
Re: [ietf-smtp] [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

2015-12-04 14:42:45
On Fri, Dec 04, 2015 at 02:48:43AM +0000, Ted Lemon wrote:
> There are some ways of fixing this without involving the MUA.   E.g.,
> if a user gets email with links to images, rewrite all of the links to
> point to a proxy that has a mapping between each rewritten link and the
> original; if the MUA fetches against that link, proxy it.   This protects
> the end user's IP address without requiring that they install a new
> MUA, and should be the default behavior of every mail system (but I
> suspect isn't the default behavior of any, although I heard Google was
> contemplating doing something like this).

This doesn't adequately protect privacy.  For example:

1. Such links are often customized on a per-user per-message basis
with unique URLs.  Thus *any* hit on that URL from anywhere must
have come from that user [1] and via that particular message.
It may not disclose their IP address but it *does* disclose that
they read the message and when.  This is bad.

2. Proxying means proxy means proxy log means yet another place where
sensitive information accumulates.  I.e., I don't think it's a good idea
to attempt to fix this issue by MITM'ing connections.

3. How do you rewrite a link over an encrypted connection?

I'm not arguing that there isn't a massive privacy problem here.
There is, and I think it's far more worrisome than IP addresses
in Received lines, because it discloses far more information *and it
does so in real time*.  I just don't think solving it will be this easy.


[1] Or someone they forwarded it to, and this is arguably worse.

ietf-smtp mailing list
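The following is an added illustration, not code from either poster or from any mail system: it simulates both ends of the image-proxy proposal quoted above so the residual leaks described in items 1 through 3 can be observed directly. The sender mints one unique pixel URL per (recipient, message) and logs every fetch; the receiving mail system rewrites the `<img src>` to a proxy URL and fetches the original on the reader's behalf. The hostnames, addresses (RFC 5737 documentation ranges) and message identifiers are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed example: every host, address and identifier below is hypothetical.
SENDER_ORIGIN = "https://track.sender.example"     # where the tracking pixel lives
PROXY_ORIGIN = "https://imgproxy.mail.example"     # the receiving side's rewriting proxy
PROXY_IP = "198.51.100.7"                          # what the sender sees after proxying
USER_IP = "203.0.113.42"                           # the reader's real address


class SenderTracker:
    """Sending side: per-recipient, per-message pixel URLs plus a hit log (item 1)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.tokens = {}   # token -> (recipient, message_id)
        self.hits = []     # (recipient, message_id, client_ip, when)

    def pixel_url(self, recipient, message_id):
        # The token is unique to this recipient and this message, so any fetch of
        # it identifies both, regardless of which IP address performs the fetch.
        mac = hmac.new(self.secret, f"{recipient}|{message_id}".encode(), hashlib.sha256)
        token = mac.hexdigest()[:24]
        self.tokens[token] = (recipient, message_id)
        return f"{SENDER_ORIGIN}/pixel.gif?t={token}"

    def compose(self, recipient, message_id):
        return (f"<html><body><p>Hello {recipient},</p>"
                f'<img src="{self.pixel_url(recipient, message_id)}" width="1" height="1">'
                f"</body></html>")

    def serve(self, url, client_ip, when):
        """Handle a fetch of the pixel; returns the log entry the sender learns."""
        token = parse_qs(urlsplit(url).query).get("t", [None])[0]
        who = self.tokens.get(token)
        if who is None:
            return None
        hit = (who[0], who[1], client_ip, when)
        self.hits.append(hit)
        return hit


IMG_SRC = re.compile(r'(<img\b[^>]*\bsrc=")([^"]+)(")', re.IGNORECASE)


class RewritingProxy:
    """Receiving side: the link-rewriting proxy from the quoted proposal."""

    def __init__(self):
        self.mapping = {}      # rewritten id -> original URL
        self.access_log = []   # (rewritten id, user_ip, when): the extra log of item 2

    def rewrite(self, html):
        """Rewrite each <img src> to point at the proxy; returns (html, count)."""
        if html.lstrip().startswith("-----BEGIN PGP MESSAGE-----"):
            # Item 3: an end-to-end encrypted body is opaque to the mail system,
            # so there are no links for it to rewrite.
            return html, 0
        count = 0

        def repl(m):
            nonlocal count
            rid = secrets.token_urlsafe(12)
            self.mapping[rid] = m.group(2)
            count += 1
            return f"{m.group(1)}{PROXY_ORIGIN}/i/{rid}{m.group(3)}"

        return IMG_SRC.sub(repl, html), count

    def fetch(self, rewritten_url, user_ip, when, origin):
        """The MUA fetches the rewritten link; the proxy fetches the original."""
        rid = urlsplit(rewritten_url).path.rsplit("/", 1)[-1]
        self.access_log.append((rid, user_ip, when))   # sensitive data accumulates here too
        # The sender's server sees the proxy's address, never the user's.
        return origin.serve(self.mapping[rid], PROXY_IP, when)


def demo():
    """Run one message end to end and report what each party learned."""
    origin = SenderTracker()
    proxy = RewritingProxy()
    html = origin.compose("alice@mail.example", "<msg-1@sender.example>")
    rewritten, n = proxy.rewrite(html)
    if n != 1:
        raise RuntimeError("expected exactly one image link to be rewritten")
    link = IMG_SRC.search(rewritten).group(2)
    hit = proxy.fetch(link, USER_IP, "2015-12-04T14:42:45Z", origin)
    return {
        "rewritten_link": link,
        "origin_hit": hit,                 # recipient, message, proxy IP, time
        "proxy_log": list(proxy.access_log),
        "user_ip_hidden": hit[2] != USER_IP,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the trade-off in one place: the sender's log entry carries the proxy's address rather than the reader's, but it still names the recipient, the message and the time of the fetch, and the proxy now holds its own mapping and access log on top of that.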
