privacy problem: text/html parts pull in network resources

Subject: privacy problem: text/html parts pull in network resources

Date: Wed, 21 Jan 2015 16:00:59 -0500

To: notmuch mailing list

Cc:

From: Daniel Kahn Gillmor


If i send a message with a text/html part (either it's only text/html,
or all parts are rendered, or it's multipart/alternative with only a
text/html subpart) and that HTML has <img
src="http://example.org/test.png"/> in it, then notmuch will make a
network request for that image.

This is a privacy disaster, because it enables an e-mail sender to use
"web bugs" to tell when a given notmuch user has opened their e-mail.

It's also a bit of a consistency/storage/indexing disaster because it
means that what you see when you open a given message will change
depending on the network environment you're in when you open it.

It's also potentially a security problem because it means that anyone in
control of the remote server (or the network between you and the remote
server if the image isn't sourced over https) can feed arbitrary data
into whatever emacs image rendering library is being used.  (granted,
this is not a unique problem because this can already be done by the
original message sender with a multipart/mixed message, but it's an
additional exposure of attack surface)

I just raised this on #notmuch, and i don't have the time or the
knowledge to look into it now, but i think the defaults here need to be
to avoid network access entirely unless the user explicitly requests it.

   --dkg
signature.asc (application/pgp-signature)

Thread: