I wonder how I can be surprised to learn that #Mozilla's #Thunderbird collects telemetry info (including your mail domain) and shares it with partners such as #Amazon.
It's obvious they spy on your mails! 🤦♂️
Indeed, in case of a crash, they even send to "their" #AWS servers crash reports containing a memory dump with sensitive data.
This likely includes your emails in clear, your private encryption keys¹, and everything else the program has loaded and kept in memory.
What does this mean for a hypothetical attacker that can access such reports?
I mean... like a #USA agency arguing that you might be a terrorist or something.
Oh but sure... they shall do no evil...
https://www.mozilla.org/en-US/privacy/thunderbird/
#Privacy #Freedom #hypocrisy #Security #infosec
_____
1) Since version 68, Thunderbird does not use the #GPG suite via #Enigmail, but does encryption directly "to avoid licensing issues" 🤷♂️
@rysiek@mastodon.technology @mala
No, indeed I surprised myself by being surprised by #Mozilla's bad faith.
I mean: ok, #Firefox is a surveillance tool marketed as a privacy friendly browser, but it's "just" a browser.
But I was STILL thinking that good old #Thunderbird (which I haven't used in decades but still suggested to others) was safe!
It's not.
#Telemetry is not just on by default: all data are also received by #Mozilla through #AWS servers.
I really think such kind of defaults should be forbidden by law. And in fact they are forbidden by #GDPR as all data collection must be opt-in not opt-out.
Curiously, crash reports are disabled by default (as far as I can read online) so at least people are less likely to send them cryptographic keys in clear in a memory dump.
But the fun fact is that if you enable crash reports in the hope of letting them improve a privacy friendly MUA, you sacrifice your security (and your peers' security, exposing them to social engineering) to improve a surveillance software.
Indeed Thunderbird is sending back your interaction activities, so the fact that mails sent without #E2EE can be intercepted is totally irrelevant.
@rysiek@mastodon.technology @mala
*about:profiles
And it is in prefs.js of the profile folder. about:config allows access in the browser, but that is manual.
@Shamar
Debian seems to have them off in the prefs.js file, which indicates they put in some effort to keep telemetry junk out of the binary apt version. But doing "apt source" should give a version that you can compile on your own.
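As an added example (not code posted in this thread), a small Python checker that reads a prefs.js or user.js from a Thunderbird profile (the folder about:profiles points to, as mentioned above) and reports whether the telemetry switches are pinned off, pinned on, or left unset so the build's compiled-in default applies. The pref names are assumed from Mozilla's toolkit; the thread itself does not name them.

```python
import json
import re

# Assumed pref names (Mozilla toolkit telemetry / data-reporting switches).
# The thread above names none of them, so treat this list as an assumption.
TELEMETRY_PREFS = (
    "toolkit.telemetry.enabled",
    "datareporting.healthreport.uploadEnabled",
    "datareporting.policy.dataSubmissionEnabled",
)

# Matches one line of prefs.js / user.js:  user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js-style text into {name: value}. Values use JSON syntax
    (true/false, numbers, "strings"), so json.loads decodes them."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines and malformed lines are skipped
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep the raw text rather than dropping the pref
    return prefs


def telemetry_status(prefs):
    """Return 'off', 'on' or 'unset' per switch. 'unset' means the file does not
    pin the pref, so whatever default the binary was built with applies."""
    status = {}
    for name in TELEMETRY_PREFS:
        if name not in prefs:
            status[name] = "unset"
        else:
            status[name] = "on" if prefs[name] is True else "off"
    return status


# Constructed sample, not a real profile: two switches pinned off, upload unset.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);
user_pref("mail.identity.id1.useremail", "alice@example.org");
"""

if __name__ == "__main__":
    for name, state in telemetry_status(parse_prefs(SAMPLE_PREFS_JS)).items():
        print(f"{state:5}  {name}")
```

Note that the application rewrites prefs.js on exit, so pin overrides in user.js (read at startup) if they must survive.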
In the #Thunderbird #privacy notice that nobody is expected to read: https://www.mozilla.org/en-US/privacy/thunderbird/
```
Thunderbird May Disclose Information To:
Amazon Web Services: Thunderbird uses Amazon Web Services (AWS) to host its servers and as a content delivery network. Your device’s IP address is collected as part of AWS’s server logs.
```
I assume they receive and manage the crash reports on "their" servers that accidentally are owned by #Amazon.
@rysiek@mastodon.technology
@Shamar @rysiek here you go, here's more info: https://socorro.readthedocs.io/en/latest/overview.html
@Shamar @rysiek@mastodon.technology @mala A couple of points... 1) When you actually read their policy it's not all that shocking. I would agree it's annoying that telemetry is on by default, but you can opt out if you like. 2) Literally any communication that isn't end-to-end encrypted can be intercepted by any third party, not just the company that made your email client.