On Fri, Dec 04, 2015 at 02:48:43AM +0000, Ted Lemon wrote:
There are some ways of fixing this without involving the MUA. E.g.,
if a user gets email with links to images, rewrite all of the links to
point to a proxy that has a mapping between each rewritten link and the
original; if the MUA fetches against that link, proxy it. This protects
the end user's IP address without requiring that they install a new
MUA, and should be the default behavior of every mail system (but I
suspect isn't the default behavior of any, although I heard Google was
contemplating doing something like this).
This doesn't adequately protect privacy. For example:
1. Such links are often customized on a per-user per-message basis
with unique URLs. Thus *any* hit on that URL from anywhere must
have come from that user  and via that particular message.
It may not disclose their IP address but it *does* disclose that
they read the message and when. This is bad.
2. Proxying means proxy means proxy log means yet another place where
sensitive information accumulates. I.e., I don't think it's a good idea
to attempt to fix this issue by MITM'ing connections.
3. How do you rewrite a link over an encrypted connection?
I'm not arguing that there isn't a massive privacy problem here.
There is, and I think it's far more worrisome than IP addresses
in Received lines, because it discloses far more information *and it
does so in real time*. I just don't think solving it will be this easy.
 Or someone they forwarded it to, and this is arguably worse.
ietf-smtp mailing list