Bug 4177 - Reduce fingerprinting when using TOR proxy
Status: NEW
Alias: None
Product: Claws Mail
Classification: Unclassified
Component: Other
Version: 3.17.4
Hardware: PC All
Importance: P3 enhancement
Assignee: users
Reported: 2019-03-15 14:20 CET by George
Modified: 2019-03-16 00:29 CET
Description George 2019-03-15 14:20:40 CET
When using TOR proxy it would be good to have an additional anonymity-enhancing mechanism that reduces the possibility of fingerprinting based on "typical connections" (e.g. connecting to the same mail servers, RSS feeds, etc.) through the same TOR identity.

A little research shows that this is possible. The user has to set a ControlPort and use HashedControlPassword or CookieAuthentication, then request a new identity like this:

https://stem.torproject.org/faq.html#how-do-i-request-a-new-identity-from-tor

I have tried the "telnet version" with a short bash script, and it works fine (assuming localhost and ControlPort 9051):

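#!/bin/bash
# Ask the local Tor ControlPort (127.0.0.1:9051) for a new identity.
# -r keeps backslashes literal, -s keeps the password off the screen.
read -r -s -p "Tor controller password: " password
echo

# Authenticate, request a new identity, then close the control connection.
cat <<EOF | nc 127.0.0.1 9051
AUTHENTICATE "${password}"
SIGNAL NEWNYM
quit
EOF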

Perhaps a more intelligent approach for implementing similar identity control functionality in CM would be to use the Stem API (https://stem.torproject.org/api/control.html). Then CM can use a new TOR identity/circuit for each separate connection (individual RSS feed, IMAP, POP, NNTP or other connection). Also, it may be possible to use parallel TOR circuits (https://tor.stackexchange.com/q/12116), which would help not to impose a big compromise between speed and privacy.
Comment 1 Andrej Kacian 2019-03-15 22:10:02 CET
A pragmatic solution would be to add a "pre-connection" hook to be fired before an outgoing network connection is made, and have some Tor enthusiast write a plugin to use this hook to do whatever needs doing.
Comment 2 George 2019-03-16 00:29:20 CET
Perhaps if Claws can call such a pre-connection hook script, then even the short example I shared here will work (with some fine-tuning, e.g. using CookieAuthentication or hard-coding the password).
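
One way such a hook script could look, added here as an example and not code from Claws Mail or from any commenter: it uses CookieAuthentication instead of a typed password and checks every control-port reply, so the hook exits with an error when Tor did not accept NEWNYM. It talks to the ControlPort over a plain socket rather than through Stem; the cookie path is an assumed location, and 127.0.0.1:9051 follows the description above.

```python
import socket
import sys

def auth_command(cookie):
    """Build AUTHENTICATE for CookieAuthentication: the cookie file's bytes, hex-encoded."""
    if len(cookie) != 32:
        raise ValueError("Tor control cookie must be exactly 32 bytes")
    return b"AUTHENTICATE " + cookie.hex().encode("ascii") + b"\r\n"

def read_reply(stream):
    """Read one control-port reply: 'NNN-' lines continue it, an 'NNN ' line ends it."""
    while True:
        line = stream.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4:
            raise ConnectionError("control connection closed or malformed reply")
        if line[3] == " ":
            return int(line[:3]), line[4:]

def new_identity(stream, cookie):
    """Authenticate, then send SIGNAL NEWNYM; raise unless both are answered with 250."""
    for command in (auth_command(cookie), b"SIGNAL NEWNYM\r\n"):
        stream.write(command)
        stream.flush()
        code, text = read_reply(stream)
        if code != 250:
            # Stop here: nothing further is sent on a refused connection.
            raise PermissionError(f"{command.split()[0].decode()} refused: {code} {text}")
    stream.write(b"QUIT\r\n")
    stream.flush()

def main(cookie_path="/run/tor/control.authcookie", host="127.0.0.1", port=9051):
    # cookie_path is an assumed location; use the CookieAuthFile from your torrc.
    with open(cookie_path, "rb") as f:
        cookie = f.read()
    with socket.create_connection((host, port), timeout=10) as sock:
        with sock.makefile("rwb") as stream:
            new_identity(stream, cookie)

if __name__ == "__main__":
    try:
        main(*sys.argv[1:2])
    except (OSError, ValueError) as exc:
        # A non-zero exit lets the caller refuse to connect over the old circuit.
        sys.exit(f"new identity not granted: {exc}")
```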