Our Latest Release of TorBirdy for Thunderbird Includes New Enigmail Features

by sukhbir | August 4, 2017

Photo by Adam Jones. License: CC-BY-4.0

TorBirdy is an extension for ​Mozilla Thunderbird that configures it to make connections over the Tor network. TorBirdy automatically enhances the privacy settings of Thunderbird and configures it for use over Tor -- think of it as ​Torbutton for Thunderbird.

We are pleased to announce the ninth beta release of TorBirdy: TorBirdy 0.2.3.

This release enables encrypted email headers in Enigmail (as defined by the Memory Hole standard) that helps prevent metadata leaks. Please see Bug 21880 for the general discussion on this topic and why we decided to enable this preference (extensions.enigmail.protectHeaders) in TorBirdy.

This Enigmail feature encrypts the Subject and References headers by moving them into the encrypted message body. The Subject header text is replaced with the dummy text "Encrypted Message" instead of the original text, which is decrypted automatically when the recipient opens the email if they are using Enigmail. If not, and because this feature is not implemented in other mail clients yet, they will see "Encrypted Message" instead of the subject. Note that the Subject header is not lost -- it is still a part of the message and can be decrypted manually if required. This seems to be a rather small trade off compared to sending the Subject header in plain text.

Note that it is possible to disable this from TorBirdy's preferences in case it breaks your email setup. (Please help us by filing a bug report in case this happens.) For an-easy-to-understand introduction to Memory Hole, please refer to this presentation (PDF) by Daniel Kahn Gillmor.

If you are using TorBirdy for the first time, visit the wiki to get started.

There are currently no known leaks in TorBirdy but please note that we are still in beta, so the usual caveats apply.

Here is the complete changelog since v0.2.2:

0.2.3, 04 Aug 2017
* Bug 21880: Enable encrypted email headers for Enigmail (Memory Hole)
* Bug 22569: Update Enigmail values for custom proxy settings
* Bug 22318, 22567: Disable Microsoft Family Safety and Google Safe Browsing
* Update keyserver port to 9150 (Tor Browser default)

We offer two ways of installing TorBirdy: by visiting our website (GPG signature; signed by 0xB01C8B006DA77FAA) or by visiting the Mozilla Add-ons page for TorBirdy.

Please note that there may be a delay -- which can range from a few hours to days -- before the extension is reviewed by Mozilla and updated on the Add-ons page. 

The TorBirdy package for Debian GNU/Linux will be uploaded shortly by Ulrike Uhlig.

Comments

Please note that the comment area below has been archived.

As long as you don't use HTML emails and don't click on weird links in spam emails I think the risk is not very big.

Regarding unix domain sockets: I think you should be able to configure Torbirdy to use them (but I have not tried). There are no Tor Browser patches regarding those sockets anymore that are not ustreamed.

August 06, 2017

In reply to gk

Permalink

mcs wrote https://blog.torproject.org/comment/268858#comment-268858

1. Open about:config in a browser window.
2. Toggle the following two preferences so that their value becomes true:
extensions.torlauncher.control_port_use_ipc
extensions.torlauncher.socks_port_use_ipc
3. Restart Tor Browser.

Unfortunately, thunderbird/torbirdy doesn't use torlauncher -- could you give me a hint, what I have to do to use thunderbird/torbirdy with Unix sockets ports?

Well, it's a Thunderbird extension, so, is there a mobile version of Thunderbird? According to Mozilla's website, Thunderbirds supports Windows, macOS, Linux (https://www.mozilla.org/en-US/thunderbird/). So I guess, that their's somewhere an Andoid/*Linux* version of it, otherwise they wouldn't say so, would they?

Additionaly, it might be not the best idea to put your OpenPGP key/login data on your stock Android phone.

August 05, 2017

Permalink

Anyone has a quick advice?

My TorBirdy is set for "Transparent Torification" needed when Tor is running in a separate Whonix gateway VM. Clicking the "Test Proxy" button loads the "Success" page, and Thunderbird receives all emails OK.
The sent emails are arriving OK to the few email recipients on the same domain / mail server. However, the emails sent to the recipients at other mail services (all other email recipients) never arrive there. There are no visible error messages when sending email.

