1 Return-Path: <tomi.ollila@iki.fi>
\r
2 X-Original-To: notmuch@notmuchmail.org
\r
3 Delivered-To: notmuch@notmuchmail.org
\r
4 Received: from localhost (localhost [127.0.0.1])
\r
5 by olra.theworths.org (Postfix) with ESMTP id 8B94E431FC9
\r
6 for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 23:26:21 -0800 (PST)
\r
7 X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
\r
11 X-Spam-Status: No, score=2.438 tagged_above=-999 required=5
\r
12 tests=[DNS_FROM_AHBL_RHSBL=2.438] autolearn=disabled
\r
13 Received: from olra.theworths.org ([127.0.0.1])
\r
14 by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
\r
15 with ESMTP id ujX1dOUdWGHg for <notmuch@notmuchmail.org>;
\r
16 Wed, 21 Jan 2015 23:26:11 -0800 (PST)
\r
17 Received: from guru.guru-group.fi (guru.guru-group.fi [46.183.73.34])
\r
18 by olra.theworths.org (Postfix) with ESMTP id 90975431FBC
\r
19 for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 23:26:09 -0800 (PST)
\r
20 Received: from guru.guru-group.fi (localhost [IPv6:::1])
\r
21 by guru.guru-group.fi (Postfix) with ESMTP id E839E1000E0;
\r
22 Thu, 22 Jan 2015 09:25:39 +0200 (EET)
\r
23 From: Tomi Ollila <tomi.ollila@iki.fi>
\r
24 To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
\r
25 notmuch mailing list <notmuch@notmuchmail.org>
\r
26 Subject: Re: privacy problem: text/html parts pull in network resources
\r
27 In-Reply-To: <87ppa7q25w.fsf@alice.fifthhorseman.net>
\r
28 References: <87ppa7q25w.fsf@alice.fifthhorseman.net>
\r
29 User-Agent: Notmuch/0.19+29~g7367d27 (http://notmuchmail.org) Emacs/24.3.1
\r
30 (x86_64-unknown-linux-gnu)
\r
31 X-Face: HhBM'cA~<r"^Xv\KRN0P{vn'Y"Kd;zg_y3S[4)KSN~s?O\"QPoL
\r
32 $[Xv_BD:i/F$WiEWax}R(MPS`^UaptOGD`*/=@\1lKoVa9tnrg0TW?"r7aRtgk[F
\r
33 !)g;OY^,BjTbr)Np:%c_o'jj,Z
\r
34 Date: Thu, 22 Jan 2015 09:25:39 +0200
\r
35 Message-ID: <m2sif3tgy4.fsf@guru.guru-group.fi>
\r
37 Content-Type: text/plain
\r
38 X-BeenThere: notmuch@notmuchmail.org
\r
39 X-Mailman-Version: 2.1.13
\r
41 List-Id: "Use and development of the notmuch mail system."
\r
42 <notmuch.notmuchmail.org>
\r
43 List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
\r
44 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
\r
45 List-Archive: <http://notmuchmail.org/pipermail/notmuch>
\r
46 List-Post: <mailto:notmuch@notmuchmail.org>
\r
47 List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
\r
48 List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
\r
49 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
\r
50 X-List-Received-Date: Thu, 22 Jan 2015 07:26:21 -0000
\r
52 On Wed, Jan 21 2015, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
\r
54 > If i send a message with a text/html part (either it's only text/html,
\r
55 > or all parts are rendered, or it's multipart/alternative with only a
\r
56 > text/html subpart) and that HTML has <img
\r
57 > src="http://example.org/test.png"/> in it, then notmuch will make a
\r
58 > network request for that image.
\r
60 I noticed the same a few days ago and first test to avoid that was
\r
62 (defun open-network-stream (&rest) nil)
\r
64 (but then I tried to send email and that failed ;/)
\r
66 next was M-x debug-on-entry RER open-network-stream RET
\r
68 ... but I don,t remember how to manipulate how that continues.
\r
70 Latest I've been thinking defadvice around open-network-stream which
\r
71 asks whether to proceed to it or just return nil.
\r
73 I'd like to have buffer-local defadvices... ;) .. but there one could
\r
74 probably store original open-network-stream location and then flet (or
\r
75 was it letf) it there...
\r
77 Anyway, if there is better, more robust alternative I am (also) very
\r
84 > This is a privacy disaster, because it enables an e-mail sender to use
\r
85 > "web bugs" to tell when a given notmuch user has opened their e-mail.
\r
87 > It's also a bit of a consistency/storage/indexing disaster because it
\r
88 > means that what you see when you open a given message will change
\r
89 > depending on the network environment you're in when you open it.
\r
91 > It's also potentially a security problem because it means that anyone in
\r
92 > control of the remote server (or the network between you and the remote
\r
93 > server if the image isn't sourced over https) can feed arbitrary data
\r
94 > into whatever emacs image rendering library is being used. (granted,
\r
95 > this is not a unique problem because this can already be done by the
\r
96 > original message sender with a multipart/mixed message, but it's an
\r
97 > additional exposure of attack surface)
\r
99 > I just raised this on #notmuch, and i don't have the time or the
\r
100 > knowledge to look into it now, but i think the defaults here need to be
\r
101 > to avoid network access entirely unless the user explicitly requests it.
\r
104 > _______________________________________________
\r
105 > notmuch mailing list
\r
106 > notmuch@notmuchmail.org
\r
107 > http://notmuchmail.org/mailman/listinfo/notmuch
\r