On 30-11-15 02:02, Christian Huitema wrote:
> On Sunday, November 29, 2015 12:54 PM, Jim Fenton wrote:
>> There are users for whom their privacy is critically important, such
>> as press informants in totalitarian societies. There are many other
>> ways to determine their location (network monitoring coupled with
>> a STARTTLS downgrade attack, for one), and it would be harmful
>> (potentially life-threatening) if anyone thought that this would truly
>> protect them. They should be using something like SecureDrop and
>> not using email at all.
> Uh, No. This is the classic "the other side of the boat is leaking too"
> argument, coupled with a dollop of "no security is better than imperfect
> security." Yes, there are many ways for metadata to leak. But that does not
> mean that we should not plugs the leaks that we do know about.
> The discussion so far shows that one hand many people believe that we are
> disclosing too much metadata in mail headers, while many more believe that
> the metadata disclosure is actually useful to fight various forms of abuse,
> some of which may well compromise users' privacy.
> We also heard that some of the big providers have already unilaterally
> decided to suppress some of the metadata, like the first hop address.
Can anyone share some information about which providers made which decision?
I posted about this earlier on the perpass list in respose to the initial
discussion of the draft-josefsson-email-received-privacy draft. Here's an
updated version of that information:
Gmail: Webmail does not disclose originating client IP, apparently using
invalid Received: field to avoid doing so.
Submit discloses originating IP.
Yahoo: Neither webmail nor submit disclose originating IP, some Received:
fields are invalid but this looks like an unrelated issue.
Outlook: Neither webmail nor submit disclose originating IP, valid Received:
AOL: Both webmail and submit disclose originating client IP in both
Received: fields and X-Originating-IP: (webmail) and X-AOL-IP:
GMX: Both webmail and submit disclose originating client IP.
Thanks John Levine for the AOL submit data.
ietf-smtp mailing list