From 0597ff60cc8812f2fb91d4af58768c2fc6ffa364 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 22 Jan 2015 16:00:59 +1900 Subject: [PATCH] privacy problem: text/html parts pull in network resources --- 64/2788c1fe26d614aa5bf37fae5ee3cb3593eb00 | 101 ++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 64/2788c1fe26d614aa5bf37fae5ee3cb3593eb00 diff --git a/64/2788c1fe26d614aa5bf37fae5ee3cb3593eb00 b/64/2788c1fe26d614aa5bf37fae5ee3cb3593eb00 new file mode 100644 index 000000000..83a965d71 --- /dev/null +++ b/64/2788c1fe26d614aa5bf37fae5ee3cb3593eb00 @@ -0,0 +1,101 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id 480AD431FC9 + for ; Wed, 21 Jan 2015 13:01:06 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: 2.438 +X-Spam-Level: ** +X-Spam-Status: No, score=2.438 tagged_above=-999 required=5 + tests=[DNS_FROM_AHBL_RHSBL=2.438] autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id d+F6aPWbu1kN for ; + Wed, 21 Jan 2015 13:01:03 -0800 (PST) +Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) + by olra.theworths.org (Postfix) with ESMTP id 1134A431FBC + for ; Wed, 21 Jan 2015 13:01:03 -0800 (PST) +Received: from fifthhorseman.net (unknown [38.109.115.130]) + by che.mayfirst.org (Postfix) with ESMTPSA id DF9A2F984 + for ; Wed, 21 Jan 2015 16:00:56 -0500 (EST) +Received: by fifthhorseman.net (Postfix, from userid 1000) + id 98AF220028; Wed, 21 Jan 2015 16:01:03 -0500 (EST) +From: Daniel Kahn Gillmor +To: notmuch mailing list +Subject: privacy problem: text/html parts pull in network resources +User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 + (x86_64-pc-linux-gnu) +Date: Wed, 21 Jan 2015 16:00:59 -0500 +Message-ID: <87ppa7q25w.fsf@alice.fifthhorseman.net> +MIME-Version: 1.0 +Content-Type: multipart/signed; boundary="=-=-="; + micalg=pgp-sha512; protocol="application/pgp-signature" +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Wed, 21 Jan 2015 21:01:06 -0000 + +--=-=-= +Content-Type: text/plain + +If i send a message with a text/html part (either it's only text/html, +or all parts are rendered, or it's multipart/alternative with only a +text/html subpart) and that HTML has in it, then notmuch will make a +network request for that image. + +This is a privacy disaster, because it enables an e-mail sender to use +"web bugs" to tell when a given notmuch user has opened their e-mail. + +It's also a bit of a consistency/storage/indexing disaster because it +means that what you see when you open a given message will change +depending on the network environment you're in when you open it. + +It's also potentially a security problem because it means that anyone in +control of the remote server (or the network between you and the remote +server if the image isn't sourced over https) can feed arbitrary data +into whatever emacs image rendering library is being used. (granted, +this is not a unique problem because this can already be done by the +original message sender with a multipart/mixed message, but it's an +additional exposure of attack surface) + +I just raised this on #notmuch, and i don't have the time or the +knowledge to look into it now, but i think the defaults here need to be +to avoid network access entirely unless the user explicitly requests it. + + --dkg + +--=-=-= +Content-Type: application/pgp-signature; name="signature.asc" + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQJ8BAEBCgBmBQJUwBOMXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w +ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQjk2OTEyODdBN0FEREUzNzU3RDkxMUVB +NTI0MDFCMTFCRkRGQTVDAAoJEKUkAbEb/fpcKuAQAMnuWN5NfRUQicnrwnwcyNnu +oZNk3nI8KisTm3UrURDq33ltlB9nDFBTImkfeZDGei+Swiqat2I6l1QXvGAUoTOE +g7cdEpPkWZ1M0us14ymZTc4JZ24qTw5TIfD3So0NzO+hT/laQ7rlzvU7YZ9WT8yx +Waq/1JtZihLwxZ7828oQ6AgalOyo8yAu2n6svoSeYukVJz5FCQIJtKBOqdWdmxGj +sjdnxxklJymrXJnAlNVnESf8RW9x4IszWs2xmgea6DjuSKml85RpIiIkD653GL3C +Doua5vIeAQ5qDA3o7IK3QimZRPD3z8cXeyQ4+yH259lNIo/dzekxAXjDvNWs12P+ +SMwPm099bSSCPenG/jT9wz7RrUjWNFL1c7PbGLRuQzk8vyF66yLHnLIamA+wSSTu +78jLnn0yCgyu1H9X38W8nnKu/U91xDxQKkA7W/ys4jI5+hBViCwsyet/O0xR/ALd +aGHMTSp6Ec3e7kOLZnaEvYtUQmZuDlkz1KtASh3R+T27EFaXiUUx7X5UVCyQLoN0 +D4k+1i/6V6FjZbNSq0Wol7gMpSK4k6MYTkv0MV+IzJHaegmMHIulltR8rpKGhNDj +deeFJg0boYt0g3MtYr0EX8Y9aG1B/xhlhr/p7lPF5oVs1nfp0tDXAVEp5Slu/y20 +i24iTRcKqnuPLK3rndD6 +=aVPR +-----END PGP SIGNATURE----- +--=-=-=-- -- 2.26.2