TorBirdy Tutorial | Email Over Tor
Category: messagingA 4 Minute Read
14 Jan 2014
This may be the fourty-seventh time that I've said it, but email is easily one of the most important components of our online lives. The problem with this is that email is a terrible, terrible service when it comes to privacy. One of these problems is in the way it handles your IP. For example, whenever you go to check your email, your email provider knows the IP address that you check it from. And even more importantly, whenever you send an email your IP address is imprinted within the header of the message, meaning that whoever receives an email from you knows your IP address. Some services strip the IP address from the header, but not all. TorBirdy is a tool which lets you circumvent this problem, and greatly increases your anonymity when it comes to using email. Hell, even if your email service does strip IP addresses, it's still a useful tool!
What Is TorBirdy?
TorBirdy is a Mozilla Thunderbird add-on (meaning it also works for IceDove) which makes a few security optimizations to Thunderbird, and reroutes your mail through the Tor network. Routing your mail through Tor means that your emails will be bounced around three different computers across the globe before finally being sent to your email service. What this accomplishes is anonymity, meaning that your email provider, and the recipient of the email, will see your IP address as being from a random location on some part of the Earth instead of coming from your actual location. The obvious use of this is that if you set up an email account over Tor, and check it using TorBirdy, then there is no way to relate it back to you other than by reading the contents of the emails themselves (so obviously don't send emails to, or receive emails from, anyone that correlates the hidden Tor identity to your real one).
Of course, this doesn't make your email detached from your identity if you've used the account without Tor before. If you sent an email and the police were to investigate it, they'd see the account it came from and could look up the contents of other emails and the IP history. Therefore they could most likely figure out the identity of the sender. But this still doesn't negate the benefits that TorBirdy provides. One of the examples that the TorBirdy website gives is of someone who frequently travels and does not want to disclose the location of everywhere they go. While this example is good, it may not be applicable those of us who don't travel often. So I would think of it this way: TorBirdy is good for anyone that checks their email from multiple locations. For example, if you check your email at home in the morning, then check it at Starbucks on the way to work, then check it at work, and then at home again, this paints a very clear picture of where you went throughout the day. What TorBirdy does is obfuscates this so that if someone were to look into where you used your email from they wouldn't gain any useful or descriptive information other than the time it was checked at. While some may say this is just a small amount of metadata, it is small steps such as these these that go towards making it more difficult for companies or governments to assemble profiles of our lives.
So TorBirdy Hides My IP? What Else?
TorBirdy makes a few other optimizations to Thunderbird's security by resetting some of your preferences. Firstly, TorBirdy will disable both the sending as well as the receiving of HTML email. This is because HTML poses some security risks and can compromise your identity. Therefore, all emails will be in plaintext. Also, TorBirdy will set the time of your emails to be in UTC(+0000) instead of your local time zone to prevent your region from being revealed. Lastly, TorBirdy will prohibit Thunderbird from fetching emails automatically. Instead, to receive emails you will have to manually do so by clicking the "Get Mail" button. The reason for this is that when you start up Thunderbird, it automatically logs into your last used mail account. Therefore, to give more control to the user in what they reveal, TorBirdy disables this. It is important to note that TorBirdy does not recommend changing any of these settings unless you are an advanced user, as some settings will have a ripple effect which may compromise your identity and render TorBirdy useless.
Alright, What's the Catch?
The Catch? Well, TorBirdy requires Tor to be running. This could happen by either installing Tor onto your system, or just by downloading and running the Tor Browser Bundle, which is a fantastic tool that you are probably already running if you're reading this. The second catch is that TorBirdy limits which add-ons you can install (again, this comes down to some add-ons breaking your anonymity). TorBirdy claims that Enigmail and Lightning are safe to run, but others pose a risk.
In the end, email is a terribly broken system that needs replacement. Nevertheless, it seems like it's going to be here for a while. So grab whatever privacy you can. Go install TorBirdy, and take back your metadata.