privacy problem: text/html parts pull in network resources

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 21 13:00:59 PST 2015


If I send a message with a text/html part (either it's only text/html,
or all parts are rendered, or it's multipart/alternative with only a
text/html subpart) and that HTML has <img
src="http://example.org/test.png"/> in it, then notmuch will make a
network request for that image.

This is a privacy disaster, because it enables an e-mail sender to use
"web bugs" to tell when a given notmuch user has opened their e-mail.

It's also a bit of a consistency/storage/indexing disaster because it
means that what you see when you open a given message will change
depending on the network environment you're in when you open it.

It's also potentially a security problem because it means that anyone in
control of the remote server (or the network between you and the remote
server if the image isn't sourced over https) can feed arbitrary data
into whatever emacs image rendering library is being used.  (Granted,
this is not a unique problem because this can already be done by the
original message sender with a multipart/mixed message, but it's an
additional exposure of attack surface.)

I just raised this on #notmuch, and I don't have the time or the
knowledge to look into it now, but I think the defaults here need to be
to avoid network access entirely unless the user explicitly requests it.

   --dkg
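As an added, defender-side illustration of the mechanism dkg describes (this is not notmuch's code and not part of the original message): the Python below builds a constructed multipart/alternative message whose text/html subpart carries one remote <img src> and one inline cid: image, lists the http(s) image references a renderer would fetch (the "web bug" candidates), and rewrites them to inert data: URLs so that rendering the part can no longer trigger a network request. Function names and the sample message are mine.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

_SRC_RE = re.compile(r"""(\ssrc\s*=\s*)(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.I)  # src attr in a raw <img> tag
REMOTE = ("http", "https")  # schemes a renderer would fetch over the network

class _ImgTags(HTMLParser):
    """Collect (raw start-tag text, src) for each <img>; <img .../> lands here too."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.tags.append((self.get_starttag_text(), src))

def remote_image_urls(msg):
    """Remote <img src> values in every text/html part (web-bug candidates)."""
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _ImgTags()
            parser.feed(part.get_content())
            found.extend(src for _, src in parser.tags if urlsplit(src).scheme in REMOTE)
    return found

def block_remote_images(msg, placeholder="data:,"):
    """Rewrite, in place, each remote <img src> to an inert data: URL; cid: etc. stay."""
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        parser = _ImgTags()
        parser.feed(html)
        for raw, src in parser.tags:
            if urlsplit(src).scheme in REMOTE:
                safe = _SRC_RE.sub(lambda m: m.group(1) + '"%s"' % placeholder, raw, 1)
                html = html.replace(raw, safe)
        part.set_content(html, subtype="html")  # clears and re-encodes the part
    return msg

def sample_message():
    """Constructed multipart/alternative: text/plain plus text/html with one remote
    tracking image and one inline (cid:) image that needs no network access."""
    msg = EmailMessage()
    msg.set_content("plain text body")
    msg.add_alternative('<p>hi</p><img src="http://example.org/test.png"/>'
                        '<img src="cid:logo@local">', subtype="html")
    return msg
```

This covers only <img src>, the case the message describes; any other remote reference an HTML renderer would follow needs the same treatment, and the safer default remains to disable remote fetching in the renderer itself.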