TorBirdy 0.2.1 is released

We are pleased to announce the seventh beta release of TorBirdy: TorBirdy 0.2.1.

This release fixes an annoying usability issue where TorBirdy set the calendar timezone to UTC, overriding the local timezone and breaking the calendar functionality; see commit 3ea8e5d and Bug 20157 for more information.

If you are using TorBirdy for the first time, visit the wiki to get started.

There are currently no known leaks in TorBirdy but please note that we are still in beta, so the usual caveats apply.

Here is the complete changelog since v0.2.0 (released on 23 June 2016):

0.2.1, 30 Nov 2016
* Bug 20157: Do not set calendar timezone to UTC
* Bug 20750, 20644: Ensure RSS feeds are displayed in plain text
* Revert setting no_proxies_on to an empty string (see commit b2f6a45b)
* Added support for automatic configuration of systemli.org email accounts

We offer two ways of installing TorBirdy: by visiting our website (GPG signature; signed by 0xB01C8B006DA77FA…, see https://www.torproject.org/docs/signing-keys.html.en) or by visiting the Mozilla Add-ons page for TorBirdy. Please note that there may be a delay -- which can range from a few hours to days -- before the extension is reviewed by Mozilla and updated on the Add-ons page.

(Packages for Debian GNU/Linux will be created and uploaded shortly by Ulrike Uhlig.)

Anon

December 01, 2016

Does it really protect the login/authentication passwords of my Thunderbird emailboxes? Or is there a chance someone else will catch them somewhere along the line?

If your provider uses TLS/SSL (which every provider pretty much does these days) then your messages to and from your email server are encrypted and thus no node in the Tor route can read their contents.

Does this addon *enforce* the use of SSL while connecting to those mailboxes?
I shudder at the thought of getting my email through Tor with no encryption (even if just by accident).

You can open TorBirdy and set a tick at `Transparent Torification`, then all the TorBirdy settings are applied but without using the Tor daemon on your PC.

Of course you could just set them by making some changes to about:config, too. (There are more settings that might be interesting, like not sending your LAN IP, the email agent string, etc.)

But to enforce the stronger cipher and certificate pinning, all you have to do is to go to the Thunderbird preferences, open the `advanced editor`

and set


security.ssl3.* false // the asterisk stands for all entries
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256 true
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256 true

prevent insecure recognition
security.ssl.require_safe_negotiation true
security.ssl.treat_unsafe_negotiation_as_broken true

security.cert_pinning.enforcement_level 2

There's a great page describing literally all the necessary steps; unfortunately it's just in German (but hey, feel free to use a translator tool to get the gist).

https://privacy-handbuch.de/handbuch_31d.htm
https://privacy-handbuch.de/handbuch_31k.htm
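
One way to check a profile against the values listed in the comment above, as an added example that is not part of the original thread or of TorBirdy's code: it parses `user_pref(...)` lines from a Thunderbird `prefs.js` or `user.js` and reports every pref that differs. The function names and the sample file contents are constructed for illustration.

```python
import fnmatch
import re

# Values from the comment above; the wildcard row is applied first and the
# explicit rows override it.
WANTED = [
    ("security.ssl3.*", False),
    ("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", True),
    ("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", True),
    ("security.ssl.require_safe_negotiation", True),
    ("security.ssl.treat_unsafe_negotiation_as_broken", True),
    ("security.cert_pinning.enforcement_level", 2),
]
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample file contents, not taken from a real profile.
SAMPLE = '''
user_pref("security.ssl3.rsa_aes_128_sha", true);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("security.cert_pinning.enforcement_level", 1);
user_pref("mail.smtpserver.smtp1.hostname", "mail.example.org");
'''

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # anything else (comments, blank lines) is skipped
            name, raw = m.groups()
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            elif re.fullmatch(r"-?\d+", raw):
                prefs[name] = int(raw)
            else:
                prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """Return sorted (name, found, wanted) for each pref that deviates.
    found=None means the file does not set the pref at all."""
    expected = {}
    for pattern, value in WANTED:
        names = ([n for n in prefs if fnmatch.fnmatchcase(n, pattern)]
                 if "*" in pattern else [pattern])
        expected.update((n, value) for n in names)
    return sorted((n, prefs.get(n), w) for n, w in expected.items()
                  if type(prefs.get(n)) is not type(w) or prefs.get(n) != w)
```

The `security.ssl3.*` row can only flag cipher prefs that actually appear in the file being audited, so a pref reported with `found=None` is one the file leaves at whatever the application default is.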

Have a look at the torbirdy wiki, please!

https://trac.torproject.org/projects/tor/wiki/torbirdy

Connection security for both incoming and outgoing servers is set to SSL/TLS.

But don't forget you are using Tor, i.e. you are free to use Tor services (formerly known as hidden services), and generally speaking, use of onion addresses at least mitigates some of the risks of using SSL/TLS certificates.

Just to add to this comment, we try to enforce TLS for existing as well as new accounts. But yes, if your mail provider has an onion service, you should use that.

Thanks! Do you think TorBirdy will ever be in Tails?

I saw that when I read the next blog post, "Tor at the Heart: Torbirdy". Shows how much I know! I never found it when using Tails, so I just assumed it wasn't included because of its beta status or something else. The Debian branding of Thunderbird also confused me a little bit at first. Thanks for the link!

Torbirdy changes the local IP that's part of the header to 127.0.0.1 ("fully qualified domain name"), wouldn't it be better to set an IP address that's more likely to be there in the first place? Like 192.168.0.x ?

Is there a work around for getting TorBirdy to work with the latest alpha series of Tor browser? It fails to establish a connection.