# Setting Up Torbirdy

In this earlier posting, I wrote that I was setting up an old, garbage-grade laptop, to connect entirely through Tor. And one of my motivations has to do with the TAILS USB-stick, in that I am trying to establish that this USB-stick cannot really be of such immense benefit to whoever is using it, as is claimed, and that therefore, Edward Snowden cannot also have gotten much use out of TAILS.

Further, I think we can see that in recent years, the way in which PCs react to inserted, ‘Live USB-sticks’ has also changed, so that our chances of finding a host machine which will boot from such a pen-drive, but without the consent or knowledge of its owner, are also quite slim. An actual laptop bypasses that problem.

What I think I found, was that most of the services which we could connect to – including IRC Servers – detect that we are connecting to them from a remote IP address that belongs to a Tor gateway – a so-called “Exit-Node” – and if we are authenticated, ban the user, or otherwise just block the user.

What I had written though, was that in addition to being able to use the Web-browser, I wanted my own laptop to be able to perform one additional task. And so I had found that a mailbox service exists called mailbox.org, and that it runs its own Tor Exit-Node internally, for which reason we could send and receive email with them, once we have set up and paid for an account.

What I discovered, is that this not only works in theory, but actually does in practice. We need to install an ‘Icedove / Thunderbird’ extension named “Torbirdy” to get that to work, but it does finally work.

I do know that there exists a Debian package ‘xul-ext-torbirdy’, as of Jessie, which some people might see as the more-secure way to install Torbirdy. But I had two problems with this:

• My laptop is based on Debian / Wheezy, which did not have this package yet,
• These package-installed XUL extensions are often not up-to-date, for full compatibility with the package-installed, Firefox or Icedove versions. The only exception I positively know of, is ‘Enigmail’.

At some point in the past, I needed to uninstall all the ‘xul-ext-…’ -extensions, and reinstall their up-to-date versions in user-space.

There is a practical note to getting Torbirdy to work however, which I needed to resolve. The local machine could have Tor configured in different ways, and this Icedove extension assumes just one arbitrary Tor-daemon configuration to connect to. We need to configure the extension itself, to tell it which port number our Tor-daemon is listening on, if not which IP address, before Torbirdy will connect.

But once I overcame that hurdle, I was able to connect. I happen to be using the Hidden Tor Service URL of mailbox.org, instead of the open IMAP Server URL, because with the Hidden Tor Service, I am more likely to get to the IMAP Server, using the correct, assigned Exit-Node. One problem which plagues Tor, is Man-In-The-Middle Attacks, which have in fact been run by dishonest Exit-Nodes.

Also, it is possible to set a computer-wide HTTP Proxy. The ‘http://’ URL-Form is not only used for Web-browsers and sites, but also for a plethora of services that provide data in response to REST Requests, etc. And so there are ultimately more services which we could connect to, if we tried hard enough.

I also derived a little script, which can be used once the laptop is set up, to block all non-Tor data-output completely. This version of the script has an option, which will deliberately allow for some DNS leaks if uncommented.


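```bash
#!/bin/bash

# Let's save typing and confusion with variables
IPTABLES=/sbin/iptables
# First nameserver listed in resolv.conf (only used by the optional DNS rule)
DNSSERVER=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)

# Start from an empty OUTPUT chain and drop everything by default
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT DROP

# Only the Tor daemon's own user, and the loopback interface, may send
$IPTABLES -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
$IPTABLES -A OUTPUT -j ACCEPT -o lo

# Local LAN subnet; traffic to it does not go through Tor
$IPTABLES -A OUTPUT -j ACCEPT -p udp -d 192.168.2.0/24
$IPTABLES -A OUTPUT -j ACCEPT -p tcp -d 192.168.2.0/24

# Optional: uncomment to allow direct queries to the DNS server (DNS leaks)
# if [ -n "$DNSSERVER" ] ; then
#     $IPTABLES -A OUTPUT -j ACCEPT -d ${DNSSERVER}/32
# fi

# $IPTABLES -L -v
```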




The following line can be added to ‘/etc/tor/torrc’:


```
DNSPort 53
```



which will cause Tor to act as the DNS-server remotely, not from the visibility of the local machine. Then, we can designate ‘127.0.0.1’ to be our DNS-server, to which end we can also give the command


```bash
chattr +i /etc/resolv.conf
```



to prevent our DNS-server assignment from being overwritten. Obviously, these two configuration options are mutually exclusive.
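As an added example (not part of the original script), the following checks whether an `iptables -S OUTPUT` listing still matches the rule set above, and whether `resolv.conf` points only at the local Tor DNSPort. The function names, the uid 107 for debian-tor and the resolver address 203.0.113.53 are assumptions made for the constructed sample.

```bash
#!/bin/bash
# Added example: audit an OUTPUT chain listing and resolv.conf for non-Tor egress.

# audit_output_chain TOR_UID LAN_CIDR: reads `iptables -S OUTPUT` text on stdin,
# prints one finding per line, and succeeds only if there are none.
# The body runs in a subshell "( )" so its variables stay local.
audit_output_chain() (
    tor_uid="$1"; lan="$2"; policy_ok=0; findings=0
    while IFS= read -r line; do
        case "$line" in
            "-P OUTPUT DROP") policy_ok=1 ;;
            *"-j ACCEPT"*)
                case "$line" in
                    *"--uid-owner $tor_uid "*|*"-o lo "*|*"-d $lan "*) ;;  # expected
                    *) echo "unexpected ACCEPT: $line"; findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    if [ "$policy_ok" -ne 1 ]; then
        echo "default policy DROP not found"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
)

# resolver_is_local FILE: succeeds only if FILE has at least one nameserver
# entry and every one of them is a loopback address (the DNSPort setup).
resolver_is_local() {
    awk '$1 == "nameserver" { n++; if ($2 !~ /^127\./ && $2 != "::1") bad++ }
         END { exit !(n > 0 && bad == 0) }' "$1"
}

# Constructed sample: the rule set above as `iptables -S OUTPUT` lists it,
# with debian-tor shown as numeric uid 107 (assumed value).
SAMPLE_TIGHT='-P OUTPUT DROP
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.2.0/24 -p udp -j ACCEPT
-A OUTPUT -d 192.168.2.0/24 -p tcp -j ACCEPT'
# Same chain with the optional DNS rule uncommented (constructed address).
SAMPLE_LEAKY="$SAMPLE_TIGHT
-A OUTPUT -d 203.0.113.53/32 -j ACCEPT"

# Live use, as root:
#   iptables -S OUTPUT | audit_output_chain "$(id -u debian-tor)" 192.168.2.0/24
#   resolver_is_local /etc/resolv.conf
printf '%s\n' "$SAMPLE_LEAKY" | audit_output_chain 107 192.168.2.0/24 || true
```

Any rule reported as an unexpected ACCEPT is a path by which traffic can leave the machine without passing through the Tor daemon.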

Dirk

(Edit 12/25/2016 : ) One peculiarity that Icedove will exhibit, once we have installed Torbirdy, is that certain behaviors of the client application are altered, in ways that are deemed ‘safer’ in a potentially-hostile data-environment, from how we normally expect email-clients to be set up.

One of the numerous altered behaviors, is that once we have started the email client, it will no longer go directly to the Inbox of our default email account, when that is the mailbox.org account. I made lengthy efforts to change this behavior in the GUI, and observed with each restart of the application, that my changes were ignored. In fact, if mailbox.org is as well-managed as I imagine they are, some of their data-specialists might be scratching their heads, as to why this one registered user is connecting so many times in a row, and doing so repeatedly via Tor, and not sending or receiving any emails.

This one problem can be solved, by going into ‘Edit -> Preferences -> Advanced -> Config Editor’, and searching specifically for torbirdy settings. There is one which needs to be set to True, if we want Icedove to go directly to our Inbox when started.

Under Windows, this settings window can be found under ‘Tools -> Options -> Advanced -> Config Editor’.

There is another changed behavior which is truly ‘safer’, which is to prefer that a message be displayed at first in plaintext, even if an HTML version is available. This is a setting which belongs to Icedove, and if we do change it, during the next restart of the application, Torbirdy will just change it back again.

Normally, we change this from the GUI, from the ‘View Menu’, as we like, thus affecting the same settings in the Config Editor. If there is an HTML version available, we can still choose to view it once. Only, what we expect from Icedove, is that any changes we make to this setting will be remembered. Now they will not.