It has been noted that there is a quite important privacy leak in the
"X-Enigmail-Version:" header, which usually contains very sensitive
information regarding the software version used.
The X-Enigmail-Version header is added to ALL email sent by Thunderbird, whether encrypted or unencrypted.
In the age of the NSA's XKEYSCORE, this kind of information does provide a very
An adversary capable of massively monitoring communications, and of profiling who
encrypts their email, can record the exact version of the encryption
software used and wait for a vulnerability to be found in it.
When a vulnerability is found for the exact version of the encryption software
in use, the adversary can exploit the "exposure window" thanks to its prior
knowledge of the end-point's encryption software weakness.
This ticket is to improve Enigmail so that it does not insert any kind of header that would enable an adversary to profile and monitor the end user's software.
A discussion on this issue started on the liberationtech mailing list at https://mailman.stanford.edu/pipermail/liberationtech/2013-November/012239.html , with early identification by Tramaci of OnionMail http://onionmail.info/ .
This issue has been fixed in the Tor Project's version of Thunderbird, TorBirdy, which hardens the security of Enigmail: https://trac.torproject.org/projects/tor/wiki/torbirdy .
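As an added example (not part of this ticket, of Enigmail or of TorBirdy), a small Python check that audits a message's headers for software-version disclosure such as the X-Enigmail-Version header described above, and produces a copy with those headers removed. The header list and the sample message are constructed for illustration.

```python
import email
import re
from email import policy

# Headers known to reveal the client software and its version (constructed
# list; X-Enigmail-Version is the header this ticket is about, X-Mailer and
# User-Agent are other common client fingerprinting headers).
FINGERPRINT_HEADERS = {"x-enigmail-version", "x-mailer", "user-agent"}

# A dotted version number such as 1.6 or 24.1.0 inside a header value.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def find_version_leaks(msg):
    """Return (header, value) pairs that disclose client software.

    A header is reported if it is a known fingerprinting header, or if it is a
    non-standard (X-) header whose value carries a dotted version number.
    """
    leaks = []
    for name, value in msg.items():
        lowered = name.lower()
        if lowered in FINGERPRINT_HEADERS:
            leaks.append((name, str(value)))
        elif lowered.startswith("x-") and VERSION_RE.search(str(value)):
            leaks.append((name, str(value)))
    return leaks


def strip_version_leaks(raw):
    """Parse raw RFC 5322 text; return (sanitized_text, removed_headers)."""
    msg = email.message_from_string(raw, policy=policy.default)
    leaks = find_version_leaks(msg)
    for name, _ in leaks:
        del msg[name]  # removes every instance of that header name
    return msg.as_string(), leaks


# Constructed sample: an unencrypted message carrying the header this ticket
# describes, plus a User-Agent header naming the mail client version.
SAMPLE = """From: alice@example.org
To: bob@example.net
Subject: hello
X-Enigmail-Version: 1.6
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Thunderbird/24.1.0
Content-Type: text/plain; charset=utf-8

just a plain message
"""

if __name__ == "__main__":
    cleaned, removed = strip_version_leaks(SAMPLE)
    for name, value in removed:
        print(f"removed {name}: {value}")
    print(cleaned)
```

Running the same check over a sent-mail folder shows at a glance which clients in an organisation still emit version headers.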