From ea5aa37aa7756a4fed7c66d0871fb79191b1c274 Mon Sep 17 00:00:00 2001 From: Jinwoo Lee Date: Thu, 29 Jan 2015 15:57:25 +1600 Subject: [PATCH] Re: privacy problem: text/html parts pull in network resources --- f2/be6b1a973d74b5fdfd97ef2b5dfc922e03fc31 | 119 ++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 f2/be6b1a973d74b5fdfd97ef2b5dfc922e03fc31 diff --git a/f2/be6b1a973d74b5fdfd97ef2b5dfc922e03fc31 b/f2/be6b1a973d74b5fdfd97ef2b5dfc922e03fc31 new file mode 100644 index 000000000..554ce6a48 --- /dev/null +++ b/f2/be6b1a973d74b5fdfd97ef2b5dfc922e03fc31 @@ -0,0 +1,119 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id 02A0F431FBC + for ; Wed, 28 Jan 2015 15:57:34 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: 2.639 +X-Spam-Level: ** +X-Spam-Status: No, score=2.639 tagged_above=-999 required=5 + tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, + DNS_FROM_AHBL_RHSBL=2.438, FREEMAIL_ENVFROM_END_DIGIT=1, + FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id bIf3d2beiV4L for ; + Wed, 28 Jan 2015 15:57:31 -0800 (PST) +Received: from mail-ie0-f174.google.com (mail-ie0-f174.google.com + [209.85.223.174]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) + (No client certificate requested) + by olra.theworths.org (Postfix) with ESMTPS id A737C431FAF + for ; Wed, 28 Jan 2015 15:57:31 -0800 (PST) +Received: by mail-ie0-f174.google.com with SMTP id vy18so26838099iec.5 + for ; Wed, 28 Jan 2015 15:57:30 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; + h=from:to:subject:in-reply-to:references:user-agent:date:message-id + :mime-version:content-type; + bh=CZeHqn05Il8pW1gKIjICIUJUwMnjdwNdmpcL31yPQ1c=; + b=pluu0IqSVNPcLVsuRwrk1mwjEBek0wdEMyqdEaNBUQ1EUqGwezu/Vsoo0l4vZIMM5X + xbMUn3LfceF/eK2DicFBCsNcdqDeDrO4MLa3Yzy1T0EwotEKfANJLOd6nNIltP+LXiQY + RPiT8plqi5VM3MEyctoNS24cDWZzp5Rut0rPLjPSCFGnLbT+H6PjttObctwPLWDty0fk + protDkFpA4YJ2QtGZudKuyFNYEcR+m3j0YA7Oss5eUu9epGP/QO1eAtM/A3i31ITAb5A + rnMeA9JJDDcUIzx12WtE92na4rF9gLbATqoHlyHUUoKJPPB5OUoriLOkvamwHb2iJ4k0 + lzjg== +X-Received: by 10.42.95.12 with SMTP id d12mr318766icn.12.1422489449159; + Wed, 28 Jan 2015 15:57:29 -0800 (PST) +Received: from localhost ([2620:0:1000:407c:8db0:2697:618e:7748]) + by mx.google.com with ESMTPSA id hg18sm198261igb.1.2015.01.28.15.57.28 + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Wed, 28 Jan 2015 15:57:28 -0800 (PST) +From: Jinwoo Lee +To: Daniel Kahn Gillmor , + David Bremner , + notmuch mailing list +Subject: Re: privacy problem: text/html parts pull in network resources +In-Reply-To: +References: <87ppa7q25w.fsf@alice.fifthhorseman.net> + <87fvay3g0g.fsf@maritornes.cs.unb.ca> + <871tmfin1k.fsf@alice.fifthhorseman.net> + +User-Agent: Notmuch/0.18.1 (http://notmuchmail.org) Emacs/24.4.1 + (x86_64-apple-darwin13.2.0) +Date: Wed, 28 Jan 2015 15:57:25 -0800 +Message-ID: +MIME-Version: 1.0 +Content-Type: text/plain +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Wed, 28 Jan 2015 23:57:35 -0000 + +On Tue, Jan 27, 2015 at 08:44 PM, Jinwoo Lee wrote: +> On Tue, Jan 27, 2015 at 07:47 PM, Daniel Kahn Gillmor wrote: +>> On Sun 2015-01-25 12:51:43 -0500, David Bremner wrote: +>>> Daniel Kahn Gillmor writes: +>>> +>>>> If i send a message with a text/html part (either it's only text/html, +>>>> or all parts are rendered, or it's multipart/alternative with only a +>>>> text/html subpart) and that HTML has >>> src="http://example.org/test.png"/> in it, then notmuch will make a +>>>> network request for that image. +>>>> +>>>> This is a privacy disaster, because it enables an e-mail sender to use +>>>> "web bugs" to tell when a given notmuch user has opened their e-mail. +>>> +>>> I've just pushed Austin's shr related series to master, so this problem +>>> should be fixed as of commit b74ed1c. One tradeoff that we should at +>>> least remark in NEWS, if not actually fix, is that I think there is now +>>> no way to view such images in notmuch. I don't know offhand what other +>>> html renderers will do. +>> +>> thanks for this, David and Austin! +>> +>> Other html-rendering mail clients that are privacy-conscious will often +>> provide a button or mechanism to indicate that some remote resources +>> were requested by the page but weren't fetched (e.g. a button saying +>> something like [Load Remote Images...]). I have no idea who actually +>> clicks on those buttons (or why), though, and even if we wanted them, +>> we'd only want to add a button on an image that actually had remote +>> network resources to load, and i don't know how we'd get that +>> information propagated back up the rendering stack to make such a +>> display decision. So i'm fine with leaving it this way for now. +> +> Well, most promotional emails contain remote images and their contents +> are incomprehensible without those images. I ignore most of them but I +> do read a few of those promotional emails. It would be great to have a +> UI for loading remote resources. + +Do you mind if I add a boolean defcustom, which determines whether to +block remote images? Its default value will be T (block), but people +who want to see remote images can customize it. + +> +>> +>> --dkg +>> _______________________________________________ +>> notmuch mailing list +>> notmuch@notmuchmail.org +>> http://notmuchmail.org/mailman/listinfo/notmuch -- 2.26.2