From: Tomi Ollila <tomi.ollila@iki.fi>
Date: Thu, 22 Jan 2015 07:25:39 +0000 (+0200)
Subject: Re: privacy problem: text/html parts pull in network resources
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=93a4c2b11b2520ad25740ef965d6b3f052b2d8f3;p=notmuch-archives.git

Re: privacy problem: text/html parts pull in network resources
---

diff --git a/bb/f9932381fc624044eb4a047146896130fc3dbe b/bb/f9932381fc624044eb4a047146896130fc3dbe
new file mode 100644
index 000000000..59293f25b
--- /dev/null
+++ b/bb/f9932381fc624044eb4a047146896130fc3dbe
@@ -0,0 +1,107 @@
+Return-Path: <tomi.ollila@iki.fi>
+X-Original-To: notmuch@notmuchmail.org
+Delivered-To: notmuch@notmuchmail.org
+Received: from localhost (localhost [127.0.0.1])
+	by olra.theworths.org (Postfix) with ESMTP id 8B94E431FC9
+	for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 23:26:21 -0800 (PST)
+X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
+X-Spam-Flag: NO
+X-Spam-Score: 2.438
+X-Spam-Level: **
+X-Spam-Status: No, score=2.438 tagged_above=-999 required=5
+	tests=[DNS_FROM_AHBL_RHSBL=2.438] autolearn=disabled
+Received: from olra.theworths.org ([127.0.0.1])
+	by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
+	with ESMTP id ujX1dOUdWGHg for <notmuch@notmuchmail.org>;
+	Wed, 21 Jan 2015 23:26:11 -0800 (PST)
+Received: from guru.guru-group.fi (guru.guru-group.fi [46.183.73.34])
+	by olra.theworths.org (Postfix) with ESMTP id 90975431FBC
+	for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 23:26:09 -0800 (PST)
+Received: from guru.guru-group.fi (localhost [IPv6:::1])
+	by guru.guru-group.fi (Postfix) with ESMTP id E839E1000E0;
+	Thu, 22 Jan 2015 09:25:39 +0200 (EET)
+From: Tomi Ollila <tomi.ollila@iki.fi>
+To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+	notmuch mailing list <notmuch@notmuchmail.org>
+Subject: Re: privacy problem: text/html parts pull in network resources
+In-Reply-To: <87ppa7q25w.fsf@alice.fifthhorseman.net>
+References: <87ppa7q25w.fsf@alice.fifthhorseman.net>
+User-Agent: Notmuch/0.19+29~g7367d27 (http://notmuchmail.org) Emacs/24.3.1
+	(x86_64-unknown-linux-gnu)
+X-Face: HhBM'cA~<r"^Xv\KRN0P{vn'Y"Kd;zg_y3S[4)KSN~s?O\"QPoL
+	$[Xv_BD:i/F$WiEWax}R(MPS`^UaptOGD`*/=@\1lKoVa9tnrg0TW?"r7aRtgk[F
+	!)g;OY^,BjTbr)Np:%c_o'jj,Z
+Date: Thu, 22 Jan 2015 09:25:39 +0200
+Message-ID: <m2sif3tgy4.fsf@guru.guru-group.fi>
+MIME-Version: 1.0
+Content-Type: text/plain
+X-BeenThere: notmuch@notmuchmail.org
+X-Mailman-Version: 2.1.13
+Precedence: list
+List-Id: "Use and development of the notmuch mail system."
+	<notmuch.notmuchmail.org>
+List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
+	<mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
+List-Archive: <http://notmuchmail.org/pipermail/notmuch>
+List-Post: <mailto:notmuch@notmuchmail.org>
+List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
+List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
+	<mailto:notmuch-request@notmuchmail.org?subject=subscribe>
+X-List-Received-Date: Thu, 22 Jan 2015 07:26:21 -0000
+
+On Wed, Jan 21 2015, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
+
+> If i send a message with a text/html part (either it's only text/html,
+> or all parts are rendered, or it's multipart/alternative with only a
+> text/html subpart) and that HTML has <img
+> src="http://example.org/test.png"/> in it, then notmuch will make a
+> network request for that image.
+
+I noticed the same a few days ago and first test to avoid that was 
+
+(defun open-network-stream (&rest) nil)
+
+(but then I tried to send email and that failed ;/)
+
+next was M-x debug-on-entry RER open-network-stream RET
+
+... but I don,t remember how to manipulate how that continues.
+
+Latest I've been thinking defadvice around open-network-stream which
+asks whether to proceed to it or just return nil.
+
+I'd like to have buffer-local defadvices... ;) .. but there one could
+probably store original open-network-stream location and then flet (or
+was it letf) it there...
+
+Anyway, if there is better, more robust alternative I am (also) very
+interested of it...
+
+Tomi
+
+
+>
+> This is a privacy disaster, because it enables an e-mail sender to use
+> "web bugs" to tell when a given notmuch user has opened their e-mail.
+>
+> It's also a bit of a consistency/storage/indexing disaster because it
+> means that what you see when you open a given message will change
+> depending on the network environment you're in when you open it.
+>
+> It's also potentially a security problem because it means that anyone in
+> control of the remote server (or the network between you and the remote
+> server if the image isn't sourced over https) can feed arbitrary data
+> into whatever emacs image rendering library is being used.  (granted,
+> this is not a unique problem because this can already be done by the
+> original message sender with a multipart/mixed message, but it's an
+> additional exposure of attack surface)
+>
+> I just raised this on #notmuch, and i don't have the time or the
+> knowledge to look into it now, but i think the defaults here need to be
+> to avoid network access entirely unless the user explicitly requests it.
+>
+>    --dkg
+> _______________________________________________
+> notmuch mailing list
+> notmuch@notmuchmail.org
+> http://notmuchmail.org/mailman/listinfo/notmuch