor, ie you a free to use Tor-Services (formely known as hiddenservices) and generally speaking use pof onion addresses at least mitigates some of the risks of using ssl/tls-certificates.
Just to add to this comment,
Just to add to this comment, we try to enforce TLS for existing as well as new accounts. But yes, if your mail provider has an onion service, you should use that.
Thanks! Do you think
Thanks! Do you think TorBirdy will ever be in Tails?
TorBirdy is already in
TorBirdy is already in Tails: https://tails.boum.org/doc/anonymous_internet/icedove/index.en.html
I saw that when I read the
I saw that when I read the next blog post "Tor at the Heart: Torbirdy" Shows how much I know! I never found it when using Tails so I just assumed it wasn't included because of its beta status or something else. The debian branding of Thunderbird also confused me a little bit at first. Thanks for the link!
Torbirdy changes the local
Torbirdy changes the local IP that's part of the header to 127.0.0.1 ("fully qualified domain name"), wouldn't it be better to set an IP address that's more likely to be there in the first place? Like 192.168.0.x ?
See
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812115.
Is there a work around for
Is there a work around for getting TorBirdy to work with the latest alpha series of Tor browser? It fails to establish a connection.