unofficial mirror of emacs-devel@gnu.org 
* Off Topic (Was Re: Emacs/Mutt and Efail or OpenPGP is safer than S/MIME?)
@ 2018-05-20 22:24 Tim Cross
  2018-05-22  2:12 ` Richard Stallman
  2018-05-22  2:12 ` Richard Stallman
  0 siblings, 2 replies; 3+ messages in thread
From: Tim Cross @ 2018-05-20 22:24 UTC (permalink / raw)
  To: Emacs developers

On 21 May 2018 at 03:33, Uwe Brauer <oub@mat.ucm.es> wrote:

> >>> "Richard" == Richard Stallman <rms@gnu.org> writes:
>
> > Slightly off topic, there is software which warns you about tracked
> > emails or even tries to block them. However that blocking then causes
> > the tracking software to consider it as opened, although it was not
> > really opened :-D [1] and which really defeats the whole idea of
> > tracking, but this is another topic.

If that occurs, the 'read receipts' must be being handled by the server
and not the client, or the anti-tracking software is just rubbish. There
are essentially 4 techniques I've seen used to track when an email message
has been opened:

1. Old style image - usually a small transparent png with a unique name.
Remote server tracks requests for the image. As each image URL has a unique
name, the system is able to map that to a specific message and from there
to the recipient. Easy to defeat and can generate lots of false positives
(for example, anti-virus software which opens messages and retrieves
embedded objects to check them for malicious content etc, messages that are
shared/forwarded etc.).

2. Embedded Javascript. Increasingly a problem, especially for browser
based email clients. Software like 'ghostery' can help reduce the threat,
but Javascript is becoming an increasingly more pervasive virus (still
frustrates me that Adobe PDFs support embedded Javascript!).

3. Mail Server Support. Some mail servers, like Exchange, support a read
receipt extension. Most effective when all servers in the mail transport
are Exchange, but other servers are also starting to support such an
extension. Probably the hardest one to protect against because the
'tracking' occurs in server land and individuals lack control at this
level. Most do offer to turn this feature off on a per client basis, but
you have to trust the server honours that request. With Exchange, the
server knows a lot about your activity due to the way Outlook and Exchange
communicate. Even if you don't use Outlook and just use imap/pop, the
server will likely mark a message as being opened once you download it
(pop) or open it (imap). About the only thing you can do is forward all
your messages to a server which is not Exchange.

4. Timed/Limited message servers. There are a few email services which
offer the ability for the sender to delete their message after a specified
period of time. I don't think these services are very popular, but I have
received messages from such services (which I refuse to read). Essentially,
you don't actually receive the message - instead, you receive a link to a
message and you need to open the remote link in order to read the message.
The marketing hype with these services is that you can supposedly delete
the message you sent so that it no longer exists - complete rubbish of
course as anyone can copy and paste the message (or use some other more
sophisticated method to capture it). I hate this one because it plays on
people who don't understand technology and gives them a false sense of
control rather than reinforcing the reality that once you send/post
something, it is out there and you no longer have control over it - almost
as stupid as those pointless email footers threatening legal action if you
distribute a message sent to you.  I'm often tempted to put something like

"To all senders - I consider any message sent to me to be my property. I
will use, discard, share or publish the contents of such messages as I see
fit."

Tim

--
Tim Cross
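
Techniques 1 and 2 from the message above can be checked for before a message is rendered. This Python script is an added example, not part of the thread or any participant's code: it lists what the HTML part of a mail would fetch or execute. The sample message, the `tracker.example` and `cdn.example` hosts, and the 1x1-size heuristic are assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the thread); host names are placeholders.
SAMPLE = """\
From: news@example.com
To: reader@example.org
Subject: Constructed sample
Content-Type: text/html; charset="utf-8"

<html><body onload="ping()">
<img src="cid:logo123" width="120" height="40">
<img src="https://tracker.example/o/7f3a9c.png" width="1" height="1">
<img src="https://cdn.example/banner.png" width="600" height="90">
<script src="https://tracker.example/t.js"></script>
</body></html>
"""

class RemoteContentFinder(HTMLParser):
    """Collects elements that would contact a remote host or run script."""
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        for name in a:
            if name.startswith("on"):  # onload, onerror, onclick, ...
                self.findings.append(("event-handler", f"{tag}[{name}]"))
        src = a.get("src", "")
        if tag == "img" and urlparse(src).scheme in ("http", "https"):
            # Any remote image reveals the open; 1x1 is the classic pixel (heuristic).
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.findings.append(("tracking-pixel" if tiny else "remote-image", src))

def audit_message(raw):
    """Return findings for every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    finder = RemoteContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings

if __name__ == "__main__":
    print(*audit_message(SAMPLE), sep="\n")
```

Images referenced with `cid:` are attached to the message itself and are not reported, since displaying them contacts no server.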


* Re: Off Topic (Was Re: Emacs/Mutt and Efail or OpenPGP is safer than S/MIME?)
  2018-05-20 22:24 Off Topic (Was Re: Emacs/Mutt and Efail or OpenPGP is safer than S/MIME?) Tim Cross
@ 2018-05-22  2:12 ` Richard Stallman
  2018-05-22  2:12 ` Richard Stallman
  1 sibling, 0 replies; 3+ messages in thread
From: Richard Stallman @ 2018-05-22  2:12 UTC (permalink / raw)
  To: Tim Cross; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > 2. Embedded Javascript. Increasingly a problem, especially for browser
  > based email clients. Software like 'ghostery' can help reduce the threat,
  > but Javascript is becoming an increasingly more pervasive virus (still
  > frustrates me that Adobe PDFs support embedded Javascript!).

Free software for PDF should not run Javascript code, at least not
without an individual request that the user makes, after seeing a
warning that it is dangerous.

Would someone like to check that the free PDF-reading programs satisfy
this requisite?  It is not really about Emacs, but the only way it can be done
is if someone does it.


-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






* Re: Off Topic (Was Re: Emacs/Mutt and Efail or OpenPGP is safer than S/MIME?)
  2018-05-20 22:24 Off Topic (Was Re: Emacs/Mutt and Efail or OpenPGP is safer than S/MIME?) Tim Cross
  2018-05-22  2:12 ` Richard Stallman
@ 2018-05-22  2:12 ` Richard Stallman
  1 sibling, 0 replies; 3+ messages in thread
From: Richard Stallman @ 2018-05-22  2:12 UTC (permalink / raw)
  To: Tim Cross; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Essentially,
  > you don't actually receive the message - instead, you receive a link to a
  > message and you need to open the remote link in order to read the message.

I would guess that most of those servers also require nonfree JS code
in order to see the message.  For your freedom's sake, you should refuse
to run it.

What I do, when sent a message that way, is either (1) just ignore it
or (2) write back explaining I won't see the message that way.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)





