Educause Security Discussion mailing list archives
Re: E-mail Privacy
From: Brian Eckman <eckman () UMN EDU>
Date: Tue, 25 May 2004 15:26:13 -0500
Javier Torner wrote:
<snip>
> It works by inserting a single pixel gif image into the body of the message and is virtually undetectable by visual examination. The gif contains embedded code to "phone home" on port 80 to a cluster of servers at didtheyreadit.com. If you open a tagged email, you will not know a confirmation has been sent.
So some other company comes along and includes a 100x70 gif that is nice and pretty in their E-mail, which also "phones home" to the Web server that it downloaded the image from. Of course, that uses a lot more bandwidth, but most users wouldn't think anything of it. In fact, they might prefer the "pretty" E-mail message that results. In fact, I'd bet dollars to donuts the GIF in question doesn't have any "embedded code" that can be run by any E-mail client. If E-mail clients start running embedded code in GIF images, a lot of people are going to be in a world of hurt. The GIF is hosted on a remote Web site. When your E-mail client parses the HTML code in the E-mail and then makes the GET request to download the picture, your IP address and other info goes into the Web server logs automatically. There is no magic involved. (BTW, if your E-mail client does this for you, either fix it or ditch it.)
<snip>
> The Information Security Team at the State of Texas, Department of Information Resources was kind enough to research the product and recommend some solutions. There are several methods to deal with the problem. They can be used singly or in combination:
<list of five options snipped>

But you are already configuring your E-mail clients either to:

1. Not display messages in HTML, but in text instead, or
2. (using Netscape's wording here as an example) "Do not load remote images in Mail and Newsgroup messages"

aren't you? :-) If not, you should start doing so in the very near future, say, three years ago. :-)

Any respectable E-mail client will allow you to do one or both of the above options (and some less respectable clients like Outlook and Outlook Express even offer this functionality :-). If your E-mail client does not allow this, you should either upgrade it, replace it or complain immediately to the publisher of it.

(Using option #2 above still displays HTML E-mail, and displays GIFs and the like that are included with the E-mail, so those people who simply *must* be able to read HTML E-mail in HTML format can still do so. It just won't download pictures from remote sites, preventing "Web bugs" from doing their dirty work.)

<rant> I'm a bit disappointed that the "Information Security Team at the State of Texas" didn't mention the two options I present above. I'd argue they are the best two choices. </rant>

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
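The mechanism Brian describes (an HTML part whose <img> points at a remote server, so rendering it fires a GET that lands in that server's logs) and his option #2 (render the HTML but never fetch remote images) can both be shown in a few lines. The following is an added example, not code from this thread or from didtheyreadit.com: it parses a constructed MIME message with the Python standard library, lists every remote image reference, flags the ones that look like pure tracking pixels (1x1 and/or carrying a per-recipient token in the query string), and rewrites the HTML the way a "do not load remote images" setting does, leaving cid: images that ship inside the message untouched. The host name tracker.example.test, the token value and the heuristics are assumptions made up for the example.

```python
"""Detect and neutralise remote-image "web bugs" in an HTML e-mail.

Added example for this thread, not code from the original post.
The sample message, the tracker host name and the heuristics are all
constructed for illustration; only the Python standard library is used.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the HTML part carries a legitimate inline
# (cid:) logo and a 1x1 remote GIF whose query string is a per-recipient
# token. The host name is an assumption, not a real tracking service.
SAMPLE_EMAIL = b"""\
From: sender@example.net
To: victim@example.org
Subject: Quarterly update
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please read the attached update.
--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please read the attached update.</p>
<img src="cid:logo@example.net" width="100" height="70" alt="logo">
<img src="http://tracker.example.test/open.gif?id=9f3c2a1b" width="1" height="1">
</body></html>
--b1--
"""

REMOTE_SCHEMES = {"http", "https"}


class ImgCollector(HTMLParser):
    """Collect every <img> tag: its attributes and its exact source text."""

    def __init__(self):
        super().__init__()
        self.images = []  # list of (attrs dict, raw tag text)

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            attrs = {k.lower(): (v or "") for k, v in attrs}
            self.images.append((attrs, self.get_starttag_text()))


def html_body(raw: bytes) -> str:
    """Return the text/html body of a raw RFC 5322 message ('' if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def is_remote(src: str) -> bool:
    """True when rendering this src would make a network request."""
    return urlparse(src).scheme.lower() in REMOTE_SCHEMES


def find_remote_images(html: str) -> list:
    """Every <img> whose src is fetched from a remote server when rendered.

    This is the complete leak surface: any of these, pretty or not,
    puts the reader's IP address and read time into someone's logs.
    """
    p = ImgCollector()
    p.feed(html)
    return [a for a, _ in p.images if is_remote(a.get("src", ""))]


def looks_like_web_bug(img: dict) -> bool:
    """Reporting heuristic: remote and (tiny or token-bearing).

    Picks out images that exist for no purpose other than tracking;
    a 100x70 remote logo without a token still leaks but is not flagged.
    """
    src = img.get("src", "")
    if not is_remote(src):
        return False
    tiny = (img.get("width", "").strip() in {"0", "1"}
            or img.get("height", "").strip() in {"0", "1"})
    tokenised = bool(urlparse(src).query)
    return tiny or tokenised


def block_remote_images(html: str) -> str:
    """Emulate the client's "do not load remote images" setting.

    Every remote src is rewritten to about:blank so no request is made;
    cid: and data: images, which ship inside the message, are untouched.
    """
    p = ImgCollector()
    p.feed(html)
    for attrs, tag_text in p.images:
        src = attrs.get("src", "")
        if is_remote(src):
            safe_tag = tag_text.replace(src, "about:blank", 1)
            html = html.replace(tag_text, safe_tag, 1)
    return html


def analyse(raw: bytes) -> dict:
    """Summarise a message: remote images, suspected bugs, sanitised HTML."""
    html = html_body(raw)
    remote = find_remote_images(html)
    return {
        "remote_images": [i["src"] for i in remote],
        "web_bugs": [i["src"] for i in remote if looks_like_web_bug(i)],
        "safe_html": block_remote_images(html),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_EMAIL)
    print("remote images:", report["remote_images"])
    print("suspected web bugs:", report["web_bugs"])
    print(report["safe_html"])
```

Note the split between find_remote_images and looks_like_web_bug: the heuristic is only useful for a report, while the thing that actually stops the leak is block_remote_images, which rewrites every remote reference regardless of size. That is Brian's point about the "pretty" 100x70 GIF, and it is why the client-side setting is a better control than any attempt to recognise tracking pixels.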
Current thread:
- E-mail Privacy Javier Torner (May 25)
- <Possible follow-ups>
- Re: E-mail Privacy Herrera Reyna Omar (May 25)
- Re: E-mail Privacy H. Morrow Long (May 25)
- Re: E-mail Privacy H. Morrow Long (May 25)
- Re: E-mail Privacy Glenn Leavell (May 25)
- Re: E-mail Privacy Brian Eckman (May 25)
- Re: E-mail Privacy Gary Flynn (May 25)
- Re: E-mail Privacy Glenn Leavell (May 25)
- Re: E-mail Privacy Brian Eckman (May 25)
- Re: E-mail Privacy Dan Oachs (May 25)