On 26 May 2012 08:18, Sukhbir Singh <sukhbir...@gmail.com> wrote: > > Hi, > > Karsten N.: > The `reply_header_authorwrote' issue has now been fixed and if you > notice this email, this is the approach we are following: > > %s: > > where %s is the author. So the language preference of the user is not > revealed. If you look at [0], we are setting: > > reply_header_authorwrote to %s > reply_header_type to 1
Wouldn't this (or some of the other header settings) allow the recipient or general public (if a mailing list post) to learn that a person was using TorBirdy? I hate to say it, but "What's the threat model?" A passive attacker watching a user learns the user uses Tor, but unless they do network analysis, nothing else. The same passive attacker watching the IMAP/POP endpoint learns someone is connecting over Tor, and because subsequent SMTP-SMTP connections are often unencrypted (or unauthenticated)[1], they may be able to learn the user's name some of the time; and email contents some of the time if not encrypted with S/MIME or PGP. The entire SMTP-server path is in email headers AFAIK - does that include the connecting IP (e.g. the tor exit node?). If it does, then the next part doesn't matter - if it does not: a recipient wouldn't be able to learn that the sender sent it using TorBirdy... unless TorBirdy used some non-standard and distinguishing email header or setting... like this one. Is that important? It seems like it would be. As an example, go through this thread, and see whose reply header is of the form "On X, Y wrote:" and now you know who's not running the latest version. -tom [1] https://ritter.vg/blog-no_email_security.html _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
