I’ve been recently reading a online privacy website explaining how many setting changes and tweaks (in the config editor) Thunderbird requires, in order to minimize tracking, exploits and similar privacy issues. Examples : stripping headers, TLS versions forbidden, etc.
Some will help minor leaks and tracking, but some do really seem very important. The reason for this is simple enough. Thunderbird wants to serve many use cases, so the config has to be different depending on where you are and what you are.
Now here is my two and a half questions:
is K9 already built with many privacy issues in mind ?
do K9 updates address new / additional privacy issues ?
does K9mail have the ability to make similar changes as the config editor in TB ?
Really appreciate you took the time to answer. So let me give you a more specific example (-> Q1), even so I worry that I know the answer already:
one can set TB to only accept TLS v1.3 (and no earlier version) for any server connections, is this possible in K9 ?
I know there is no setting in the UI’s dialogs, but could it be that there is a similar setting hidden down in the config files ?
remember, K9 is not an open listener. it only communicates with the mail servers of your provider(s) as you have defined for your accounts. you can check the TLS levels it supports that are compatible with your device.
it could be useful if you gave a specific reference to what you were looking at so that other’s can look at the issues raised and consider them in the context of K9.
one of the issues with TB is that it’s really a mail client built on top of a web browser. that can open up issues if things aren’t designed and configured correctly.
with mail the main privacy issues generally stem from tracking bits embedded in remote images and certain types of urls.
many commercial senders use a “pixel” image, with embedded tracking information. if you load remote images these will be pulled from the sender’s server and they will do with the information as they will. the pixel image is most often used to determine if you have opened a message - but obviously you can open a message without loading images and they won’t know that you have opened it.
the other tracking bit is on urls. with a url something like:
http:// ... ?_r=d6b85331c7f64991b&_s=e7b5 ...
the information from the “?” on is almost always only tracking. clicking on the link (and so opening their site with a browser) will give the sender a range of information, based on the type of tracking detail they have coded. this will almost always include who you are - which they know because they sent you the message, but there are other tidbits that they will embed in that coding too. with some urls the embed tracking is done in less obvious ways.
with K9 you can long-press on a link and it will display in a popup and from there copy it to the clipboard where you can strip off the tracking. some urls are still useful with the tracking stripped, but increasingly they are built in a way so they aren’t. [it depends on the sender’s back-end tracking software.] i often find that for news types sites it’s simply easier and cleaner to go to their site and find the content directly.
I am basically “thinking” about anyone of the following settings in TB (which require attention in TB). It is clear that many do not apply to K9 because of the nature of K9 and the different nature of TB. The problem is, I cannot judge myself which ones do, and which ones do not matter in k9.
your list is what i expected. very few of the items are relevant to K9 (not to say that they aren’t to the browser that you have it open when you select a link from a message).
from a quick scan, only (some of) the “mail.” and “security.” items apply to any “mail-only” client - which includes K9. as i noted (two posts) above, even things like the “ssl” settings are of limited applicability.
in the case of the ssl settings, K9 is communicating with your mail provider’s servers that you have entered. if you could push the TLS requirement up higher than what those server support you simply won’t be able to retrieve/send mail. if you don’t like that they only support up to say, tls 1.2, you need to take that up with them, or change providers, changing K9 settings (if you could) would simply be counterproductive.
Most of the settings are addressed by Android Webview automatically. Whatever is not configured in the module setup is set to restrictive defaults which are regularly reviewed and updated by Google. Think of Webview as a very restrictive Blink implementation.
The cipher suites are handled by the corresponding package I alluded to in my previous post. TL;DR: It depends on the Android version.
So, if you are on current Android and your server supports TLS 1.3, you are already using TLS 1.3.
I do not entirely agree. Consider the following scenario which has happened to me frequently using Posteo servers. TLS 1.3 is their standard. But for reasons not known to me 1.3 is sometimes not available for hours or half a day. When I set TB to a minimum of 1.3 (value 4), my PC simply cannot connect to their server during these times. And that is exactly what I want. If I leave the “negotiation” to TB or K9 I do not even know what is happening behind the scenes.
Therefore setting a minimum version is NOT AT ALL counterproductive as nj-kill suggested.
And the same could happen with other servers/services or between TLS 1.2 and TLS 1.1
Without a controlled setting I do simply not know.