unofficial mirror of notmuch@notmuchmail.org
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: notmuch mailing list <notmuch@notmuchmail.org>
Subject: privacy problem: text/html parts pull in network resources
Date: Wed, 21 Jan 2015 16:00:59 -0500
Message-ID: <87ppa7q25w.fsf@alice.fifthhorseman.net>

If i send a message with a text/html part (either it's only text/html,
or all parts are rendered, or it's multipart/alternative with only a
text/html subpart) and that HTML has <img
src="http://example.org/test.png"/> in it, then notmuch will make a
network request for that image.

This is a privacy disaster, because it enables an e-mail sender to use
"web bugs" to tell when a given notmuch user has opened their e-mail.

It's also a bit of a consistency/storage/indexing disaster because it
means that what you see when you open a given message will change
depending on the network environment you're in when you open it.

It's also potentially a security problem because it means that anyone in
control of the remote server (or the network between you and the remote
server if the image isn't sourced over https) can feed arbitrary data
into whatever emacs image rendering library is being used.  (granted,
this is not a unique problem because this can already be done by the
original message sender with a multipart/mixed message, but it's an
additional exposure of attack surface)

I just raised this on #notmuch, and i don't have the time or the
knowledge to look into it now, but i think the defaults here need to be
to avoid network access entirely unless the user explicitly requests it.

   --dkg
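
Added example (not part of the original message and not notmuch code): a Python check that lists the URLs a renderer would fetch on display from a message's text/html parts, which is what a client has to find before it can block them. The sample message is constructed, and the tag/attribute table is an assumption rather than an exhaustive list.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Assumed, non-exhaustive table of attributes a renderer may load on display.
AUTOLOAD = {
    "img": ("src",), "input": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "link": ("href",), "body": ("background",), "td": ("background",),
}

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):  # also invoked for <img ... />
        for name, value in attrs:
            if value and name in AUTOLOAD.get(tag, ()):
                url = value.strip()
                # "//host/x" is scheme-relative and still leaves the machine;
                # cid: and data: URLs are resolved from the message itself.
                if url.lower().startswith(("http://", "https://", "//")):
                    self.found.append((tag, name, url))

def remote_resources(raw_message):
    """Return (tag, attr, url) for each auto-loaded remote URL in text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # covers a bare text/html message and nested parts
        if part.get_content_type() == "text/html":
            collector = _Collector()
            collector.feed(part.get_content())
            hits.extend(collector.found)
    return hits

# Constructed sample: multipart/alternative with only a text/html subpart.
SAMPLE = """\
Subject: constructed test message
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html

<p>hello</p><img src="http://example.org/test.png"/>
<img src="cid:logo@example.org"> <a href="https://example.org/page">link</a>
--b1--
"""

if __name__ == "__main__":
    print(remote_resources(SAMPLE))
```

The `<a href>` link is not reported because it is only fetched when the reader follows it.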
