Re: [tor-talk] Thunderbird leak

2014-01-28 Thread Mike Cardwell
* on the Mon, Jan 27, 2014 at 10:56:17AM -0800, Al Billings wrote:

 Yes but you have to choose to view the original html or it doesn't do
 anything. So, by default, users will not be automatically exploited.
 They have to get a bad email and then choose menu options for that one
 email to then be able to click on a link which then might have content

The above statement is all wrong. Thunderbird by default displays emails
as original HTML. Only when you install TorBirdy does that change.

 This is why it was considered a moderate security issue.

No, I don't believe that played any part in the classification.

 It isn't a drive by exploit where you send mail to people and then
 something happens to them. They have to actively cooperate to be
 exploited.

It requires the user to receive an email, and then click a link in that
email. This is not unusual behaviour.

 It is a bug, yes, but it isn't as bad as was being painted the other day
 here.

It is a horrible bug for Tor users who are using Thunderbird without
TorBirdy. To clarify, at no point did I state that TorBirdy users were
affected. I brought up the issue here exactly so that those sorts of
issues could be investigated.

I suggest if you are going to make any further statements about the
way the bug works, you replicate it first.

The bug report is now public. Somebody has submitted a patch, but
they've also suggested that there may be similar bugs in the MathML
code waiting to be found.

-- 
Mike Cardwell  https://grepular.com/ http://cardwellit.com/
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Thunderbird leak

2014-01-28 Thread Al Billings
Yes, I’m on the bug where you refer to me as “Al Billings” (with quotes) as if 
that isn’t my name… 

From: Mike Cardwell Mike Cardwell
Reply: tor-talk@lists.torproject.org tor-talk@lists.torproject.org
Date: January 28, 2014 at 12:41:12 AM
To: tor-talk@lists.torproject.org tor-talk@lists.torproject.org
Subject:  Re: [tor-talk] Thunderbird leak  
The bug report is now public. Somebody has submitted a patch, but 
they've also suggested that there may be similar bugs in the MathML 
code waiting to be found. 
-- 
Al Billings
http://makehacklearn.org



Re: [tor-talk] Thunderbird leak

2014-01-28 Thread Mike Cardwell
* on the Tue, Jan 28, 2014 at 12:42:56AM -0800, Al Billings wrote:

 Yes, I'm on the bug where you refer to me as Al Billings (with
 quotes) as if that isn't my name...

If somebody put my name in quotes, I wouldn't immediately jump to the
conclusion that they're claiming that it isn't my name, nor would I
care. But then I wouldn't go around making incorrect claims about bugs
without testing them first either. I'm sorry if I hurt your feelings
by pointing out that you were wrong on your employer's bugzilla board,
but it's your own fault for not backing up your claims. Unless you've
got something useful to add regarding the bug, please don't continue
adding noise, on this list, or on the bugzilla page. All you've done
so far is confuse matters.

I won't be taking part in this thread on tor-talk any further. If anyone
is interested in following the issue, see:

https://bugzilla.mozilla.org/show_bug.cgi?id=700979

-- 
Mike Cardwell  https://grepular.com/ http://cardwellit.com/
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4




Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Lunar
Mike Cardwell:
 I am not on the Tails list. Perhaps somebody who is already there might
 bring it up?

No point in doing so. Thunderbird is not currently shipped by Tails.

-- 
Lunar lu...@torproject.org




Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Joe Btfsplk

On 1/26/2014 10:03 PM, Moritz Bartl wrote:

On 01/26/2014 08:42 PM, Al Billings wrote:

What is the bug number?

https://grepular.com/Security_Bug_Thunderbird_Websites_Tabs

The bugzilla report is currently locked from being viewed, but for when
it becomes unlocked, here it is: bug 700979

https://bugzilla.mozilla.org/show_bug.cgi?id=700979

That's odd.  Once logged into bugzilla, I've never seen "you are not
authorized to view this bug."  But maybe it happens.
Why would they lock it so others can't add to comments, unless they know
it's a problem & want to keep a lid on it, till find a fix?



Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Mike Cardwell
* on the Mon, Jan 27, 2014 at 08:13:58AM -0600, Joe Btfsplk wrote:

 What is the bug number?
 https://grepular.com/Security_Bug_Thunderbird_Websites_Tabs

 The bugzilla report is currently locked from being viewed, but for when
 it becomes unlocked, here it is: bug 700979

 https://bugzilla.mozilla.org/show_bug.cgi?id=700979

 That's odd.  Once logged into bugzilla, I've never seen you are not 
 authorized to view this bug.  But maybe it happens.
 Why would they lock it so others can't add to comments, unless they know 
 it's a problem  want to keep a lid on it, till find a fix?

Security related bugs are hidden by default and only made public when
a fix is rolled out. This is very common. They are aware that this issue
is now public information so I assume they'll be unlocking it at some
point.

Unfortunately, in this instance, I think this private disclosure has
allowed the issue to go unfixed for a long time. I probably should have
made it public much sooner.

-- 
Mike Cardwell  https://grepular.com/ http://cardwellit.com/
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4




Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Joe Btfsplk


On 1/26/2014 7:14 PM, Al Jigong Billings wrote:

Like I said, Thunderbird doesn't allow for pages to open in tabs without an
extension. So., if you have reliable repro steps,  it is a bug that should
be fixed and I can push on it to get it addressed.
Unless I can get one of the specially crafted emails to do tests, 
doubt I'll be able to reproduce it.
Preferably, acquire a special email w/ links, determined safe or one 
created just for testing.
Obviously, not going to click every link in all msgs from known / 
unknown sources.


Happened only couple times IIRC - months ago & spaced apart. But, I
don't normally click ANY links in email.

Impossible to tell how many may've shown this behavior.
If I'm not imagining it, Mozilla could've fixed it by now.  Or not.

Someone mentioned (perhaps?) for some of the special msgs, they're 
missing the copy link location option?

If so, could just R click links to check.


Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Julie Chartier
You can have the copyrights to all my info for the test regarding tor talk.
I want to forget this ever happened. You are a genius btw. And thank you
again. How can I get my privacy back?

Julie Chartier
On Jan 27, 2014 9:47 AM, Joe Btfsplk joebtfs...@gmx.com wrote:


 On 1/26/2014 7:14 PM, Al Jigong Billings wrote:

 Like I said, Thunderbird doesn't allow for pages to open in tabs without
 an
 extension. So., if you have reliable repro steps,  it is a bug that should
 be fixed and I can push on it to get it addressed.

 Unless I can get one of the specially crafted emails to do tests, doubt
 I'll be able to reproduce it.
 Preferably, acquire a special email w/ links, determined safe or one
 created just for testing.
 Obviously, not going to click every link in all msgs from known / unknown
 sources.

 Happened only couple times IIRC - months ago  spaced apart. But, I don't
 normally click ANY links in email.
 Impossible to tell how many may've shown this behavior.
 If I'm not imagining it, Mozilla could've fixed it by now.  Or not.

 Someone mentioned (perhaps?) for some of the special msgs, they're missing
 the copy link location option?
 If so, could just R click links to check.


Re: [tor-talk] Thunderbird leak

2014-01-27 Thread nb.linux
Joe Btfsplk:
 
 On 1/26/2014 7:14 PM, Al Jigong Billings wrote:
 Like I said, Thunderbird doesn't allow for pages to open in tabs
 without an
 extension. So., if you have reliable repro steps,  it is a bug that
 should
 be fixed and I can push on it to get it addressed.
 Unless I can get one of the specially crafted emails to do tests,
 doubt I'll be able to reproduce it.
For me it was enough to do this on a Thunderbird Unix Mailspool
(Movemail) account (Settings/Account Actions/Add Other Account...):

$ cat | sendmail -t
From: $YOUR_USER
To: $YOUR_USER
MIME-Version: 1.0
Subject: Test
Content-Type: text/html

<html>
  <body>
    <svg xmlns="http://www.w3.org/2000/svg"
         xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
      <a xlink:href="https://www.mozilla.org/" xlink:show="new">
        <text x="0" y="12" font-family="Verdana" font-size="12"
              fill="black">Click me</text>
      </a>
    </svg>
  </body>
</html>

[CTRL]+[D]

Though I don't know whether it makes a difference to use unix mailspool
instead of a normal IMAPS/POPS:

When I opened that email and set View/Message Body As/Original HTML,
Torbirdy did not prevent the tab to load nor refuse to display the HTML.
(Maybe this is intended, because Torbirdy only focuses on normal email
accounts(?))

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
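
A defender-side check for the message structure reproduced in the post above, as an added example that is not part of the original thread: it walks a message's text/html parts and reports links carried inside SVG or MathML content. The sample message, the example.org addresses and all function names are constructed for illustration; treating MathML href attributes as worth flagging is an assumption based on the thread's remark that similar bugs may exist there.

```python
"""Report links carried inside SVG or MathML content in an e-mail's HTML parts."""
from email import message_from_string
from html.parser import HTMLParser

# Foreign-content roots to inspect. SVG is the case reproduced in this thread;
# MathML is included as an assumption, since the thread only says similar bugs
# may exist there.
FOREIGN_ROOTS = {"svg", "math"}
LINK_ATTRS = ("xlink:href", "href")

# Constructed sample message (not real mail); every address is a placeholder.
SAMPLE = """\
From: tester@example.org
To: tester@example.org
MIME-Version: 1.0
Subject: Test
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://example.org/ordinary">ordinary HTML link</a></p>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <a xlink:href="https://example.org/svg" xlink:show="new">
    <text x="0" y="12">Click me</text>
  </a>
</svg>
<math xmlns="http://www.w3.org/1998/Math/MathML">
  <mtext href="https://example.org/mathml">x</mtext>
</math>
</body></html>
"""


class ForeignLinkFinder(HTMLParser):
    """Collects link-bearing elements that sit inside <svg> or <math>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.roots = []      # currently open <svg>/<math> elements
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in FOREIGN_ROOTS:
            self.roots.append(tag)
        if not self.roots:
            return           # ordinary HTML link: not what we are looking for
        attrd = dict(attrs)
        for name in LINK_ATTRS:
            if attrd.get(name):
                self.findings.append({
                    "container": self.roots[-1],
                    "element": tag,
                    "attr": name,
                    "target": attrd[name],
                    "show": attrd.get("xlink:show"),
                })
                break

    def handle_endtag(self, tag):
        # Tolerate unclosed inner roots: unwind back to the one being closed.
        if tag in self.roots:
            while self.roots.pop() != tag:
                pass


def scan_message(raw):
    """Return one finding per SVG/MathML link in the message's text/html parts."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        try:
            text = body.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label in the header
            text = body.decode("utf-8", "replace")
        finder = ForeignLinkFinder()
        finder.feed(text)
        finder.close()
        findings.extend(finder.findings)
    return findings


if __name__ == "__main__":
    for hit in scan_message(SAMPLE):
        print("{container}: <{element} {attr}={target!r}> show={show}".format(**hit))
```

A hit means the message deserves a look at its source before any link in it is clicked; it does not by itself show that the message is malicious.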


Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Al Jigong Billings
It is a sec moderate bug for a reason. It doesn't affect the default view
according to those who have tested it. You have to select view original
html.


Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Julie Chartier
P.s. I didn't say nothing to no one

Julie Chartier
On Jan 27, 2014 12:19 PM, Al Jigong Billings alb...@openbuddha.com
wrote:

 It is a sec moderate bug for a reason. It doesn't affect the default view
 according to those who have tested it. You have to select view original
 html.


Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Julie Chartier
Can you make that pop up on my screen?
P.s. donation can be made tomorrow, or maybe after 5. Check has to clear
first

Julie Chartier
On Jan 27, 2014 12:19 PM, Al Jigong Billings alb...@openbuddha.com
wrote:

 It is a sec moderate bug for a reason. It doesn't affect the default view
 according to those who have tested it. You have to select view original
 html.


Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Al Billings
Yes but you have to choose to view the original html or it doesn’t do anything. 
So, by default, users will not be automatically exploited. They have to get a 
bad email and then choose menu options for that one email to then be able to 
click on a link which then might have content…

This is why it was considered a “moderate” security issue. It isn’t a drive by 
exploit where you send mail to people and then something happens to them. They 
have to actively cooperate to be exploited. It is a bug, yes, but it isn’t as 
bad as was being painted the other day here.

Al

From: nb.linux nb.linux
Reply: tor-talk@lists.torproject.org tor-talk@lists.torproject.org
Date: January 27, 2014 at 10:56:17 AM
To: tor-talk@lists.torproject.org tor-talk@lists.torproject.org
Subject:  Re: [tor-talk] Thunderbird leak  
When I opened that email and set View/Message Body As/Original HTML, 
Torbirdy did not prevent the tab to load nor refuse to display the HTML. 
(Maybe this is intended, because Torbirdy only focuses on normal email 
accounts(?)) 
-- 
Al Billings
http://makehacklearn.org



Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Sukhbir Singh
nb.linux:

 When I opened that email and set View/Message Body As/Original HTML,
 Torbirdy did not prevent the tab to load nor refuse to display the HTML.
 (Maybe this is intended, because Torbirdy only focuses on normal email
 accounts(?))

No, this is not related to the type of emails accounts but because you
explicitly asked Thunderbird to display the message in its original HTML
form and thus were able to reproduce this behaviour. If TorBirdy is
enabled, it will convert the HTML to plain text (sanitizing it) before
displaying it.

-- 
Sukhbir


Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Sukhbir Singh
 form and thus were able to reproduce this behaviour. If TorBirdy is
 enabled, it will convert the HTML to plain text (sanitizing it) before
 displaying it.

Just to clarify: Thunderbird does the HTML sanitization, not TorBirdy.
TorBirdy just makes sure that the relevant preferences are enabled and
enforced.


[tor-talk] Thunderbird leak

2014-01-26 Thread Mike Cardwell
I just blogged about a general security issue in Thunderbird which may
also affect people who are using Tor:

https://grepular.com/Security_Bug_Thunderbird_Websites_Tabs

Basically, an email can be crafted such that when you click a link in
that email it is opened within a Thunderbird tab instead of in your
usual (potentially torified) web browser. Bypassing any other defenses
you might also have, including NoScript etc.

-- 
Mike Cardwell  https://grepular.com/ http://cardwellit.com/
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4




Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Andrew F
Also you might want to post this on the tails list.



On Sun, Jan 26, 2014 at 5:33 PM, Andrew F andrewfriedman...@gmail.com wrote:

 YIKES... Are you sure, how did this slip by?



 On Sun, Jan 26, 2014 at 3:06 PM, Mike Cardwell t...@lists.grepular.comwrote:

 I just blogged about a general security issue in Thunderbird which may
 also affect people who are using Tor:

 https://grepular.com/Security_Bug_Thunderbird_Websites_Tabs

 Basically, an email can be crafted such that when you click a link in
 that email it is opened within a Thunderbird tab instead of in your
 usual (potentially torified) web browser. Bypassing any other defenses
 you might also have, including NoScript etc.

 --
 Mike Cardwell  https://grepular.com/ http://cardwellit.com/
 OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
 XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4



Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Andrew F
YIKES... Are you sure, how did this slip by?



On Sun, Jan 26, 2014 at 3:06 PM, Mike Cardwell t...@lists.grepular.com wrote:

 I just blogged about a general security issue in Thunderbird which may
 also affect people who are using Tor:

 https://grepular.com/Security_Bug_Thunderbird_Websites_Tabs

 Basically, an email can be crafted such that when you click a link in
 that email it is opened within a Thunderbird tab instead of in your
 usual (potentially torified) web browser. Bypassing any other defenses
 you might also have, including NoScript etc.

 --
 Mike Cardwell  https://grepular.com/ http://cardwellit.com/
 OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
 XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4



Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Joe Btfsplk

On 1/26/2014 11:33 AM, Andrew F wrote:

YIKES... Are you sure, how did this slip by?



On Sun, Jan 26, 2014 at 3:06 PM, Mike Cardwell t...@lists.grepular.com wrote:


I just blogged about a general security issue in Thunderbird which may
also affect people who are using Tor:

https://grepular.com/Security_Bug_Thunderbird_Websites_Tabs

Basically, an email can be crafted such that when you click a link in
that email it is opened within a Thunderbird tab instead of in your
usual (potentially torified) web browser. Bypassing any other defenses
you might also have, including NoScript etc.

--
Mike Cardwell  https://grepular.com/ http://cardwellit.com/
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4


I've seen a few links in emails  open in new Tbird tabs, instead of 
Firefox (email from persons I know, or think I know it's from them) .
I usually just copy links & paste in Fx.  Safer.  If it's from someone I
know AND was expecting a msg, I rarely forget & just click links.
Rarely, those WILL open in a new Tbird tab, but usually in default 
browser (Fx).


Don't know if has (anything) to do w/ Tbird options setting, under 
Advanced  Reading  Display:  Open Messages In:  New tab; New msg 
window; Existing msg window.

Never seen a Tbird setting about open links in


Re: [tor-talk] Thunderbird leak

2014-01-26 Thread intrigeri
Mike Cardwell wrote (26 Jan 2014 18:34:59 GMT) :
 Also you might want to post this on the tails list.

 I am not on the Tails list. Perhaps somebody who is already there might
 bring it up?

FYI, Tails does not ship Thunderbird. Also, anyone can post on the
Tails lists (no need to subscribe first).

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Mike Cardwell
* on the Sun, Jan 26, 2014 at 05:33:45PM +, Andrew F wrote:

 YIKES... Are you sure, how did this slip by?

Yes, I am sure. 

 Also you might want to post this on the tails list.

I am not on the Tails list. Perhaps somebody who is already there might
bring it up?

-- 
Mike Cardwell  https://grepular.com/ http://cardwellit.com/
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4




Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Mike Cardwell
* on the Sun, Jan 26, 2014 at 12:04:24PM -0600, Joe Btfsplk wrote:

 I've seen a few links in emails  open in new Tbird tabs, instead of 
 Firefox (email from persons I know, or think I know it's from them) .
 I usually just copy links  paste in Fx.  Safer.  If it's from someone I 
 know AND was expecting a msg, I rarely forget  just click links.  
 Rarely, those WILL open in a new Tbird tab, but usually in default 
 browser (Fx).

As mentioned in the blog post, when right clicking one of these links
in order to select Copy Link Location from the context menu, you will
find that the option is missing. I imagine that many people at this point
would skip their usual copy/paste routine and just click the link for
convenience.

 Don't know if has (anything) to do w/ Tbird options setting, under 
 Advanced  Reading  Display:  Open Messages In:  New tab; New msg 
 window; Existing msg window.
 Never seen a Tbird setting about open links in

You're definitely not supposed to be able to do this. Mozilla
acknowledged that it was a security issue and classified it as moderate.
It has been over two years since I told them about it and it hasn't
been fixed, hence why I am now making it public.

-- 
Mike Cardwell  https://grepular.com/ http://cardwellit.com/
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4




Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Al Jigong Billings
Did you open a bug on it within Mozilla's bugzilla?


Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Sukhbir Singh
This issue does not affect TorBirdy as it disables HTML emails. From [0]:

emails you send will be in plain text and HTML emails you receive
will be sanitized and converted to plain text.

(I have tried to reproduce this leak and can confirm that Thunderbird
+ TorBirdy is not vulnerable.)

[0] - 
https://trac.torproject.org/projects/tor/wiki/torbirdy#HowdoIsendandreceiveHTMLemails

-- 
Sukhbir


Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Al Billings
Assuming we’re talking about people opening web pages in TB tabs, that normally 
can only happen if someone installs Thunderbrowse or a similar extension. By 
default, TB doesn’t render web pages.


Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Robert Heller
At Sun, 26 Jan 2014 17:33:19 + tor-talk@lists.torproject.org wrote:

 
 YIKES... Are you sure, how did this slip by?
 
 
 
 On Sun, Jan 26, 2014 at 3:06 PM, Mike Cardwell t...@lists.grepular.comwrote:
 
  I just blogged about a general security issue in Thunderbird which may
  also affect people who are using Tor:
 
  https://grepular.com/Security_Bug_Thunderbird_Websites_Tabs
 
  Basically, an email can be crafted such that when you click a link in
  that email it is opened within a Thunderbird tab instead of in your
  usual (potentially torified) web browser. Bypassing any other defenses
  you might also have, including NoScript etc.

The woes of HTML E-Mail...

 
  --
  Mike Cardwell  https://grepular.com/ http://cardwellit.com/
  OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
  XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
 
 
 

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments



 


Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Al Billings
What is the bug number? 

-- 
Al Billings
http://www.openbuddha.com
http://makehacklearn.org


On Sunday, January 26, 2014 at 10:43 AM, Mike Cardwell wrote:

 You're definitely not supposed to be able to do this. Mozilla
 acknowledged that it was a security issue and classified it as moderate.
 It has been over two years since I told them about it and it hasn't
 been fixed, hence why I am now making it public.




Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Joe Btfsplk

On 1/26/2014 1:15 PM, Al Billings wrote:

Assuming we’re talking about people opening web pages in TB tabs, that normally 
can only happen if someone installs Thunderbrowse or a similar extension. By 
default, TB doesn’t render web pages.
I thought the same thing.  I'm pretty sure I've had links in email open 
IN Tbird tabs.  It happened so rarely, took me by surprise. For safety, 
I never really clicked links in email.  After that, I never do.
I'm guessing it may've been a confirmation email for website forum, tech 
support w/ a link, etc.  Something I expected, or likely wouldn't just 
have clicked it, regardless of what Tbird's supposed / not supposed to do.


Of course, NSA could've intercepted the real confirmation & sent a link
that downloaded malware.


If R click  copy link location was missing, I'd not click it at all, 
or erase msg or at bare minimum (if it was important), look at the msg 
source to see the real link.
When you're tired, may not realize you're in email  absent mindedly 
click a link.  Rather than a browser - where it's common to click links.

Something to be said for using email text only mode.


Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Al Jigong Billings
Like I said, Thunderbird doesn't allow for pages to open in tabs without an
extension. So, if you have reliable repro steps, it is a bug that should
be fixed and I can push on it to get it addressed.

Al
On Jan 26, 2014 5:11 PM, Joe Btfsplk joebtfs...@gmx.com wrote:

 On 1/26/2014 1:15 PM, Al Billings wrote:

 Assuming we’re talking about people opening web pages in TB tabs, that
 normally can only happen if someone installs Thunderbrowse or a similar
 extension. By default, TB doesn’t render web pages.

 I thought the same thing.  I'm pretty sure I've had links in email open IN
 Tbird tabs.  It happened so rarely, took me by surprise. For safety, I
 never really clicked links in email.  After that, I never do.
 I'm guessing it may've been a confirmation email for website forum, tech
 support w/ a link, etc.  Something I expected, or likely wouldn't just have
 clicked it, regardless of what Tbird's supposed / not supposed to do.

 Of course, NSA could've intercepted the real confirmation  sent a link
 that downloaded malware.

 If R click  copy link location was missing, I'd not click it at all, or
 erase msg or at bare minimum (if it was important), look at the msg source
 to see the real link.
 When you're tired, may not realize you're in email  absent mindedly click
 a link.  Rather than a browser - where it's common to click links.
 Something to be said for using email text only mode.


Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Moritz Bartl
On 01/26/2014 08:42 PM, Al Billings wrote:
 What is the bug number? 

https://grepular.com/Security_Bug_Thunderbird_Websites_Tabs

The bugzilla report is currently locked from being viewed, but for when
it becomes unlocked, here it is: bug 700979

https://bugzilla.mozilla.org/show_bug.cgi?id=700979


-- 
Moritz Bartl
https://www.torservers.net/


Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Al Billings
Yep. Already found it and just commented on it.

From: Moritz Bartl Moritz Bartl
Reply: tor-talk@lists.torproject.org tor-talk@lists.torproject.org
Date: January 26, 2014 at 9:11:30 PM
To: tor-talk@lists.torproject.org tor-talk@lists.torproject.org
Subject:  Re: [tor-talk] Thunderbird leak  
On 01/26/2014 08:42 PM, Al Billings wrote:  
 What is the bug number?  

https://grepular.com/Security_Bug_Thunderbird_Websites_Tabs  

The bugzilla report is currently locked from being viewed, but for when  
it becomes unlocked, here it is: bug 700979  

https://bugzilla.mozilla.org/show_bug.cgi?id=700979  


--  
Moritz Bartl  
https://www.torservers.net/  
-- 
Al Billings
http://makehacklearn.org
