unofficial mirror of emacs-devel@gnu.org 
From: Stefan Kangas <stefankangas@gmail.com>
To: Eli Zaretskii <eliz@gnu.org>
Cc: rms@gnu.org, philipk@posteo.net, akib@disroot.org,
	emacs-devel@gnu.org,  Stefan Monnier <monnier@iro.umontreal.ca>
Subject: Never send user email address in HTTP requests
Date: Sun, 17 Dec 2023 04:02:09 -0800
Message-ID: <CADwFkmn8t4UTFcw=f0LMXYD1Os+fRY0yGf5-QBOJ6j6PJbYSsg@mail.gmail.com>
In-Reply-To: <83v88xjipo.fsf@gnu.org>

Eli Zaretskii <eliz@gnu.org> writes:

> It looks like a changeset was installed on master which changes how
> URL behaves in this matter, see commit 346e571230.  I'm worried that
> this is a backward-incompatible change which doesn't seem to have any
> way for users to get back old behavior.  I think we should provide
> such a way, and I think this change should be called out in the
> "Incompatible changes" section of NEWS.

Thanks, I moved it to "Incompatible changes".

The TL;DR here is that I think the issue fixed in 346e571230 is a
serious issue, and that we should not provide a way to get back to the
old behavior.

The other issues we discussed in this thread had to do with
fingerprinting, which is also a real concern.  However, more steps are
required for someone to figure out your real identity.

The basic problem is that a mere misconfiguration of `url-privacy-level'
will lead a user's privacy to be fully compromised.

For example, a typo like:

    (setq url-privacy-level '(eemail))

will make Emacs announce your email (that you customized separately, for
Gnus or Notmuch) to the remote server in every HTTP request.

In fact, it's enough to customize that setting to anything that is not
`high', `paranoid', or a list containing the symbol `email'.

You best not assume you can set it to `medium', or anything like that,
because trying that will be _silently_accepted_ and then: your email
will be revealed.  That's a pretty huge gotcha, and certainly not the
way to design a security feature.

But it gets even worse: url.el used to do these acrobatics to make sure
that there is indeed something privacy breaking in there:

    (or url-personal-mail-address
        user-mail-address
        (format "%s@%s" (user-real-login-name)
                        (system-name)))

AFAIK, no other browser out there provides this misfeature.  It seems
like something from the happy 1990's that has completely outlived any
usefulness, assuming that it was at all useful even to begin with.

Providing a way to get back to the old behaviour is just re-introducing
a bad, bad footgun.  Keeping it around puts users at risk.  So I think
we shouldn't do that.
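
The fail-open check described in the message above, modeled next to a fail-closed variant. This is an added example, not part of the original message and not url.el code; the demo-* names and the sets of accepted values are assumptions made for the illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; the demo-* names are hypothetical, not url.el code.
(require 'cl-lib)

(defconst demo-known-levels '(none low high paranoid)
  "Symbol values this demo accepts for a privacy level (assumed set).")

(defconst demo-known-items '(email os emacs lastloc agent cookies)
  "List members this demo accepts, each naming data to withhold (assumed set).")

(defun demo-email-sent-p/fail-open (level)
  "Model of the check described in the message.
The address is withheld only when LEVEL is `high', `paranoid', or a
list containing `email'; every other value, typos included, sends it."
  (not (or (memq level '(high paranoid))
           (and (listp level) (memq 'email level)))))

(defun demo-validate-level (level)
  "Return LEVEL if it is a known symbol or a list of known items.
Signal an error for anything else instead of accepting it silently."
  (cond ((and level (symbolp level) (memq level demo-known-levels)) level)
        ((and (consp level)
              (cl-every (lambda (x) (memq x demo-known-items)) level))
         level)
        (t (error "Unrecognized privacy level: %S" level))))

(defun demo-email-sent-p/fail-closed (level)
  "Send the address only when LEVEL validates and permits it.
An unrecognized LEVEL is treated like the most restrictive setting."
  (condition-case nil
      (demo-email-sent-p/fail-open (demo-validate-level level))
    (error nil)))

;; Constructed sample settings: two well-formed values and the two
;; mistakes mentioned in the message (a typo and an unknown symbol).
(dolist (level '(high (email) (eemail) medium))
  (message "%-10S fail-open sends: %-3S  fail-closed sends: %S"
           level
           (demo-email-sent-p/fail-open level)
           (demo-email-sent-p/fail-closed level)))
```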


