From: Stefan Kangas
Newsgroups: gmane.emacs.devel
Subject: Never send user email address in HTTP requests
Date: Sun, 17 Dec 2023 04:02:09 -0800
To: Eli Zaretskii
Cc: rms@gnu.org, philipk@posteo.net, akib@disroot.org, emacs-devel@gnu.org, Stefan Monnier
In-Reply-To: <83v88xjipo.fsf@gnu.org>

Eli Zaretskii writes:

> It looks like a changeset was installed on master which changes how
> URL behaves in this matter, see commit 346e571230.  I'm worried that
> this is a backward-incompatible change which doesn't seem to have any
> way for users to get back old behavior.  I think we should provide
> such a way, and I think this change should be called out in the
> "Incompatible changes" section of NEWS.

Thanks, I moved it to "Incompatible changes".

The TL;DR here is that I think the issue fixed in 346e571230 is a
serious issue, and that we should not provide a way to get back to the
old behavior.

The other issues we discussed in this thread had to do with
fingerprinting, which is also a real concern.  However, more steps are
required for someone to figure out your real identity.

The basic problem is that a mere misconfiguration of
`url-privacy-level' will lead a user's privacy to be fully
compromised.  For example, a typo like:

    (setq url-privacy-level '(eemail))

will make Emacs announce your email (that you customized separately,
for Gnus or Notmuch) to the remote server in every HTTP request.

In fact, it's enough to customize that setting to anything that is not
`high', `paranoid', or a list containing the symbol `email'.

You'd best not assume you can set it to `medium', or anything like
that, because trying that will be _silently accepted_ and then: your
email will be revealed.

That's a pretty huge gotcha, and certainly not the way to design a
security feature.

But it gets even worse: url.el used to do these acrobatics to make sure
that there is indeed something privacy breaking in there:

    (or url-personal-mail-address
        user-mail-address
        (format "%s@%s" (user-real-login-name) (system-name)))

AFAIK, no other browser out there provides this misfeature.  It seems
like something from the happy 1990s that has completely outlived any
usefulness, assuming that it was at all useful even to begin with.

Providing a way to get back to the old behaviour is just re-introducing
a bad, bad footgun.  Keeping it around puts users at risk.  So I think
we shouldn't do that.
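For the misconfiguration scenario described in this message, an added example (not code from url.el, commit 346e571230, or the thread) that makes the setting fail loudly instead of silently: it checks `url-privacy-level' against the documented value set, which is assumed here from the variable's docstring in url-vars.el, and warns on any value under which the email address would be sent (the rule stated above: only `high', `paranoid', or a list containing `email' suppress it). The `my/' names are hypothetical.

```elisp
;; Added example, not url.el's own code.  Documented value set is an
;; assumption taken from the `url-privacy-level' docstring in url-vars.el.
(require 'seq)
(require 'url-vars)

(defconst my/url-privacy-symbols '(none low high paranoid)
  "Symbols documented as valid when `url-privacy-level' is a symbol.")

(defconst my/url-privacy-list-items '(email os emacs lastloc agent cookies)
  "Symbols documented as valid elements when `url-privacy-level' is a list.")

(defun my/url-privacy-level-problems (level)
  "Return a list of strings describing problems with LEVEL, or nil if safe.
A problem is an undocumented value (which url.el accepts silently, e.g.
the typo (eemail) or the non-existent `medium') or any value under which
the user's email address would be sent."
  (let (problems)
    (cond ((listp level)              ; nil counts as the empty list
           (dolist (item level)
             (unless (memq item my/url-privacy-list-items)
               (push (format "unknown privacy item `%s'" item) problems))))
          ((memq level my/url-privacy-symbols))
          (t (push (format "unknown privacy level `%s'" level) problems)))
    ;; Email is suppressed only by `high', `paranoid', or a list with `email'.
    (unless (or (memq level '(high paranoid))
                (and (listp level) (memq 'email level)))
      (push "email address would be sent in HTTP requests" problems))
    (nreverse problems)))

(defun my/url-privacy-watch (symbol newval operation _where)
  "Variable watcher for `url-privacy-level': warn when NEWVAL is risky."
  (when (eq operation 'set)
    (dolist (p (my/url-privacy-level-problems newval))
      (display-warning 'url (format "%s set to %S: %s" symbol newval p)
                       :warning))))

;; Warn on every later change (setq, setopt, Customize), and audit the
;; value that is configured right now.
(add-variable-watcher 'url-privacy-level #'my/url-privacy-watch)
(my/url-privacy-level-problems url-privacy-level)
```

Loading this from the init file after url-privacy-level is customized turns the silent acceptance into a visible warning, which is the property the message argues url.el itself lacked.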