GitHub - boredsquirrel/Thunderbird-hardening-automation: Automatically update secure settings for Thunderbird, configure them to your needs
github.com
Automatically update secure settings for Thunderbird, configure them to your needs - boredsquirrel/Thunderbird-hardening-automation

currently doing a fix of the code, wait for the 0.2 release!

Thunderbird is great, but very complex and possibly insecure and not private.

Threat model is an important key word here. Imagine you would write Mails over Tor/Tails only and need a secure Mail client.

(Btw I can recommend Carburetor Flatpak for that).

Because of this, the thunderbird hardening user.js, similar to the Arkenfox project exists.

But it is a bit too strict for most threat models. Also settings might change or break, and this has no automatic updating mechanism.

(I should upstream the updater)

The user.js is also just a template, so a ton of mostly not needed configs will stay there.

This project makes the setup of the hardening user.js easy.

Once setup, the script is placed in ~/.local/bin and a user systemd service runs it every once in a while.

You can comment out lines if you want to keep certain settings.

  • thingsiplay@beehaw.org
    1·
    25 days ago

    Hey, I’m not trying to convince you, just wanted to mention something more to think about. Sometimes fail-safeness is truly the better way. But is it in this case too? I mean if the script fails at once with a single sed command, then it means the file is not manipulated. If you have bunch of sed commands and one or two fails, then you have maybe 90% success commands and a few that did not work. That means the script edited the file in a state that was not intended to be. However, if it is a single command and fails all at once, at least the file is preserved as it is.

    I don’t know enough about this project to know whats important and appropriate in your case. I mean if its okay that commands “fail”, then keep it this way.

    • boredsquirrelOP
      2·
      24 days ago

      In this specific case it is not how this works.

      It modifies lines searching for unique strings. If the string is not found, then it was maybe removed.

      (The user.js handles removals normally by commenting things out, so I might actually use a single command).

      If something was not found then it doesnt need to be changed, everything fine.

      The result is a user.js from a good template, with all the settings applied that I knew. Maybe something new was added and that is unchanged.

      The alternative would be not updating the config at all, which means no response to Mozilla adding weird stuff to it.

      Firefox is a more moving target here.

      I will implement a persistent GUI error message if something failed.