Return-Path: X-Original-To: notmuch@notmuchmail.org Delivered-To: notmuch@notmuchmail.org Received: from localhost (localhost [127.0.0.1]) by olra.theworths.org (Postfix) with ESMTP id 8B94E431FC9 for ; Wed, 21 Jan 2015 23:26:21 -0800 (PST) X-Virus-Scanned: Debian amavisd-new at olra.theworths.org X-Spam-Flag: NO X-Spam-Score: 2.438 X-Spam-Level: ** X-Spam-Status: No, score=2.438 tagged_above=-999 required=5 tests=[DNS_FROM_AHBL_RHSBL=2.438] autolearn=disabled Received: from olra.theworths.org ([127.0.0.1]) by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ujX1dOUdWGHg for ; Wed, 21 Jan 2015 23:26:11 -0800 (PST) Received: from guru.guru-group.fi (guru.guru-group.fi [46.183.73.34]) by olra.theworths.org (Postfix) with ESMTP id 90975431FBC for ; Wed, 21 Jan 2015 23:26:09 -0800 (PST) Received: from guru.guru-group.fi (localhost [IPv6:::1]) by guru.guru-group.fi (Postfix) with ESMTP id E839E1000E0; Thu, 22 Jan 2015 09:25:39 +0200 (EET) From: Tomi Ollila To: Daniel Kahn Gillmor , notmuch mailing list Subject: Re: privacy problem: text/html parts pull in network resources In-Reply-To: <87ppa7q25w.fsf@alice.fifthhorseman.net> References: <87ppa7q25w.fsf@alice.fifthhorseman.net> User-Agent: Notmuch/0.19+29~g7367d27 (http://notmuchmail.org) Emacs/24.3.1 (x86_64-unknown-linux-gnu) X-Face: HhBM'cA~ MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Jan 2015 07:26:21 -0000 On Wed, Jan 21 2015, Daniel Kahn Gillmor wrote: > If i send a message with a text/html part (either it's only text/html, > or all parts are rendered, or it's multipart/alternative with only a > text/html subpart) and that HTML has src="http://example.org/test.png"/> in it, then notmuch will make a > network request for that image. I noticed the same a few days ago and first test to avoid that was (defun open-network-stream (&rest) nil) (but then I tried to send email and that failed ;/) next was M-x debug-on-entry RER open-network-stream RET ... but I don,t remember how to manipulate how that continues. Latest I've been thinking defadvice around open-network-stream which asks whether to proceed to it or just return nil. I'd like to have buffer-local defadvices... ;) .. but there one could probably store original open-network-stream location and then flet (or was it letf) it there... Anyway, if there is better, more robust alternative I am (also) very interested of it... Tomi > > This is a privacy disaster, because it enables an e-mail sender to use > "web bugs" to tell when a given notmuch user has opened their e-mail. > > It's also a bit of a consistency/storage/indexing disaster because it > means that what you see when you open a given message will change > depending on the network environment you're in when you open it. > > It's also potentially a security problem because it means that anyone in > control of the remote server (or the network between you and the remote > server if the image isn't sourced over https) can feed arbitrary data > into whatever emacs image rendering library is being used. (granted, > this is not a unique problem because this can already be done by the > original message sender with a multipart/mixed message, but it's an > additional exposure of attack surface) > > I just raised this on #notmuch, and i don't have the time or the > knowledge to look into it now, but i think the defaults here need to be > to avoid network access entirely unless the user explicitly requests it. > > --dkg > _______________________________________________ > notmuch mailing list > notmuch@notmuchmail.org > http://notmuchmail.org/mailman/listinfo/notmuch