
Re: [ietf-smtp] [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

2015-11-30 09:51:16
On 30-11-15 02:02, Christian Huitema wrote:
> On Sunday, November 29, 2015 12:54 PM, Jim Fenton wrote:
>> There are users for whom their privacy is critically important, such
>> as press informants in totalitarian societies. There are many other
>> ways to determine their location (network monitoring coupled with
>> a STARTTLS downgrade attack, for one), and it would be harmful
>> (potentially life-threatening) if anyone thought that this would truly
>> protect them. They should be using something like SecureDrop and
>> not using email at all.
> Uh, No. This is the classic "the other side of the boat is leaking too"
> argument, coupled with a dollop of "no security is better than imperfect
> security." Yes, there are many ways for metadata to leak. But that does not
> mean that we should not plug the leaks that we do know about.
> The discussion so far shows that on one hand many people believe that we are
> disclosing too much metadata in mail headers, while many more believe that
> the metadata disclosure is actually useful to fight various forms of abuse,
> some of which may well compromise users' privacy.
> We also heard that some of the big providers have already unilaterally
> decided to suppress some of the metadata, like the first hop address.

Can anyone share some information about which providers made which decision?

I posted about this earlier on the perpass list in response to the initial
discussion of the draft-josefsson-email-received-privacy draft. Here's an
updated version of that information:

Gmail:   Webmail does not disclose originating client IP, apparently using
        invalid Received: field to avoid doing so.
        Submit discloses originating IP.
Yahoo:   Neither webmail nor submit disclose originating IP, some Received:
        fields are invalid but this looks like an unrelated issue.
Outlook: Neither webmail nor submit disclose originating IP, valid Received:
AOL:     Both webmail and submit disclose originating client IP in both
        Received: fields and X-Originating-IP: (webmail) and X-AOL-IP:
        (submit) fields.
GMX:     Both webmail and submit disclose originating client IP.

Thanks John Levine for the AOL submit data.


ietf-smtp mailing list
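
An added example, not part of the original post: a Python check that reports whether a message discloses the originating client IP through the fields named in the survey above (the first-hop Received: field, X-Originating-IP: and X-AOL-IP:). The two sample messages and all hostnames and addresses in them are constructed, and the check assumes client addresses appear as bracketed literals in the Received: from-clause.

```python
import email
import ipaddress
import re

EXPLICIT_FIELDS = ("X-Originating-IP", "X-AOL-IP")   # fields named in the survey
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")  # [1.2.3.4] or [IPv6:...]

def parse_ip(text):
    """Return the normalized address as a string, or None if text is not an IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None

def client_ip_disclosures(raw_message):
    """List (field, address) pairs that expose the submitting client's IP."""
    msg = email.message_from_string(raw_message)
    findings = []
    for field in EXPLICIT_FIELDS:
        for value in msg.get_all(field, []):
            ip = parse_ip(value.strip().strip("[]"))
            if ip:
                findings.append((field, ip))
    received = msg.get_all("Received", [])
    if received:
        # Each hop prepends its field, so the last Received: is the first hop.
        first_hop = " ".join(received[-1].split())  # unfold continuation lines
        clause = re.match(r"from\s+(.*?)(?:\s+by\s|;|$)", first_hop, re.I)
        if clause:  # a first hop without a from-clause names no client
            for literal in BRACKETED.findall(clause.group(1)):
                ip = parse_ip(literal)
                if ip:
                    findings.append(("Received", ip))
    return findings

# Constructed sample: submission that records the client address twice.
DISCLOSING = """\
Received: from mx.example.org (mx.example.org [198.51.100.20])
 by mail.example.com with ESMTPS id abc; Mon, 30 Nov 2015 09:51:20 +0000
Received: from laptop (client.example.net [203.0.113.7])
 by mx.example.org with ESMTPSA id xyz; Mon, 30 Nov 2015 09:51:16 +0000
X-Originating-IP: [203.0.113.7]
Subject: test

body
"""
# Constructed sample: webmail first hop that carries no client address.
HIDING = """\
Received: from mx.example.org (mx.example.org [198.51.100.20])
 by mail.example.com with ESMTPS id abc; Mon, 30 Nov 2015 09:51:20 +0000
Received: by mx.example.org with HTTP; Mon, 30 Nov 2015 09:51:16 +0000
Subject: test

body
"""
```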
