Project

General

Profile

Feature #6158

Feature #5663: Return to Icedove

Feature #6148: Torbirdy in Debian

Feature #6154: Secure the Icedove autoconfig wizard

Fix secure Icedove autoconfig wizard in Tails

Added by Tails about 5 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
Due date:
% Done:

100%

QA Check:
Feature Branch:
feature/6154-secure-autoconfig-in-icedove
Type of work:
Code
Blueprint:
Starter:
No
Affected tool:
Email Client

Description

research why the account creation wizard fails on our custom packages built with this patchset (in feature/icedove), in Tails. Lack of MX query support, perhaps? Keeping in mind that the idea of securing that wizard is to stop trusting DNS, if #6070 is needed to fix this problem, then it's part of this deliverable.


Related issues

Related to Tails - Feature #6070: Support arbitrary DNS queries Confirmed
Related to Tails - Feature #6369: Build Debian packages of Icedove 38 with our patches / create proper branch situation Resolved 10/16/2013

Associated revisions

Revision 27467b06 (diff)
Added by anonym over 2 years ago

Enable the feature-6154-secure-autoconfig-in-icedove APT overlay.

Which contains icedove packages built with our patches for securing
the automatic account configuration wizard.

Will-fix: #6158

Revision 4fb93234 (diff)
Added by anonym over 2 years ago

Enable Icedove's automatic configuration wizard.

TorBirdy disables it due to both its use of insecure protocols for
various lookups, and that it can result in unsafe
configurations. However, with our patches applied, it can be
configured to only use secure protocols, so the wizard is safe again.

Will-fix: #6158

Revision 7976c458 (diff)
Added by anonym over 2 years ago

Configure the automatic configuration wizard to only use secure protocols.

Will-fix: #6158

History

#1 Updated by intrigeri about 5 years ago

  • Priority changed from Normal to High

#2 Updated by BitingBird about 4 years ago

  • Subject changed from fix secure Icedove autoconfig wizard in Tails to Fix secure Icedove autoconfig wizard in Tails
  • Starter set to No

#3 Updated by sajolida about 4 years ago

  • Priority changed from High to Normal

#4 Updated by intrigeri about 4 years ago

This might be a duplicate of #6157, actually.

#5 Updated by intrigeri about 4 years ago

  • Category set to 212

#6 Updated by BitingBird over 3 years ago

  • Related to Feature #6157: Fix re-test in secure Icedove autoconfig wizard added

#7 Updated by intrigeri over 3 years ago

  • Related to deleted (Feature #6157: Fix re-test in secure Icedove autoconfig wizard)

#8 Updated by intrigeri about 3 years ago

  • Assignee set to kytv
  • Target version set to 246

#10 Updated by intrigeri about 3 years ago

  • Description updated (diff)

#11 Updated by sajolida over 2 years ago

  • Target version changed from 246 to Tails_2.0

#12 Updated by u over 2 years ago

  • Target version changed from Tails_2.0 to Tails_2.2

#13 Updated by u over 2 years ago

  • Target version changed from Tails_2.2 to Tails_2.0

This should actually be done for the release of 2.0 (without the need to be merged into 2.0) so that we can have a working PoC for 2.2.

#14 Updated by intrigeri over 2 years ago

This should actually be done for the release of 2.0 (without the need to be merged into 2.0) so that we can have a working PoC for 2.2.

I guess you meant "so that we can have a working PoC for 2.0", since the goal is to have something good enough to ship in 2.2, while the PoC should be done during the 2.0 cycle.

#15 Updated by kytv over 2 years ago

Are packages (or git repositories) with the Secure Autoconfig Wizard available? As I see it (perhaps wrongly) that there's nothing for me to fix until vendor.name being set to Tails gives us the Secure Wizard.

I don't think I can do anything with this until that time...or am I sadly mistaken?

#16 Updated by u over 2 years ago

The patchset is now in icedove:secure_account_creation-38.0_b2-1. However, keep in mind that these are the patches applied directly to the upstream source. So if you make any modification, please tell me about it, so that I can apply this to the debian/patches I am currently working on.

#17 Updated by u over 2 years ago

  • Related to Feature #6369: Build Debian packages of Icedove 38 with our patches / create proper branch situation added

#18 Updated by kytv over 2 years ago

  • Target version changed from Tails_2.0 to Tails_2.2

#19 Updated by intrigeri over 2 years ago

  • Target version changed from Tails_2.2 to Tails_2.0

Same here, I think I've mislead you somewhat early today, when I asked you to update your Icedove tickets. Sorry about that!

According to the timeline proposed on https://mailman.boum.org/pipermail/tails-icedove/2015-December/000108.html, we want a working PoC of the wizard ready during the 2.0 release cycle, so I think this ticket needs to stay on the 2.0 board for now.

Another option, which is rather what I was implicitly suggesting, would be to make it explicit (by creating new tickets) that the PoC is for 2.0, and that the goal is to have it merged for 2.2.

#20 Updated by u over 2 years ago

  • Target version changed from Tails_2.0 to Tails_2.2

#21 Updated by u over 2 years ago

  • Target version changed from Tails_2.2 to Tails_2.3

#22 Updated by anonym over 2 years ago

  • Status changed from Confirmed to In Progress
  • Assignee changed from kytv to anonym
  • % Done changed from 0 to 30
  • Feature Branch set to feature/6154-secure-autoconfig-in-icedove

I've built packages with the patches applied and done some minimal integration work (mostly fighting with the strange way TorBirdy reads "seeded" prefs) and it actually seems to work. Out of the four methods we allow, I've verified that fetching the config from disk and guessing works. In the Onion Circuits view I could wee that the other two methods (fetch from the service provider, and Mozilla's database) were tried, so I guess they work as well.

#23 Updated by anonym over 2 years ago

  • Type of work changed from Research to Code

Tails wrote:

research why the account creation wizard fails on our custom packages built with this patchset (in feature/icedove), in Tails. Lack of MX query support, perhaps? Keeping in mind that the idea of securing that wizard is to stop trusting DNS, if #6070 is needed to fix this problem, then it's part of this deliverable.

It's unclear to me which parts of the automatic configuration the above refers to, but let's look at the different cases:

  • If it was only the guessing-part, then it is fixed since we added the patch that enables SOCKS support for it.
  • If it also referred to the service provider and Mozilla database lookups, then I have no clue, but they seemingly work now (see previous comment).
  • Regarding MX queries, our patches disables that.

I believe this concludes the research part of this, so => Code.

#24 Updated by anonym over 2 years ago

  • Target version changed from Tails_2.3 to Tails_2.4

#25 Updated by anonym about 2 years ago

  • Status changed from In Progress to Resolved
  • Assignee deleted (anonym)
  • % Done changed from 30 to 100

Also available in: Atom PDF