HN Reader

Privacy feature that doesn't work is (arguably) worse than no privacy feature at all.

HTML mails continue to be a mistake

The linked WebKit bug report seems to have some activity from today, so I'm hopeful this will be fixed at the source: https://bugs.webkit.org/show_bug.cgi?id=259787

Does thunderbird protect against this tracking vector?

Evolution lets you default to the plain text version of an email, even if it contains an HTML version [0], so if you have that setting enabled (which I do, and strongly recommend), it should hopefully reduce the impact of this issue.

[0] Edit > Preferences > Mail Preferences > HTML Messages > HTML Mode = Show plain text if present

HTML as a mail format is a horrifying mess. What you want is a rich text format for displaying static text and maybe some images and links and stuff. What we got is the entirety of the modern web application development environment stuffed into our mail clients, with maybe 1/100th the attention to standards compliance and bug fixing that real browsers get, and a metric ton of "Oh Wait Not That" workarounds to plug the obvious security gaps inherent in the "run web apps from any attacker who has your email address" metaphor.

This is one of the big reasons why email has pretty much died for casual use. Even in work environments almost everyone uses chat clients these days.

> I suggested that maintaining a whitelist of allowed html tags and attributes, and stripping them before passing the email html onto a web browser would be a good defense in depth strategy

Are there any best in class HTML preprocessors that do this well? There are many use cases for displaying email content in e.g. CRM widgets where the underlying networking can’t be controlled. An iframe with a good CSP goes a long way, but as OP notes you want defense in depth!

I'm glad that he is raising the flag after the devs failed to take it seriously. Evolution is going to have to do PR damage control soon and talk about how they're changing things to avoid this in the future.

Oh, but gmail also reveals to tracking services (i.e. virtual deliverability manager from aws ses) that you opened an email even when you disabled loading images.

They're called allowlists now

> The sender can look at their DNS logs to see if you’ve read your email, and the IP address of your DNS resolver at that time, which may indicate your location. [..] An attacker could look at the SNI header during the TLS negotiation

I suppose, but AFAIK no one is really doing that. So in that sense it's a "if a tree falls in the forest, but no one is around to hear it"-type issue.

And the response seems reasonable by the way; they set the correct flag. WebkitGTK has a bug and it doesn't work. It's not great, but you can't expect people to fix everything, especially for fairly minor issues like this.