Delivery-Date: Mon, 22 Jun 2015 16:15:05 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id B1C6F1E004D;
	Mon, 22 Jun 2015 16:15:03 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id BCC0A35E92;
	Mon, 22 Jun 2015 20:14:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 35FA235E87
 for <tor-talk@lists.torproject.org>; Mon, 22 Jun 2015 20:14:55 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id HYz2KSPe1TJT for <tor-talk@lists.torproject.org>;
 Mon, 22 Jun 2015 20:14:55 +0000 (UTC)
Received: from ruggedinbox.com (ruggedinbox.com [94.156.77.238])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id EF01E35E82
 for <tor-talk@lists.torproject.org>; Mon, 22 Jun 2015 20:14:51 +0000 (UTC)
Mime-Version: 1.0
Date: Mon, 22 Jun 2015 22:14:45 +0200
From: torbirdyfoo@ruggedinbox.com
To: tor-talk@lists.torproject.org, jacob@appelbaum.net, azadi@riseup.net,
 qubes-users@googlegroups.com
Message-ID: <0c98a2374b6e79b471c452761eaaa7f3@ruggedinbox.com>
X-Sender: torbirdyfoo@ruggedinbox.com
Subject: [tor-talk] Important Information for TorBirdy Users: OS upgrade
 (might) results in failure to mask timezone (observed on Fedora20-21 Qubes
 OS R2)
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

Hi,

this is a (pre) information for TorBirdy users (and their developers).

Bug Impact:
Outbound emails disclose the actual timezone in the "Date" header 
(instead of using UTC regardless of actual OS timezone).
This reveals a sender's raw location and more importantly allows 
attackers to link pseudonyms because the timezone in outbound emails 
potentially changed at the same point in time for all used pseudonyms of 
a single entity.

The root cause and affected systems of the problem is not
analyzed yet but I wanted to send this out as soon as possible
so people are aware of this problem and can avoid it until it gets 
fixed.

Are you affected?
It has been observed on Qubes OS R2 default Fedora template after 
changing from Fedora 20 to Fedora 21. It is not known whether this is 
Qubes OS specific in any way.

You can easily check whether you are affected by going to your 'sent' 
mail folder:

- select an email
- ctrl+u to see the source of the email
- search (ctrl+f) "Date:"
- if the line ends with +0000, timezone masking is working (if your OS 
timezone is not +0000)
- if it shows anything else it is not working and you are probably 
affected
(note: there is a TorBirdy setting to explicitly disable this 
protection, of you opted-out than this is entire email is irrelevant to 
you)

If you are affected please add information (your OS) to the bug tracker 
to help debug this.

Trac ticket:
https://trac.torproject.org/projects/tor/ticket/16419

@TorProject: the 'cypherpunks' account is not working, could you enable 
it agains so that people can use it?

Fix?
Not available yet, TorBirdy devs will certainly send out an information 
once this is solved/analyzed.


This bug has been observed after upgrading from Fedora 20 to Fedora 21 
on Qubes OS R2 (default templates) with Thunderbird 31.7.0 and TorBirdy 
0.1.4.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

