Protecting the contents of the profile - mail

From MozillaZine Knowledge Base
Jump to navigationJump to search
This article was written for Thunderbird but also applies to Mozilla Suite / SeaMonkey (though some menu sequences may differ).

All of your messages are normally stored in text files within your profile folder. Somebody else could read them using Thunderbird or by viewing the appropiate file with a text editor. If you want to prevent this the first thing you need to do is decide how much effort to protect your messages is appropiate. The easiest option is to password-protect the profile with an extension, but this is trivial to bypass.

Several methods to consider:

Weak methods

  • The ProfilePassword extension requires a user to enter a password in order to use the profile. It is trivial to bypass by running in safe mode (to disable the extension) or by using a text editor such as Notepad to read the text files that Thunderbird stores the messages in. This method may be sufficient if other people accessing the same computer are not technical or if they are unlikely to deliberately snoop.
  • The DiddlyDo extension password protects one or more folders, rather than the entire profile. The web page implies it only supports 1.0 or earlier but its known to work with 1.5.0.7. This thread describes how to configure it. It can be bypassed just like the other extension.
  • The master password is meant to protect your stored passwords, not your profile. If you configure one it will prompt the user for a master password when they run Thunderbird. However, if you press the X control or the cancel button three times its replaced by a prompt for the accounts password , which you can cancel. This method is not recommended, but some users might find it sufficient for casual snoopers.
  • If you have multiple users on a machine create a separate Windows user account for each person, and then use the Thunderbird Profile Manager to create each person's profile somewhere other than the default location. This makes it harder to accidentally stumble across each other's profiles.

Medium methods

  • Use operating system commands to restrict access to the files. For example, if you store your profile on a NTFS partition under Windows 2000 or XP you can right-click on the folder in Windows Explorer, select Properties, the Security tab, and then specify who has access to that folder. That can be bypassed by somebody else with admin privileges, or by booting another operating system using a live CD such as Knoppix. In a business environment an admin might consider using group or system policy settings to restrict access or store it in a password-protected file share on a file server.
  • Use an IMAP account. By default, IMAP stores messages on remote folders which you can access as if they're local folders. This doesn't protect your address book or other files in your profile, but it does simplify things since it does not download the message body to your hard disk, even when you're reading it. Somebody could still use any passwords you stored in the Password Manager unless you set a master password.

    Note: You can password protect the contents of the message pane by setting mail.password_protect_local_cache to true using the configuration editor. However that seems redundant if you don't use the password manager, and if you use the password manager that supplies the password.

Strong methods

  • Store the profile on a password-protected encrypted disk partition. You want to use a encrypted disk partition to avoid being prompted to encrypt and decrypt each file. If the profile already exists, move it per these instructions.
    TrueCrypt is most frequently recommended. Its available for both Windows and Linux, and has a installation wizard. The free version of pgpdisk or Axcrypt works with most versions of Windows. OSX includes FileVault. If you're running Linux there are many ways to encrypt a partition such as pppd - Practical Privacy Disc Driver.
  • You can combine methods, such as creating a TrueCrypt volume on a USB drive per these instructions.


If you're fanatical about privacy:

  • Think about where your temporary files are stored. Thunderbird creates two temporary files when sending a message. Opening an attachment will also typically create a temporary file. Under Windows you can set the TMP and TEMP environmental variables to point to where temporary files should be created. You might set it to a small RAM disk or a directory in an existing password-protected encrypted disk partition.
  • If you delete a message stored in your POP account or Local Folders directory the original message is still in that folder (just hidden from view and marked for deletion). When you compact a folder it physically deletes the "deleted" messages. It creates a temporary "nstmp" file and then deletes it when it does this. You'd need to use a secure data removal tool to prevent somebody from using a disk editor to read the sectors used to store those messages. However, if you stored the profile on a password-protected encrypted disk partition the messages in the freed sectors should still be encrypted, not clear text.
  • A IMAP account stores the headers for each folder in mail summary files on the hard disk. The *.msf files contain the subject and the email addresses for each message. One way to automaticly remove those files would be to modify the Thunderbird shortcut to launch a batch file, and have it cleanup when you exit Thunderbird. The first line would launch Thunderbird. The second line could contain something like del accounts_pathname\*.msf /S to delete all of the *.msf files in the IMAP account directory in the profile. Doing this will force Thunderbird to fetch the headers for any remote folder you open (such as the inbox folder) the next time you run it.

See also

External links