TorBirdy 0.2.0: Sixth Beta Release

by sukhbir | June 23, 2016

We are pleased to announce the sixth beta release of TorBirdy and the first in the 0.2 series: TorBirdy 0.2.0. All users are encouraged to upgrade as this release fixes numerous security and privacy issues.

Notable changes include fixing local timestamp disclosure in the date and the message-ID headers, as detailed in tickets #6314 and #6315. The patch for sanitizing the date header is shipped with TorBirdy. The patch for the message-ID header was submitted upstream to Mozilla and merged in Thunderbird 45, and it is therefore recommended that you upgrade to Thunderbird 45 if possible.

There are currently no known leaks in TorBirdy but please note that we are still in beta, so the usual caveats apply.

If you are using TorBirdy for the first time, visit the wiki to get started.

Other changes in this release include:

0.2.0, 27 Jun 2016

* Bug #6314: Prevent local timestamp disclosure via Date header
* Bug #6315: Prevent local timestamp disclosure via Message-ID header
* Bug #13721: Fix usage of wrong locale
* Bug #17426: Allow configuration of default email protocol
* Bug #15459: Add support for deterministic XPI generation
* Bug #11387, #13006: Fix non-standard EHLO argument
* Bug #17118: Allow manual account configuration for Gmail with OAuth2
* Bug #19031: Add and audit support for RSS reader
* Bug #7847: Audit and update support for NNTP
* Bug #10683: Update Thunderbird UI to reflect TorBirdy's state
* Bug #19330: Set secure defaults for outgoing mail servers
* Removed compatibility for older versions of Thunderbird and added support for Thunderbird 37+
* Added support for automatic configuration of Riseup email accounts
* Updated various privacy and security settings (see commit 2bdeffbb for a list of the changes)
* Update translations for current languages

Many thanks to Arthur Edelstein and the Tails Developers for this release!

We offer two ways of installing TorBirdy -- either by visiting our website (GPG signature; signed by 0xB01C8B006DA77FAA) or by visiting the Mozilla Add-ons page for TorBirdy. Please note that there may be a delay -- which can range from a few hours to days -- before the extension is reviewed by Mozilla and updated on the Add-ons page.

(Packages for Debian GNU/Linux will be created and uploaded shortly.)

Comments

Please note that the comment area below has been archived.

June 28, 2016

Permalink

Should we infer that you took over TorBirdy from JA? What does this mean for TM development?

June 28, 2016

In reply to sukhbir

Permalink

Very glad to hear it! Keep up all your good work, don't let the current bad press get you down!

June 29, 2016

Permalink

I've used birdie since it came out I think in both an msw and linux environments. This is the first time this has happened so I'm sharing it with you. When I read the article on the new release I went to check if it was upgraded and to my surprise it was updated and disabled. I know nobody has had access and I wouldn't ever disable it without going offline firsts. So why would such a thing happen. No I am getting paranoid and I'll check for the green thngy being on before switching to online. This is on debian 8.5 with icedove. Any cluess?

As far as the update goes, it is possible that you read the article after the extension was added to Mozilla Add-ons and therefore it was updated automatically. About the extension being disabled, what version of Thunderbird you were using? Note that TorBirdy is supported for Thunderbird 37+.

July 01, 2016

Permalink

IceD 45.1,0

Since it never happened before I am wondering for how long it was under this condition and I did not know. I am also trying to find out if you have an onion server address without birdie the connection wouldn't be possible, would there be a warning such as "server address unreachable" or something like this which I never saw.

I think I will turn autoupdate totally off anywhere I can because if I am sure of anything 100% is that I did not disable it myself.

If it helps, starting with the current release, TorBirdy will reflect status changes (enabled/disabled/uninstalled) without a restart so that should help in such problems. (See #10683).

July 02, 2016

Permalink

Hello, since this version it is no possible to set IP-addresses for no proxy. I've running an e-mail server on 127.0.0.1. Thunderbird can not get messages from this server. Is there a specific reasons for this change?

Thanks for reporting. This is due to setting network.proxy.no_proxies_on to "". Thinking about it, it actually breaks more than the benefits it gives so I think we will revert this setting in the new release. For now, you can delete line line 49 in components/torbirdy.js and build an XPI for yourself (running `make` should be enough). I will update this.

July 06, 2016

Permalink

Where I can delete the cache? Some CSS has wrong design on web page and I wanna delete all the cache.