Re: [ietf-smtp] [Shutup] Proposed Charter for the "SMTP Headers Unhealth

Thursday, Dec 3, 2015 9:39 PM Robert A. Rosenberg wrote:
> If the message is HTML, then putting a 1x1 web-bug image in the HTML will 
> trigger the info UNLESS the user's MUA is set to NOT automatically retrieve 
> images.
That retrieving images is the default behavior of most MUAs, and that it is 
even possible to do without cryptographically validating the ID of the sender 
in _any_ MUA, is an example of what I am talking about when I say that UI 
design is vitally important to protecting users' privacy.

Obviously if you have an MUA that behaves so stupidly, then your privacy is 
forfeit.   At present, that's most MUAs.   This is something that I hope MUA 
implementors will wise up to, and we ought to be advising them to if we aren't 
already.

There are some ways of fixing this without involving the MUA.   E.g., if a user 
gets email with links to images, rewrite all of the links to point to a proxy 
that has a mapping between each rewritten link and the original; if the MUA 
fetches against that link, proxy it.   This protects the end user's IP address 
without requiring that they install a new MUA, and should be the default 
behavior of every mail system (but I suspect isn't the default behavior of any, 
although I heard Google was contemplating doing something like this).


--
Sent from Whiteout Mail - https://whiteout.io

My PGP key: https://keys.whiteout.io/mellon(_at_)fugue(_dot_)com

pgpJckzGVAQA3.pgp
Description: PGP signature

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp