Hardening K9 done already?

I’ve recently been reading an online privacy website explaining how many setting changes and tweaks (in the config editor) Thunderbird requires in order to minimize tracking, exploits and similar privacy issues. Examples: stripping headers, forbidding older TLS versions, etc.
Some will only help against minor leaks and tracking, but some really do seem very important. The reason for this is simple enough: Thunderbird wants to serve many use cases, so the config has to be different depending on where you are and what you are.

Now here are my two and a half questions:

  • is K9 already built with many privacy issues in mind?
  • do K9 updates address new / additional privacy issues?
  • does K9mail have the ability to make similar changes as the config editor in TB?


is K9 already built with many privacy issues in mind?

I’d say so. But there’s only so much you can do with email.
You’d have to ask more specific questions if you want better answers.

do K9 updates address new / additional privacy issues?

Rarely. Those usually don’t come up very often.

does K9mail have the ability to make similar changes as the config editor in TB?

There’s no separate config editor. All settings can be found in the settings screens.
See also Settings Overview - K-9 Mail

I really appreciate that you took the time to answer. So let me give you a more specific example (-> Q1), even though I worry that I know the answer already:
One can set TB to only accept TLS v1.3 (and no earlier version) for any server connection. Is this possible in K9?
I know there is no setting in the UI dialogs, but could it be that there is a similar setting hidden in the config files?

It depends on your Android version, not K-9:

There’s currently no option to configure that. K-9 Mail will use whatever the Android version supports but blocks SSL 3.0 and a couple of unsafe/outdated ciphers. See thunderbird-android/app/core/src/main/java/com/fsck/k9/helper/DefaultTrustedSocketFactory.java at cba9ca31aa6bdb8911a2787afc145c27cf366bec · thunderbird/thunderbird-android · GitHub

Remember, K9 is not an open listener. It only communicates with the mail servers of your provider(s) as you have defined them for your accounts. You can check which TLS levels those servers support that are compatible with your device.

Going back to your original question.

It could be useful if you gave a specific reference to what you were looking at, so that others can look at the issues raised and consider them in the context of K9.

One of the issues with TB is that it’s really a mail client built on top of a web browser. That can open up issues if things aren’t designed and configured correctly.

With mail, the main privacy issues generally stem from tracking bits embedded in remote images and certain types of URLs.

Many commercial senders use a “pixel” image with embedded tracking information. If you load remote images, these will be pulled from the sender’s server and they will do with the information as they will. The pixel image is most often used to determine if you have opened a message - but obviously you can open a message without loading images and they won’t know that you have opened it.

The other tracking bit is on URLs. With a URL something like:

http:// ... ?_r=d6b85331c7f64991b&_s=e7b5 ...

The information from the “?” on is almost always only tracking. Clicking on the link (and so opening their site with a browser) will give the sender a range of information, based on the type of tracking detail they have coded. This will almost always include who you are - which they know because they sent you the message - but there are other tidbits that they will embed in that coding too. With some URLs the embedded tracking is done in less obvious ways.

With K9 you can long-press on a link and it will display in a popup; from there you can copy it to the clipboard, where you can strip off the tracking. Some URLs are still useful with the tracking stripped, but increasingly they are built in a way so they aren’t. [It depends on the sender’s back-end tracking software.] I often find that for news-type sites it’s simply easier and cleaner to go to their site and find the content directly.
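The manual step described in the post above (copy the link, cut everything from the “?” on, then decide whether what is left still works) is easy to script. The following is an added example and is not code from the thread or from K-9 Mail; the parameter names, hosts and the redirector pattern in the sample links are constructed for illustration. `clean_link` drops the query string and the fragment but lets you keep the few parameters a page genuinely needs (a search term, a page number), and reports what it removed so you can see the tracking payload; `unwrap_redirect` handles the click-tracking case where the real destination is itself carried inside a parameter of a tracking host, which is one of the “less obvious” layouts where simply stripping the query leaves you with a dead link.

```python
"""Strip tracking from links copied out of a mail client (added example)."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def clean_link(url: str, keep: tuple[str, ...] = ()) -> tuple[str, list[tuple[str, str]]]:
    """Drop the query string and fragment of `url`, keeping only the query
    parameters named in `keep`.  Returns (cleaned_url, dropped_parameters) so
    the caller can inspect what the sender attached before visiting the page."""
    parts = urlsplit(url)
    kept, dropped = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        (kept if name in keep else dropped).append((name, value))
    # The fragment (after "#") is never sent to the server, but scripts on the
    # landing page can read it, so it is removed as well.
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return cleaned, dropped


def strip_tracking(url: str, keep: tuple[str, ...] = ()) -> str:
    """Convenience wrapper: just the cleaned URL."""
    return clean_link(url, keep)[0]


def unwrap_redirect(url: str) -> str:
    """Click-tracking redirectors often carry the real destination as a query
    parameter (pattern assumed here: any parameter whose value is an absolute
    http(s) URL).  Return that destination, or `url` unchanged if none is found.
    The returned link may itself still carry tracking; clean it afterwards."""
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.startswith(("http://", "https://")):
            return value
    return url


if __name__ == "__main__":
    # Constructed sample links, in the shape of the example in the post above.
    samples = [
        ("https://news.example.com/story/123?_r=d6b85331c7f64991b&_s=e7b5#open", ()),
        ("https://shop.example.com/search?q=k9+mail&utm_source=newsletter&utm_medium=email", ("q",)),
        ("https://track.example.net/c?id=abc123&u=https%3A%2F%2Fexample.com%2Farticle%3Fpage%3D2", ("page",)),
    ]
    for link, keep in samples:
        cleaned, dropped = clean_link(unwrap_redirect(link), keep)
        print(f"{link}\n  -> {cleaned}\n  dropped: {dropped}")
```

Keep the `keep` tuple short and explicit: anything you do not name is treated as tracking, which matches the post’s rule of thumb and fails safe when a sender invents new parameter names.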

I am basically “thinking” about any one of the following settings in TB (which require attention in TB). It is clear that many do not apply to K9 because of the nature of K9 and the different nature of TB. The problem is, I cannot judge myself which ones do and which ones do not matter in K9.

So here is “one” whole list of critical TB settings …
beacon.enabled false
browser.chrome.site_icons false
browser.chrome.favicons false
browser.display.use_document_fonts 0
browser.cache.disk.enable false
browser.cache.offline.enable false
browser.crashReports.unsubmittedCheck.autoSubmit2 false
browser.formfill.enable false
browser.region.update.enabled false
browser.search.update false
browser.search.suggest.enabled false
datareporting.policy.dataSubmissionEnabled false
datareporting.healthreport.uploadEnabled false
dom.security.https_only_mode true
dom.security.https_only_mode_send_http_background_request false
extensions.getAddons.cache.enabled false
extensions.ui.lastCategory addons://list/extension
javascript.options.baselinejit false
javascript.options.ion false
javascript.options.native_regexp false
mailnews.auto_config.fetchFromExchange.enabled false
mailnews.auto_config.fetchFromISP.sendEmailAddress false
mailnews.auto_config.fetchFromISP.sslOnly true
mailnews.auto_config.guess.sslOnly true
mailnews.display.html_as 1
mailnews.display.prefer_plaintext true
mailnews.headers.showSender true
mailnews.headers.showUserAgent true
mailnews.headers.sendUserAgent false
mailnews.start_page.enabled false
mail.identity.default.compose_html false
mail.inline_attachments false
mail.compose.big_attachments.notify false
mail.html_compose false
mail.openpgp.allow_external_gnupg true
mail.showCondensedAddresses false
mail.smtpserver.default.hello_argument []
media.peerconnection.enabled false
network.connectivity-service.enabled false
network.cookie.cookieBehavior 2
network.dns.disablePrefetch true
network.IDN_show_punycode true
network.http.sendRefererHeader 0
network.prefetch-next false
pdfjs.disabled true
pdfjs.enableScripting false
rss.display.disallow_mime_handlers 3
rss.display.html_as 1
rss.display.prefer_plaintext true
rss.show.content-base 1
security.family_safety.mode 0
security.cert_pinning.enforcement_level 2
security.mixed_content.upgrade_display_content true
security.mixed_content.block_object_subrequest true
security.OCSP.enabled 0
security.ssl.require_safe_negotiation true
security.ssl.treat_unsafe_negotiation_as_broken true
security.ssl3.ecdhe_ecdsa_aes_128_sha false
security.ssl3.ecdhe_ecdsa_aes_256_sha false
security.ssl3.ecdhe_rsa_aes_128_sha false
security.ssl3.ecdhe_rsa_aes_256_sha false
security.ssl3.rsa_aes_128_sha false
security.ssl3.rsa_aes_256_sha false
security.tls.enable_0rtt_data false
services.settings.server https://s.%.c.invalid/v1
browser.safebrowsing.phishing.enabled false
browser.safebrowsing.malware.enabled false
browser.safebrowsing.blockedURIs.enabled false
browser.safebrowsing.downloads.enabled false
browser.safebrowsing.downloads.remote.enabled false
browser.safebrowsing.downloads.remote.block_dangerous false
browser.safebrowsing.downloads.remote.block_dangerous_host false
browser.safebrowsing.downloads.remote.block_potentially_unwanted false
browser.safebrowsing.downloads.remote.block_uncommon false
browser.safebrowsing.downloads.remote.url https://s.%.c.invalid/…
extensions.blocklist.enabled false
mail.collect_email_address_outgoing false
security.tls.version.min 4

Your list is what I expected. Very few of the items are relevant to K9 (not to say that they aren’t relevant to the browser that opens when you select a link from a message).

From a quick scan, only (some of) the “mail.” and “security.” items apply to any “mail-only” client - which includes K9. As I noted (two posts) above, even things like the “ssl” settings are of limited applicability.

In the case of the SSL settings, K9 is communicating with the mail provider’s servers that you have entered. If you could push the TLS requirement up higher than what those servers support, you simply won’t be able to retrieve/send mail. If you don’t like that they only support up to, say, TLS 1.2, you need to take that up with them or change providers; changing K9 settings (if you could) would simply be counterproductive.

Most of the settings are addressed by Android Webview automatically. Whatever is not configured in the module setup is set to restrictive defaults which are regularly reviewed and updated by Google. Think of Webview as a very restrictive Blink implementation.

The cipher suites are handled by the corresponding package I alluded to in my previous post. TL;DR: It depends on the Android version.

So, if you are on current Android and your server supports TLS 1.3, you are already using TLS 1.3.

I do not entirely agree. Consider the following scenario, which has happened to me frequently with Posteo servers. TLS 1.3 is their standard. But for reasons unknown to me, 1.3 is sometimes not available for hours or half a day. When I set TB to a minimum of 1.3 (value 4), my PC simply cannot connect to their server during these times. And that is exactly what I want. If I leave the “negotiation” to TB or K9, I do not even know what is happening behind the scenes.
Therefore setting a minimum version is NOT AT ALL counterproductive, as nj-kill suggested.
And the same could happen with other servers/services, or between TLS 1.2 and TLS 1.1.
Without a controlled setting I simply do not know.

Happy New Year !!
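The two sides of the disagreement above (a fixed minimum version versus whatever the platform negotiates) can both be made visible from the outside: the earlier suggestion was to check which TLS levels your provider’s servers actually accept, and the later post describes a client configured with security.tls.version.min set to 4 (TLS 1.3 only) failing when the server temporarily drops 1.3. The script below is an added example and is not part of the thread, of K-9 Mail or of Thunderbird. It attempts one handshake per TLS version against an implicit-TLS mail port (IMAPS 993, SMTPS 465, POP3S 995 are assumed; STARTTLS ports are not handled), reports what each attempt negotiated, and then evaluates what a client with a given floor would have done with that result. Certificate and hostname verification stay switched on, as a mail client’s would be.

```python
"""Probe a mail server's TLS versions and apply a client minimum (added example)."""
import socket
import ssl

# Display name -> ssl.TLSVersion, oldest first.
VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}
ORDER = tuple(VERSIONS)


def context_for(name: str) -> ssl.SSLContext:
    """Context that negotiates exactly TLS `name` (minimum == maximum), with
    the default CA bundle and hostname checking left enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    return ctx


def probe(host: str, port: int, timeout: float = 5.0) -> dict[str, tuple[bool, str]]:
    """One handshake attempt per TLS version against an implicit-TLS port.
    Returns {version: (negotiated?, detail)}.  Note that a 'no' for 1.0/1.1
    can also come from the probing machine's own OpenSSL security level,
    which on many distributions refuses to offer those versions at all."""
    results: dict[str, tuple[bool, str]] = {}
    for name in ORDER:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with context_for(name).wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = (True, f"negotiated {tls.version()} / {tls.cipher()[0]}")
        except ssl.SSLError as e:          # refused version, bad cert, local policy
            results[name] = (False, e.reason or str(e))
        except OSError as e:               # reset mid-handshake, timeout, no route
            results[name] = (False, f"connection failed: {e}")
    return results


def would_connect(results: dict[str, tuple[bool, str]], minimum: str) -> bool:
    """What a client with a fixed floor does with the probe result: it only
    connects if the server negotiated some version at or above `minimum`
    (Thunderbird's security.tls.version.min=4 corresponds to minimum="1.3")."""
    floor = ORDER.index(minimum)
    return any(ok for name, (ok, _) in results.items() if ORDER.index(name) >= floor)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <mail-host> <implicit-tls-port, e.g. 993>")
    host, port = sys.argv[1], int(sys.argv[2])
    found = probe(host, port)
    for name, (ok, detail) in found.items():
        print(f"TLS {name}: {'yes' if ok else 'no '}  {detail}")
    for floor in ("1.2", "1.3"):
        verdict = "connects" if would_connect(found, floor) else "refuses to connect"
        print(f"client with minimum TLS {floor}: {verdict}")
```

Run it repeatedly against your provider (for example from cron) and you get exactly the visibility the last post asks for: a record of which versions the server offered at each point in time, independent of what any particular client silently negotiated.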