From: Daniel Kahn Gillmor
To: notmuch mailing list
Subject: privacy problem: text/html parts pull in network resources
Date: Wed, 21 Jan 2015 16:00:59 -0500
Message-ID: <87ppa7q25w.fsf@alice.fifthhorseman.net>
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
List-Id: "Use and development of the notmuch mail system."
If i send a message with a text/html part (either it's only text/html, or all parts are rendered, or it's multipart/alternative with only a text/html subpart) and that HTML has an <img> tag in it, then notmuch will make a network request for that image.

This is a privacy disaster, because it enables an e-mail sender to use "web bugs" to tell when a given notmuch user has opened their e-mail.

It's also a bit of a consistency/storage/indexing disaster because it means that what you see when you open a given message will change depending on the network environment you're in when you open it.

It's also potentially a security problem because it means that anyone in control of the remote server (or the network between you and the remote server if the image isn't sourced over https) can feed arbitrary data into whatever emacs image rendering library is being used. (granted, this is not a unique problem because this can already be done by the original message sender with a multipart/mixed message, but it's an additional exposure of attack surface)

I just raised this on #notmuch, and i don't have the time or the knowledge to look into it now, but i think the defaults here need to be to avoid network access entirely unless the user explicitly requests it.
--dkg
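The behaviour described in the message above, as an added example in Python that is not notmuch's own code: a sanitiser that walks a message's text/html parts, reports every reference a renderer would fetch on its own (img src/srcset, CSS url() in style attributes and <style> blocks, link/script/iframe sources, table backgrounds), and rewrites each to a placeholder so the part can be displayed without any network request. The placeholder scheme blocked:, the AUTO_FETCH table and the sample message are assumptions constructed for this example; cid: and data: references are left alone because they resolve locally.

```python
"""Added example, not notmuch code: find the remote references in a message's text/html
parts that a renderer fetches on its own and rewrite them so rendering is network-silent."""
import email
import re
from email import policy
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> attributes whose value a renderer fetches without any user action (assumed table)
AUTO_FETCH = {"img": ("src", "srcset"), "source": ("src", "srcset"), "link": ("href",),
              "script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",),
              "video": ("src", "poster"), "audio": ("src",), "input": ("src",),
              "body": ("background",), "table": ("background",), "td": ("background",)}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)
BLOCKED = "blocked:"   # assumed placeholder: a scheme nothing will try to fetch

def is_remote(url):
    """True when rendering the URL means a network request; cid: and data: stay local."""
    url = url.strip()
    if url.startswith("//"):          # protocol-relative URLs still hit the network
        return True
    try:
        return urlsplit(url).scheme.lower() in {"http", "https", "ftp"}
    except ValueError:                # unparsable URL: fail closed
        return True

class RemoteRefStripper(HTMLParser):
    """Re-emit HTML with remote auto-fetch references replaced by BLOCKED, recording
    (tag, attr, url) for each so the user can opt in to a specific fetch explicitly."""
    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep entities as written
        self.out, self.blocked, self._in_style = [], [], False

    def _clean_css(self, tag, css):
        def sub(m):
            if not is_remote(m.group(1)):
                return m.group(0)
            self.blocked.append((tag, "css", m.group(1)))
            return f"url({BLOCKED})"
        return CSS_URL.sub(sub, css)

    def _rebuild(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if value is None:                      # bare attribute, e.g. <input disabled>
                parts.append(name)
                continue
            if name in AUTO_FETCH.get(tag, ()):
                # srcset is "url 1x, url 2x"; every other attribute holds one URL
                urls = [c.split()[0] for c in value.split(",") if c.strip()] if name == "srcset" else [value]
                remote = [u for u in urls if is_remote(u)]
                if remote:
                    self.blocked.extend((tag, name, u) for u in remote)
                    value = BLOCKED
            elif name == "style":                  # inline CSS can fetch via url()
                value = self._clean_css(tag, value)
            parts.append(f'{name}="{escape(value, quote=True)}"')
        return " ".join(parts)

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"            # <style> bodies arrive via handle_data
        self.out.append(f"<{self._rebuild(tag, attrs)}>")
    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{self._rebuild(tag, attrs)}/>")
    def handle_endtag(self, tag):
        self._in_style = False
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(self._clean_css("style", data) if self._in_style else data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")
    # comments are dropped on purpose: conditional comments can hide more markup

def strip_message(raw):
    """Sanitise every text/html part of an RFC 5322 message in place.
    Returns (message, [(part_index, tag, attr, url), ...])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = []
    for index, part in enumerate(msg.walk()):
        if part.get_content_type() == "text/html":
            s = RemoteRefStripper()
            s.feed(part.get_content())
            s.close()
            part.set_content("".join(s.out), subtype="html")
            blocked.extend((index,) + hit for hit in s.blocked)
    return msg, blocked

# Constructed sample: multipart/alternative whose HTML part carries a web bug.
SAMPLE = b"""From: sender@example.com
To: reader@example.net
Subject: constructed sample with a web bug
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: text/html

<html><body style="background: url(https://track.example.com/bg.png)">
<p>hello &amp; welcome</p>
<img src="https://track.example.com/open.gif?id=42" width="1" height="1">
<img src="cid:logo@example.com" alt="inline part: stays">
<a href="https://example.com/">links are fetched only when clicked</a>
</body></html>
--b1--
"""
```

Calling strip_message(SAMPLE) returns the rewritten message plus the two blocked references (the CSS background and the 1x1 tracking image); the cid: image and the plain hyperlink are untouched, since neither causes a fetch on display. Surfacing the blocked list instead of silently loading is the point: the user decides per reference whether to hand remote bytes to the image library.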