--- /dev/null
+Return-Path: <dkg@fifthhorseman.net>\r
+X-Original-To: notmuch@notmuchmail.org\r
+Delivered-To: notmuch@notmuchmail.org\r
+Received: from localhost (localhost [127.0.0.1])\r
+ by olra.theworths.org (Postfix) with ESMTP id 480AD431FC9\r
+ for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 13:01:06 -0800 (PST)\r
+X-Virus-Scanned: Debian amavisd-new at olra.theworths.org\r
+X-Spam-Flag: NO\r
+X-Spam-Score: 2.438\r
+X-Spam-Level: **\r
+X-Spam-Status: No, score=2.438 tagged_above=-999 required=5\r
+ tests=[DNS_FROM_AHBL_RHSBL=2.438] autolearn=disabled\r
+Received: from olra.theworths.org ([127.0.0.1])\r
+ by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)\r
+ with ESMTP id d+F6aPWbu1kN for <notmuch@notmuchmail.org>;\r
+ Wed, 21 Jan 2015 13:01:03 -0800 (PST)\r
+Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108])\r
+ by olra.theworths.org (Postfix) with ESMTP id 1134A431FBC\r
+ for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 13:01:03 -0800 (PST)\r
+Received: from fifthhorseman.net (unknown [38.109.115.130])\r
+ by che.mayfirst.org (Postfix) with ESMTPSA id DF9A2F984\r
+ for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 16:00:56 -0500 (EST)\r
+Received: by fifthhorseman.net (Postfix, from userid 1000)\r
+ id 98AF220028; Wed, 21 Jan 2015 16:01:03 -0500 (EST)\r
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>\r
+To: notmuch mailing list <notmuch@notmuchmail.org>\r
+Subject: privacy problem: text/html parts pull in network resources\r
+User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1\r
+ (x86_64-pc-linux-gnu)\r
+Date: Wed, 21 Jan 2015 16:00:59 -0500\r
+Message-ID: <87ppa7q25w.fsf@alice.fifthhorseman.net>\r
+MIME-Version: 1.0\r
+Content-Type: multipart/signed; boundary="=-=-=";\r
+ micalg=pgp-sha512; protocol="application/pgp-signature"\r
+X-BeenThere: notmuch@notmuchmail.org\r
+X-Mailman-Version: 2.1.13\r
+Precedence: list\r
+List-Id: "Use and development of the notmuch mail system."\r
+ <notmuch.notmuchmail.org>\r
+List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>\r
+List-Archive: <http://notmuchmail.org/pipermail/notmuch>\r
+List-Post: <mailto:notmuch@notmuchmail.org>\r
+List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>\r
+List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=subscribe>\r
+X-List-Received-Date: Wed, 21 Jan 2015 21:01:06 -0000\r
+\r
+--=-=-=\r
+Content-Type: text/plain\r
+\r
+If i send a message with a text/html part (either it's only text/html,\r
+or all parts are rendered, or it's multipart/alternative with only a\r
+text/html subpart) and that HTML has <img\r
+src="http://example.org/test.png"/> in it, then notmuch will make a\r
+network request for that image.\r
+\r
+This is a privacy disaster, because it enables an e-mail sender to use\r
+"web bugs" to tell when a given notmuch user has opened their e-mail.\r
+\r
+It's also a bit of a consistency/storage/indexing disaster because it\r
+means that what you see when you open a given message will change\r
+depending on the network environment you're in when you open it.\r
+\r
+It's also potentially a security problem because it means that anyone in\r
+control of the remote server (or the network between you and the remote\r
+server if the image isn't sourced over https) can feed arbitrary data\r
+into whatever emacs image rendering library is being used. (granted,\r
+this is not a unique problem because this can already be done by the\r
+original message sender with a multipart/mixed message, but it's an\r
+additional exposure of attack surface)\r
+\r
+I just raised this on #notmuch, and i don't have the time or the\r
+knowledge to look into it now, but i think the defaults here need to be\r
+to avoid network access entirely unless the user explicitly requests it.\r
+\r
+ --dkg\r
+\r
+--=-=-=\r
+Content-Type: application/pgp-signature; name="signature.asc"\r
+\r
+-----BEGIN PGP SIGNATURE-----\r
+Version: GnuPG v1\r
+\r
+iQJ8BAEBCgBmBQJUwBOMXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w\r
+ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQjk2OTEyODdBN0FEREUzNzU3RDkxMUVB\r
+NTI0MDFCMTFCRkRGQTVDAAoJEKUkAbEb/fpcKuAQAMnuWN5NfRUQicnrwnwcyNnu\r
+oZNk3nI8KisTm3UrURDq33ltlB9nDFBTImkfeZDGei+Swiqat2I6l1QXvGAUoTOE\r
+g7cdEpPkWZ1M0us14ymZTc4JZ24qTw5TIfD3So0NzO+hT/laQ7rlzvU7YZ9WT8yx\r
+Waq/1JtZihLwxZ7828oQ6AgalOyo8yAu2n6svoSeYukVJz5FCQIJtKBOqdWdmxGj\r
+sjdnxxklJymrXJnAlNVnESf8RW9x4IszWs2xmgea6DjuSKml85RpIiIkD653GL3C\r
+Doua5vIeAQ5qDA3o7IK3QimZRPD3z8cXeyQ4+yH259lNIo/dzekxAXjDvNWs12P+\r
+SMwPm099bSSCPenG/jT9wz7RrUjWNFL1c7PbGLRuQzk8vyF66yLHnLIamA+wSSTu\r
+78jLnn0yCgyu1H9X38W8nnKu/U91xDxQKkA7W/ys4jI5+hBViCwsyet/O0xR/ALd\r
+aGHMTSp6Ec3e7kOLZnaEvYtUQmZuDlkz1KtASh3R+T27EFaXiUUx7X5UVCyQLoN0\r
+D4k+1i/6V6FjZbNSq0Wol7gMpSK4k6MYTkv0MV+IzJHaegmMHIulltR8rpKGhNDj\r
+deeFJg0boYt0g3MtYr0EX8Y9aG1B/xhlhr/p7lPF5oVs1nfp0tDXAVEp5Slu/y20\r
+i24iTRcKqnuPLK3rndD6\r
+=aVPR\r
+-----END PGP SIGNATURE-----\r
+--=-=-=--\r
projects / notmuch-archives.git / commitdiff