1 Return-Path: <aclements@csail.mit.edu>
\r
2 X-Original-To: notmuch@notmuchmail.org
\r
3 Delivered-To: notmuch@notmuchmail.org
\r
4 Received: from localhost (localhost [127.0.0.1])
\r
5 by olra.theworths.org (Postfix) with ESMTP id A0E78431FC9
\r
6 for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 13:14:15 -0800 (PST)
\r
7 X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
\r
11 X-Spam-Status: No, score=0.138 tagged_above=-999 required=5
\r
12 tests=[DNS_FROM_AHBL_RHSBL=2.438, RCVD_IN_DNSWL_MED=-2.3]
\r
14 Received: from olra.theworths.org ([127.0.0.1])
\r
15 by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
\r
16 with ESMTP id RaOTj7P383G7 for <notmuch@notmuchmail.org>;
\r
17 Wed, 21 Jan 2015 13:14:13 -0800 (PST)
\r
18 Received: from outgoing.csail.mit.edu (outgoing.csail.mit.edu [128.30.2.149])
\r
19 by olra.theworths.org (Postfix) with ESMTP id EE39B431FBC
\r
20 for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 13:14:12 -0800 (PST)
\r
21 Received: from [104.131.20.129] (helo=awakeningjr)
\r
22 by outgoing.csail.mit.edu with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16)
\r
23 (Exim 4.72) (envelope-from <aclements@csail.mit.edu>)
\r
24 id 1YE2bH-0007IS-T3; Wed, 21 Jan 2015 16:14:07 -0500
\r
25 Received: from amthrax by awakeningjr with local (Exim 4.84)
\r
26 (envelope-from <aclements@csail.mit.edu>)
\r
27 id 1YE2bH-0001Oc-Eu; Wed, 21 Jan 2015 16:14:07 -0500
\r
28 Date: Wed, 21 Jan 2015 16:14:07 -0500
\r
29 From: Austin Clements <aclements@csail.mit.edu>
\r
30 To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
\r
31 Subject: Re: privacy problem: text/html parts pull in network resources
\r
32 Message-ID: <20150121211407.GK22599@csail.mit.edu>
\r
33 References: <87ppa7q25w.fsf@alice.fifthhorseman.net>
\r
35 Content-Type: text/plain; charset=us-ascii
\r
36 Content-Disposition: inline
\r
37 In-Reply-To: <87ppa7q25w.fsf@alice.fifthhorseman.net>
\r
38 User-Agent: Mutt/1.5.23 (2014-03-12)
\r
39 Cc: notmuch mailing list <notmuch@notmuchmail.org>
\r
40 X-BeenThere: notmuch@notmuchmail.org
\r
41 X-Mailman-Version: 2.1.13
\r
43 List-Id: "Use and development of the notmuch mail system."
\r
44 <notmuch.notmuchmail.org>
\r
45 List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
\r
46 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
\r
47 List-Archive: <http://notmuchmail.org/pipermail/notmuch>
\r
48 List-Post: <mailto:notmuch@notmuchmail.org>
\r
49 List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
\r
50 List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
\r
51 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
\r
52 X-List-Received-Date: Wed, 21 Jan 2015 21:14:15 -0000
\r
54 I have a fix for this on shr buried deep in an old patch series that I
\r
55 never got back to: id:1398105468-14317-12-git-send-email-amdragon@mit.edu
\r
57 For shr, the key is to set shr-blocked-images to ".". However, IIRC,
\r
58 in the current notmuch message rendering pipeline, mm overrides this
\r
59 variable with something computed from gnus-blocked-images. That said,
\r
60 I'm not sure why gnus-blocked-images isn't *already* taking care of
\r
61 this, but that's probably the place to start digging.
\r
63 Quoth Daniel Kahn Gillmor on Jan 21 at 4:00 pm:
\r
64 > If i send a message with a text/html part (either it's only text/html,
\r
65 > or all parts are rendered, or it's multipart/alternative with only a
\r
66 > text/html subpart) and that HTML has <img
\r
67 > src="http://example.org/test.png"/> in it, then notmuch will make a
\r
68 > network request for that image.
\r
70 > This is a privacy disaster, because it enables an e-mail sender to use
\r
71 > "web bugs" to tell when a given notmuch user has opened their e-mail.
\r
73 > It's also a bit of a consistency/storage/indexing disaster because it
\r
74 > means that what you see when you open a given message will change
\r
75 > depending on the network environment you're in when you open it.
\r
77 > It's also potentially a security problem because it means that anyone in
\r
78 > control of the remote server (or the network between you and the remote
\r
79 > server if the image isn't sourced over https) can feed arbitrary data
\r
80 > into whatever emacs image rendering library is being used. (granted,
\r
81 > this is not a unique problem because this can already be done by the
\r
82 > original message sender with a multipart/mixed message, but it's an
\r
83 > additional exposure of attack surface)
\r
85 > I just raised this on #notmuch, and i don't have the time or the
\r
86 > knowledge to look into it now, but i think the defaults here need to be
\r
87 > to avoid network access entirely unless the user explicitly requests it.
\r
93 > _______________________________________________
\r
94 > notmuch mailing list
\r
95 > notmuch@notmuchmail.org
\r
96 > http://notmuchmail.org/mailman/listinfo/notmuch
\r