Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This doesn't appear to support read receipt privacy, which is when the mail server caches tracking images on-delivery instead of on-read.

I shouldn't have to expose my email viewing habits just to get auto-displaying images in my email client.



That's an interesting idea.

I'd hesitate to implement it though, because of secondary risks. It would need to be thought through very carefully, and there are a whole bunch of abuse scenarios that would need to be avoided or mitigated.

As a rule, Mailpile does very little when it receives a mail - until the user has interacted with it, we have to assume the mail is junk and/or potentially hostile.

See the chapter on Oracles here: https://research.checkpoint.com/cryptographic-attacks-a-guid... - automatically triggering sender-controlled network access based on the contents of e-mail opens the door for such things.

This applies not only to cryptographic attacks, but also to more pedestrian exploitation of bugs in the app itself, or silly things like turning Mailpiles into DDoS attack robots.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: