User-Agent is a HUGE privacy and security hole
I was a long-time fan of Thunderbird, until I discovered that....
Thunderbird violates my privacy big-time, in an unnecessary way, in every mail I send. Why does it include my operating system and version, my Thunderbird version, my Enigmail and PGP version, the number of email accounts I have in Thunderbird, my computer's IP address within my home network, and other personal information? It is totally unnecessary to incorporate this information in every email I send (see the email headers of the email you send). Every email goes through many servers before reaching its destination, and every person at my Internet Service Provider and everyone on the road to the destination can read those email headers. I feel violated!
No good will come from that; just bad people and unwanted guests will poke around in that information to violate your privacy or to find a way to attack you. Other mail programs and webmail do not reveal all that information, so it is unnecessary for sending emails.
Thunderbird should change that ASAP.
Until then: how can I access settings to remove all information that is unnecessary to include in email headers? How can that be done? Where can I find settings to preserve my privacy and keep me safe from hackers?
All Replies (15)
Issue is described in https://bugzilla.mozilla.org/show_bug.cgi?id=1114475
I think it lists a workaround
Thanks Wayne Mery,
Reading the whole thread from four years ago, I wonder why this is still not implemented. For all, the tip to hide the TB version and OS info is: go to Tools -> Options -> Advanced -> General -> Config Editor -> "I'll be careful, I promise" and create a New -> String preference with the name general.useragent.override and leave the value empty. I did it and can confirm it works.
What are the workarounds for not disclosing the other information:
1. Enigmail version
2. PGP version
3. MIME version
4. the number of email accounts you have in Thunderbird
5. the computer's IP address within my home network
6. the thread from 4 years ago says that from other codes even more personal information can be retrieved.
How do I get all that info out of the headers? Just like the thread from 4 years ago closes: I think it is highly important that it becomes the standard to exclude that unnecessarily included personal info from the headers. In the meantime, how can we set this manually??
HELP
user4 said
Reading the whole thread from four years ago.... How to get all that info out of the headers.
Clearly you missed comment one. I suggest you re-read it.
Hi Matt,
Maybe you can clarify what I should have missed according to you. The solution I quoted is from the comment you refer to. It contains one short other remark, which was proven false in the rest of the thread. Thunderbird is in the minority that provides an unnecessary User-Agent header. The other programs are not loved because they are full of security and privacy problems, and that is why people turn to Thunderbird.
I therefore hope you can clarify your reaction.
You may not know that, among others, even the EFF (see www.eff.org) promotes Thunderbird. It is a pity that in the email headers Thunderbird fails to protect its users by putting unnecessary data in there that can only harm them.
I had an attack, done by an email attachment, specifically targeted at my OS, and guess how they found out which operating system I use! The whole discussion of 4 years ago has in the time since then just turned much further in the direction of needing to rid email headers of unnecessary information. Information that is (potentially) violating user privacy and provides a surface for attack. The amount of trouble arising from this information increases exponentially and it is believed that trend might go on. That calls for attention to the subject.
I summed up a numbered list of 6 items still open, where no solution is provided in the reaction you refer to. I know that many would like to know a solution or a manual workaround.
user4 said
I summed up a numbered list of 6 items still open, where no solution is provided in the reaction you refer to. I know that many would like to know a solution or a manual workaround.
1. Ask the Enigmail people. Or do not use the product. It is not an issue for Thunderbird but the add-on.
2. Ask the Enigmail people. Or do not use the product.
3. Use plain text.
4. Not sure what you mean. There are some X-Mozilla header lines, but they are internal to Thunderbird.
5. It will be in the range 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255. However, the RFC does specify a FQDN where available. Have a read of this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=279525 and this one: https://bugzilla.mozilla.org/show_bug.cgi?id=68877
6. I have no idea as I have not read the whole bug report and do not intend to.
I had an attack, done by an email attachment, specifically targeted at my OS and guess how they found out which Operating System I use!
The user agent string of your internet browser? The same one that reported to this forum the following:
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
That is Firefox 62 running on Windows 7 64-bit. Much the same information Thunderbird supplies in its user agent string.
I suggest you familiarize yourself with torbirdy, particularly the settings they change to make Thunderbird "secure enough" for them.
See https://gitweb.torproject.org/torbirdy.git/tree/components/torbirdy.js#n29
Thanks for your reaction, Matt,
1. I found an Enigmail solution: in the "Options" menu for the "Add-ons" you can select the "Preferences" button to open the OpenPGP preferences dialog. In the "Advanced" tab one can add, in the box labeled "Additional parameters for GnuPG", the text "--no-version".
That tells Enigmail to use the "--no-version" parameter, preventing GnuPG from adding the "Version" armor header to its output.
4. The info is indeed in the X-Mozilla headers. Why is that, according to you, "internal to Thunderbird" information, not kept internal? Why share it with the world when it adds nothing to delivering the email?
5. I read both long threads from 14 years ago in full. Their conclusion is that it is bad practice to reveal the computer's IP address (behind the home or business router). The conclusion is that email headers should be cleaned up and cut down on bloat. Also, reporting the internal IP address of a user is regarded as a violation of the RFC. Options should be in the menu and not in obscure settings. That means it is something to look into, and it is a mystery why the bug was not fixed in the next release as discussed 14 years ago. Why is it still not addressed 14 years later?
We are now 14 years further, in the Snowden era, and attacks on Intel ME are made with the internal IP address. That makes a bug already needing attention 14 years ago a safety HOLE. In the last years it has been advised to set a unique home IP range within the allowed areas for safety reasons. That makes it sour that Thunderbird reveals the info!
6. Yes, that is what I say: revealing 'Firefox 62 running on Windows 7 64-bit' is a huge safety hazard nowadays. That should not be revealed by default. In the headers several codes are used. They are supposed to contain more private info, but since the discussion does not reveal in the thread what is revealed in which way, I guess it is for the experts to explain that.
Referring to a tool that says it is still in beta for eliminating bugs in Mozilla is bad practice. It is limited too, as it does not allow sending HTML email. It will slow down receiving email and is not an option in many countries, since ISPs there are often pressed to block email being sent via Tor. Not every country is a democracy, and that makes it all the more important that email headers are kept clean and no unnecessary leaking of private info takes place by Thunderbird.
Looking forward to solutions.
user4 said
4 the info is indeed in the X-Mozilla headers. Why is that according to you ”internal to Thunderbird” information not kept internal. Why share it to the world when it adds nothing to delivering the email.
It is not sent with the email. It is stored with the email. You are making assumptions based on no information other than what is displayed in the mail store, then offering those assumptions as security issues.
5. It is a mystery why the bug was not fixed in the next release as discussed 14 years ago. Why is it still not addressed 14 years later?
Could be the developers just have more important things to do. The why is not important and talking about it will change nothing.
6. Yes, that is what I say: revealing 'Firefox 62 running on Windows 7 64-bit' is a huge safety hazard nowadays. That should not be revealed by default.
Take it up with the Firefox developers, Edge developers, Chrome developers et al. Then when you get it all hidden, expect your favorite web page to mess up. Most rely on the information to format the page correctly.
Basically I am done here. I am trying to support Thunderbird users with issues, not debate the relative merits of information in message headers.
Dear Matt,
I like your comments, although they constantly give the feeling of pushing an elephant up the stairs. They now reach a ridiculous level though.
The X-Mozilla headers: privacy-loving email providers go through a lot of effort to scrub those X-Mozilla headers from Thunderbird emails to preserve users' privacy. They do not do that based on assumptions. It is impractical for everyone to use those privacy-loving email providers. In some countries you cannot even join them without attracting unwanted government attention. That does not make it something for you to make assumptions about, telling me you do not want to look at that from a predisposed standpoint, as if you want to support a surveillance state; it should make it something to take a look at.
5. Revealing users' internal IP address: it is clear that security information is published by Thunderbird, which is a security hole; that is confirmed in the threads you linked to. You acknowledge that problem yourself. And what you do next is ridiculous. I am here with Thunderbird, not others. Next you put up a ridiculous smoke screen. You might not realize that what is revealed by browsing the web anonymously is quite different from what is revealed in an email that is verifiably sent by someone. Also, browsing does not reveal which email program I use, and a browser 100% guaranteed does not reveal which version of Thunderbird I use.
What you do comes down to user bashing and deterring others from pointing in possible solution directions. Read the threads you provided and look into the open and positive atmosphere of discussion. I hope others are not deterred by you from stepping into this discussion. I hope you step up and point to some possible solutions yourself; with the help of others I already found 2 solutions.
Hope to hear from you.
Re: I had an attack, done by an email attachment, specifically targeted at my OS, and guess how they found out which operating system I use!
I find it incredible that you can prove that someone unknown to you maliciously and illegally accessed your sent emails, explicitly those sent only via Thunderbird on your computer, to discover what OS you use just to send you a bogus email with an attachment that shouldn't be opened.
That means you have managed to identify the sender of the email and discussed with them the details of how they intercepted your Thunderbird sent emails and the reason they gave was to know what OS you use.
Sorry, but I'm just not buying that.
Most attacks are on Windows OS; you are not an exception. The odds of an email address using a Windows OS are pretty darn high.
Email addresses can be random guesses or gleaned by robots because the user of the email address published it in an online forum, or they sent emails which were forwarded and personal details were not removed, etc. etc. Nefarious people are a pain in the posterior when they abuse other people's email addresses, but they are not very good at creating authentic-looking emails.
Why would you choose to open an email attachment when you are not 100% certain who sent it and not aware of exactly what it purports to be? Do you not open it in a sandbox-protected system? Do you not scan files you are about to open?
I get dozens of emails with bogus attachments, e.g. receipts etc. I never open them, for obvious reasons.
From a security angle, I would be more concerned about why you are choosing to open and run attachments from unknown sources. Whether the OS info is in the email or not isn't relevant in your case, because the odds of you getting the malicious email would still exist, and if you insist on opening attachments when you should not, are too curious, or refuse to use sensible precautions, then you will continue to have issues of the same nature.
I'm not here to discuss whether it says Windows OS in an email header and whether it is right or wrong.
I'm responding because you are not applying basic good practice when you receive emails and consider which emails are not what they purport to be. This makes you a vulnerable and easy target.
Basics: do not allow remote content to be automatically displayed. Do not automatically display attachments inline. Do not click on links without checking them first: hover over the link and the true link is seen in the status bar. Never open any attachment if you are not 100% sure who sent it. Do not be curious.
Hi Toad-hall
I already knew and had implemented every safety practice you describe. That is quite off-topic though, since this thread is about email headers. I am fine discussing those measures with you in depth if you start another topic for that.
It happened! Displaying information that is totally unnecessary for email delivery and that gives a surface for attack is a privacy violation and a HUGE risk for everyone. That is an opinion Thunderbird had, and many experts have, but the solution is not implemented for everyone.
I would be very happy if you know solutions or workarounds.
Go to Tools -> Options -> Advanced -> General -> Config Editor -> "I'll be careful, I promise" and create a New -> String. Name it "mail.smtpserver.default.hello_argument".
As a value you can give anything, a word or even a sentence like "closed.thunderbird.security.hole" to make a statement, but for some it might be best to go unnoticed in the masses while keeping your privacy and security and use a fake IP value, for example "192.168.1.2". It might be better to use a value like "127.0.0.1" (simply means "my computer"), "0:0:0:0:0:0:0:1" (the IPv6 value of 127.0.0.1) or "::1" (said to be the modern short annotation since Windows Vista and later for 127.0.0.1).
Whichever you choose stops Thunderbird disclosing your (home or business) network security and privacy in every email you send. Which value do you think is the better value to add to blend best into the masses?
PS: Why was the title of the thread changed?
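A way to check what actually leaves your machine, covering both the general.useragent.override workaround earlier in the thread and the hello_argument workaround above. This is an added example, not code from the original thread and not part of Thunderbird or Enigmail: it parses a message the way the receiving side stores it and reports the User-Agent header, the OpenPGP header, any X-Mozilla-* header that survived delivery, RFC 1918 addresses in Received lines (the receiving server writes the EHLO argument into the "from" clause of its Received header, which is where the internal address shows up), and the "Version:" armor header that --no-version removes. The two sample messages are constructed for this example, not captured mail; the function names (audit_headers, is_rfc1918) are my own.

```python
from __future__ import annotations

import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage

# Constructed sample (not a captured message): a signed message as the
# receiving MX might store it, carrying the items discussed in the thread.
SAMPLE_LEAKY = b"""\
Received: from [192.168.1.23] (host-203-0-113-5.example.net [203.0.113.5])
\tby mx.example.org with ESMTPSA id abc123
\tfor <bob@example.org>; Mon, 01 Oct 2018 12:00:00 +0000
From: alice@example.net
To: bob@example.org
Subject: test
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Thunderbird/60.0
OpenPGP: preference=signencrypt
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEzBAEBCAAdFiEE
-----END PGP SIGNATURE-----
"""

# Constructed sample: the same message after the three workarounds
# (empty user agent, --no-version, hello_argument set to 127.0.0.1).
SAMPLE_CLEAN = b"""\
Received: from [127.0.0.1] (host-203-0-113-5.example.net [203.0.113.5])
\tby mx.example.org with ESMTPSA id abc124
\tfor <bob@example.org>; Mon, 01 Oct 2018 12:01:00 +0000
From: alice@example.net
To: bob@example.org
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE
-----END PGP SIGNATURE-----
"""

# Only the three RFC 1918 ranges: the documentation ranges (203.0.113.0/24 etc.)
# count as "private" in Python's ipaddress module and would cause false hits.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ARMOR_VERSION_RE = re.compile(r"^Version: (.+)$", re.MULTILINE)


def is_rfc1918(ip: str) -> bool:
    """True for an address in one of the private IPv4 ranges a LAN uses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def audit_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (kind, detail) pairs for each client-identifying item found."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []

    # Client software and OS: User-Agent (Thunderbird) or X-Mailer (other clients).
    for name in ("User-Agent", "X-Mailer"):
        value = msg.get(name)
        if value:
            findings.append((name.lower(), str(value)))

    # Enigmail's OpenPGP preference header.
    if msg.get("OpenPGP"):
        findings.append(("openpgp", str(msg["OpenPGP"])))

    # Local-store annotations; if one is present in a delivered copy, it was sent.
    for name in msg.keys():
        if name.lower().startswith("x-mozilla-"):
            findings.append(("x-mozilla", name))

    # EHLO argument recorded by the receiving server in its Received "from" clause.
    for received in msg.get_all("Received", []):
        for ip in IPV4_RE.findall(str(received)):
            if is_rfc1918(ip):
                findings.append(("received-private-ip", ip))

    # GnuPG "Version:" armor header inside the text body.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        match = ARMOR_VERSION_RE.search(body.get_content())
        if match:
            findings.append(("armor-version", match.group(1).strip()))

    return findings


if __name__ == "__main__":
    for label, sample in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, audit_headers(sample) or "no findings")
```

Run it on the raw source of a message as it arrived at an external account you control (save the delivered copy and feed its bytes to audit_headers), not on the copy in your Sent folder: only the delivered copy shows which of these items survived the trip, and it settles for your own setup whether any X-Mozilla-* header is actually transmitted. Only the first Received line reflects your client's EHLO argument; later hops record the servers in between.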
When your mail becomes spam because you spoofed the from IP address, do not complain; you have fixed your security hole.
Hi Matt,
It might be better if you would familiarize yourself with the subject before trolling in the thread. Read, for example, the links you provide yourself. Putting an internal IP address from behind a company or home router in a header is against specifications and increases the spam score. The spam score lowers by not revealing those internal IP addresses. Even circumventing the Thunderbird security problem until it is fixed, by manually inserting [127.0.0.1] instead of an internal IP address into an email header, lowers the spam score.
I am convinced that with your knowledge you can have a positive contribution to these problems and would love to see a positive contribution from you.
There are lots of problems remaining, like:
1. Revealing the number of email accounts in Thunderbird email headers, which has no benefit for the user; that useless info can only harm him and also increases other privacy & security issues like identifying clients/locations.
2. The ability to hide the "Openpgp: preference=......" string.
3. The sending at every startup of an HTTP request in cleartext to Mozilla containing specific Thunderbird version, OS, locale and build ID information.
4. The Thunderbird cookie with no secure flag set and valid for five years.
5. The report of Account Autoconfiguration sending the first login over plain HTTP, which allows an attacker to configure Thunderbird via a man-in-the-middle attack.
Contribute and let us make Thunderbird better, really make it stand out from the crowd, and give users the knowledge and options to make Thunderbird safer.
I am convinced you can contribute to that.
I suggest you get cracking on coding your changes and get them approved by the relevant module owners. I have made the mistake of feeding you, but that ends now. I have no intention of participating further in this thread.
Well Matt, it is a pity that you just bashed around in the thread and did not participate. It would have been nice if you had participated in making Thunderbird a better product.