Feature #7626: Investigate using Thunderbird & TorBirdy as the RSS reader

Feature #7626

Investigate using Thunderbird & TorBirdy as the RSS reader

Added by intrigeri 2014-07-20 15:15:17 . Updated 2018-07-22 01:51:31 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

2016-05-05

Due date:

% Done:

100%

Feature Branch:

Type of work:

Security Audit

Blueprint:

Starter:

Affected tool:

Feed Reader

Deliverable for:

Description

This should be done against the questions raised in https://trac.torproject.org/projects/tor/wiki/torbirdy#IsitsafetosubscribetoRSSfeedswithThunderbirdandTorBirdy:

Is automatic fetching disabled?
Is HTML disabled?
Is JavaScript disabled?
Are proxy settings respected? (this is out of scope as far as Tails is concerned so not stricly required as part of this ticket)
Are there other anonymity implications?

Sukhbir said he started working on this already, and created https://trac.torproject.org/projects/tor/ticket/19031 to track this.
anonym answered he would have time to work on this any time soon.

Subtasks

Related issues

Related to Tails - ~~Feature #5663~~: Return to Icedove	Resolved	2013-10-16
Related to Tails - ~~Feature #7625~~: Persistence preset: RSS feeds	Duplicate	2014-07-20
Related to Tails - ~~Feature #11399~~: Audit Icedove and TorBirdy as feed reader in Tails	Duplicate	2016-05-05

History

#1 Updated by intrigeri 2014-07-20 15:15:51

related to ~~Feature #5663~~: Return to Icedove added

#2 Updated by BitingBird 2015-01-07 18:43:40

Affected tool set to Email Client

#3 Updated by sajolida 2016-02-08 17:55:38

I’m using it myself already. It works fine but I’m not volunteer for more than testing :)

#4 Updated by sajolida 2016-04-25 06:10:02

Parent task deleted (~~~~Feature #7625~~~~)

#5 Updated by sajolida 2016-04-25 06:10:20

Parent task set to ~~Bug #11082~~

#6 Updated by sajolida 2016-04-25 06:14:39

Type of work changed from Test to Discuss

What would it actually take to validate Icedove as the new recommended RSS feed reader? It works for me but do we want to:

Do some security audit? Liferea was becoming scarry because it allows JavaScript (~~Bug #9429~~). Does this apply to RSS feeds in Icedove with TorBirdy? Personally I see only plain text when checking my feeds in Icedove.
Look for other features that Liferea had and Icedove might be missing?
Could we find volunteers to do check this?

Marking this as a discussion for the next meeting so we agree on the requirements for removing Liferea from the ISO.

#7 Updated by intrigeri 2016-04-30 06:33:49

> * Do some security audit? Liferea was becoming scarry because it allows JavaScript (~~Bug #9429~~). Does this apply to RSS feeds in Icedove with TorBirdy? Personally I see only plain text when checking my feeds in Icedove.

One the one hand, if we deem it’s good enough for dealing with untrusted content coming from email, it can as handle it for content from RSS feeds. OTOH, IIRC TorBirdy disables HTML email support (and thus, scary things like JavaScript) by default; right? Does it do the same for RSS feeds? (“I see only plain text” suggests it does, but if would be nice if it was confirmed by looking at the code.)

> * Look for other features that Liferea had and Icedove might be missing?

I don’t think it’s worth it. To be perfectly blunt: I personally doubt that anyone actually uses Liferea in Tails.

#8 Updated by sajolida 2016-04-30 11:25:43

Type of work changed from Discuss to Security Audit
Starter deleted (No)

Sure, so what needs to be done is to check the handling of RSS in TorBirdy’s code. Changing the Type of Work accordingly.

Actually they have an FAQ marked as TODO about this: https://trac.torproject.org/projects/tor/wiki/torbirdy#IsitsafetosubscribetoRSSfeedswithThunderbirdandTorBirdy

So I sent a mail to Sukhbir to pick his brain about initial issues, pointers, etc.

#9 Updated by sajolida 2016-05-09 11:46:33

Affected tool changed from Email Client to Feed Reader

#10 Updated by Anonymous 2016-05-16 05:54:48

Sukhbir started to modify the TorBirdy code recently:

To disable checking of new articles on startup and after a fixed interval, add an overlay which disables both these settings after a new RSS account is created. This is similar to what we are doing with the manual email configuration wizard.
Disable HTML for RSS feeds

see https://github.com/ioerror/torbirdy/commits/master commits from may 11th and 12th 2016.

#11 Updated by intrigeri 2017-05-16 10:12:58

Assignee set to anonym
Target version set to Tails_3.0

We’re seeing issues in 3.0~betaN with Liferea, and we prefer spending our time moving to Thunderbird instead of debugging Liferea.

#12 Updated by anonym 2017-05-16 15:34:04

Target version changed from Tails_3.0 to Tails_3.2

#13 Updated by intrigeri 2017-06-29 10:34:05

blocks ~~Feature #13234~~: Core work 2017Q3: Foundations Team added

#14 Updated by Anonymous 2017-06-30 08:35:41

related to ~~Feature #7625~~: Persistence preset: RSS feeds added

#15 Updated by Anonymous 2017-06-30 08:38:49

Subject changed from Investigate using Icedove as the RSS reader to Investigate using Thunderbird & TorBirdy as the RSS reader
Description updated

#16 Updated by Anonymous 2017-06-30 08:40:25

related to ~~Feature #11399~~: Audit Icedove and TorBirdy as feed reader in Tails added

#17 Updated by intrigeri 2017-09-07 06:57:53

Target version changed from Tails_3.2 to Tails_3.5

#18 Updated by intrigeri 2017-09-07 06:58:08

blocked by deleted (~~~~Feature #13234~~: Core work 2017Q3: Foundations Team~~)

#19 Updated by Anonymous 2017-09-07 08:04:02

u wrote:
> Sukhbir started to modify the TorBirdy code recently:
>
> * To disable checking of new articles on startup and after a fixed interval, add an overlay which disables both these settings after a new RSS account is created. This is similar to what we are doing with the manual email configuration wizard.

This is currently working in Torbirdy from Stretch.

> * Disable HTML for RSS feeds

This works correctly too.

#20 Updated by Anonymous 2017-09-07 08:17:20

automatic fetching is disabled
html is disabled
here is what I can see in Apache logs:
```
  217.182.76.240 - - [07/Sep/2017:10:13:25 +0200] "GET /feed/ HTTP/1.1" 200 7659 "-" "-"
```
where the IP does not belong to me but to an Exit node in Poland (https://atlas.torproject.org/#details/D04E504062AAF76E5E353AF24DC5F30D9A19E7CD)
-> so proxy settings seem to be correct.
javascript is not enabled

Looks good!

The only downside I see is the UX for adding a feed which works but at first sight it’s hard to find what you need to do and where.

#21 Updated by intrigeri 2017-12-02 10:59:24

FWIW I’ve switched my personal RSS/Atom setup to Thunderbird (outside of Tails, on Debian sid) a couple days ago. I’ll be happy to share feedback about how it works for me if it helps, after I’ve used it for a month or three.

#22 Updated by sajolida 2017-12-05 12:42:05

I also switched the feed reader of my Debian to Thunderbird some weeks ago to take it back under control.
On my Tails I’ve been using Thunderbird exclusively for years.

#23 Updated by intrigeri 2017-12-07 12:51:04

Assignee deleted (~~anonym~~)
Target version deleted (~~Tails_3.5~~)

#24 Updated by intrigeri 2018-07-22 01:51:32

Status changed from Confirmed to Resolved

We’ve made a decision already, see ~~Bug #11082~~.