What's wrong?

Choosing the "Whonix" setting: I don't use standard Whonix completely (not in Whonix Workstation behind Gateway setup). I'm in a custom workstation behind Whonix gateway. Because of that, I chose Transparent Torification.

"May be this will help": no, even choosing "Whonix" option does not help. You see, Thunderbird communicates with my mail server OK. The messages are sent successfully. And my own server has no problem at all. But perhaps most other servers don't like something Torbirdy does to the email headers?

Please help!

However, the emails sent to the recipients at other mail services (all other email recipients) never arrive there. There are no visible error messages when sending email.

What's your email provider? Does your provider support starttls, tls v1.2? Have you set the right smtp settings (name, port) are you using a tor onion service?
(Does it work with older torbirdy versions? Try not to enforce tls 1.2 but set tls min to 1.0)

Maybe the Whonix forum/irc channel is a better place for help (other whonix users may have solved the issue already).

August 07, 2017

Permalink

Hi,

here is my error report:

Torbirdy 0.2.3, Thunderbird 52.2.1 , Debian Stretch.

I start the Tor Browser Bundle and then start Thunderbird with TorBirdy. I try to send a message. But I have this message :
Send Message Error
Sending of message failed.
The message could not be sent because connecting to SMTP server disroot.org failed. The server may be unavailable or is refusing SMTP connections. Please verify that your SMTP server settings are correct and try again, or contact the server administrator.

I tried to send with another server, but I got the same message.

Any idea?

August 08, 2017

In reply to by david (not verified)

Permalink

try,

a) click on "torbirdy,enabled" -> "Open Torbirdy Preferences" -> "Test Proxy Settings", does it say "Congratulations. This browser is configured to use Tor."

b) does the server support tls 1.2 and modern ciphers?

August 08, 2017

Permalink

Ok, I found my problem: torbirdy simpy changed my smtp configuration from STARTTLS to SSL. I put back STARTTLS and it works like a charm!

STARTTLS doesn't enforce TLS (ergo plaintext is a possible fallback) and it seems as if they only support starttls for smtp [1]. Additionally, disroot.org is using Diffie-Hellman parameter's with only 1024 bits (there are rumors that at least one three letter agency is able to decipher them in real-time) and has a questionable set of ciphers [2, 3]. You should at least consider to choose a different mail provider that has a somewhat more 'secure' tls configuration (and/or uses an onion address) like mailbox.org [4, 5]

[1] https://forum.disroot.org/t/email-how-to-setup-email-clients/213
[2] https://www.htbridge.com/ssl/?id=sJRTvHf6
[3] https://tls.imirhil.fr/tls/disroot.org:995
[4] smtp https://tls.imirhil.fr/tls/smtp.mailbox.org:465
[5] mx-server https://tls.imirhil.fr/smtp/tls.mailbox.org

In 2015 at the c3c, there's was at talk about possible attacks on the Diffie-Hellman key exchange by exploiting the fact most services use the same prime number and by doing pre-computations for, say 2-3 prime numbers, one could, at least for those 2-3 prime numbers, attack the Diffie-Hellman 1024 bit key exchange for 80--90% of all websites (the estimated (2015) development costs for semi-custom chips for the post-"pre-computation"-phase were by approx. 100 million dollar).

Link to the talk: https://media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_th…

September 01, 2017

Permalink

Привет всем! Ребята, иногда не запускается orbot на android. Включаю "методом тыка". Почему так происходит и что нужно сделать, чтобы наладить TOR? Я в этих делах ещё совсем "чайник". Помогите разобраться, пожалуйста. Заранее благодарен. Громко не смейтесь смейтесь надо мной!))
Всем добра.
Крым

June 25, 2018

Permalink

Can anyone tell me once and for all if this is correct:

When checking multiple accounts with Thunderbird using TorBirdy, the same IP is used for all accounts; unless one manually changes identity between each single fetching.

(I could not find the answer anywhere else and my poor english does not allow me to hover the whole site fast enough.)

Would it be somehow possible to make TorBirdy change Tor identity for each account checking (or assign one at startup to each account)?

Thnks a lot.