On 02/01/08 21:01, Martin Fick wrote:
> --- anonym <[EMAIL PROTECTED]> wrote:
>
>> On 02/01/08 09:16, anon ymous wrote:
>> But I'm more interested in smtp on the "open"
>> Internet currently as I don't want to push too many
>> new concepts on the people I try to help,
>> _and_ I need a solution fast (+ I don't have any
>> resources for putting up the required setup for a
>> hidden service email).
>>
>> I would like that smtps got a similar status with
>> Tor as http(s) has. IMHO the issues with http(s)
>> (e.g. javascript, cookies) seem to be far
>> worse than smtp unless I've missed something, so I
>> don't understand why it's not focused on more. At
>> least until all the issues with anonymous remailers
>> have been sorted out (like that you can't reply to
>> messages).
>
>
> It seems to me that the problem here really isn't tor,
> but rather one of not having an equivalent of privoxy
> for SMTPS? HTTP was dealt with easily because people
> approached the privacy angle with privoxy
> independently of tor. I agree that it would be nice
> to start a similar project for SMTP(S). Seems like
> hacking a simple remailer such as ssmtp would be one
> way to start,

Ok, but how well does privoxy protect against the dreaded JavaScript-based attacks that leak the actual IP address of the Tor user? I am under the impression that privoxy doesn't protect against this and that complete deactivation of JavaScript is necessary for security, at least right now (future improvements to privoxy might of course fix this).

In any case, my argument is that Thunderbird + Torbutton for smtps is basically just as good as Firefox + Privoxy + Torbutton (which has to deal with javascript, cookies, flash, etc.) is for http(s) unless I miss something. The only thing Thunderbird seems to leak over SMTP is some non-critical stuff in the header, like user-agent (all of which easily could be prevented by an addon such as Torbutton which already does the equivalent for Firefox's http(s) headers).

The much more critical issue of including the IP address or hostname of the Tor user's computer in the EHLO/HELO message (sent in the initial steps of smtp) is taken care of by Torbutton according to my network sniffing research.
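
The following is an added example, not part of the original message or of any project it mentions: a Python check for the two leak classes the message names (the machine's IP address or hostname in EHLO/HELO, and client-identifying headers such as User-Agent), run over the client-sent lines of a captured SMTP session. The function name, the session lines, the addresses and the hostnames are constructed for illustration; X-Mailer is included as an assumption, being the equivalent header used by other mail clients.

```python
import re

# User-Agent is the header the message names; X-Mailer is an assumed equivalent.
CLIENT_ID_HEADERS = {"user-agent", "x-mailer"}

def audit_smtp_client_side(lines, local_identifiers):
    """Return (severity, field, value) findings for lines the mail client sent.

    local_identifiers: IP addresses and hostnames of the user's own machine.
    """
    local = {s.lower() for s in local_identifiers}
    findings, in_data, in_headers = [], False, False
    for line in lines:
        if not in_data:
            m = re.match(r"(EHLO|HELO)\s+(\S+)", line, re.I)
            if m:
                # Address literals look like [192.0.2.7] or [IPv6:2001:db8::1].
                bare = m.group(2).strip("[]").lower()
                if bare.startswith("ipv6:"):
                    bare = bare[5:]
                if any(bare == i or bare.startswith(i + ".") for i in local):
                    findings.append(("critical", m.group(1).upper(), m.group(2)))
            elif line.strip().upper() == "DATA":
                in_data = in_headers = True
            continue
        if line == ".":                 # lone dot ends the message
            in_data = False
        elif in_headers:
            if line == "":              # blank line ends the header block
                in_headers = False
            elif ":" in line and not line[0].isspace():
                name, value = line.split(":", 1)
                if name.lower() in CLIENT_ID_HEADERS:
                    findings.append(("minor", name, value.strip()))
    return findings

# Constructed sample sessions (client side only), not real captures.
LOCAL = {"192.168.1.23", "alice-laptop"}
LEAKY = ["EHLO [192.168.1.23]", "MAIL FROM:<user@example.org>",
         "RCPT TO:<friend@example.net>", "DATA", "From: user@example.org",
         "User-Agent: ExampleMail 1.0", "Subject: hi", "",
         "User-Agent: this line is body text, not a header", ".", "QUIT"]
SCRUBBED = ["EHLO [127.0.0.1]", "MAIL FROM:<user@example.org>",
            "RCPT TO:<friend@example.net>", "DATA", "From: user@example.org",
            "Subject: hi", "", "hello", ".", "QUIT"]

if __name__ == "__main__":
    for name, session in (("leaky", LEAKY), ("scrubbed", SCRUBBED)):
        print(name, audit_smtp_client_side(session, LOCAL))
```

The severities follow the message's own ranking: the EHLO/HELO argument is the critical leak, the client header the minor one.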

