privacy problem: text/html parts pull in network resources
Tomi Ollila
tomi.ollila at iki.fi
Wed Jan 21 23:25:39 PST 2015
On Wed, Jan 21 2015, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> If i send a message with a text/html part (either it's only text/html,
> or all parts are rendered, or it's multipart/alternative with only a
> text/html subpart) and that HTML has <img
> src="http://example.org/test.png"/> in it, then notmuch will make a
> network request for that image.
I noticed the same a few days ago and first test to avoid that was
(defun open-network-stream (&rest) nil)
(but then I tried to send email and that failed ;/)
next was M-x debug-on-entry RER open-network-stream RET
... but I don,t remember how to manipulate how that continues.
Latest I've been thinking defadvice around open-network-stream which
asks whether to proceed to it or just return nil.
I'd like to have buffer-local defadvices... ;) .. but there one could
probably store original open-network-stream location and then flet (or
was it letf) it there...
Anyway, if there is better, more robust alternative I am (also) very
interested of it...
Tomi
>
> This is a privacy disaster, because it enables an e-mail sender to use
> "web bugs" to tell when a given notmuch user has opened their e-mail.
>
> It's also a bit of a consistency/storage/indexing disaster because it
> means that what you see when you open a given message will change
> depending on the network environment you're in when you open it.
>
> It's also potentially a security problem because it means that anyone in
> control of the remote server (or the network between you and the remote
> server if the image isn't sourced over https) can feed arbitrary data
> into whatever emacs image rendering library is being used. (granted,
> this is not a unique problem because this can already be done by the
> original message sender with a multipart/mixed message, but it's an
> additional exposure of attack surface)
>
> I just raised this on #notmuch, and i don't have the time or the
> knowledge to look into it now, but i think the defaults here need to be
> to avoid network access entirely unless the user explicitly requests it.
>
> --dkg
> _______________________________________________
> notmuch mailing list
> notmuch at notmuchmail.org
> http://notmuchmail.org/mailman/listinfo/notmuch
More information about the notmuch
mailing list