Cookies are a Security Hole in HTML Email
Richard Smith just keeps uncovering security holes. Today it's the Email Cookie Leak.
By reading mail, you unknowingly register your email address in someone's database, and accept their cookie. Next time you browse their site, or a site they have banner ads or other GIFs on, you are essentially broadcasting your email address while you surf. As Smith points out, just wait until banner-ad companies start taking advantage of this. I repeat the suggestion I made in October: browsers (and all clients that speak HTTP) should reject cookies not sent with the page.
Yet another reason not to use HTML email (Score:1)
Yes... (Score:2)
Yes. I was also surprised when I realized that Java and JavaScript are automatically set to be useable in email as the default under Netscape mail... I turned that off promptly. Java execution in Netscape 4.7 seems to core an awful lot... which is really annoying.
In any case, I run everything through my junkbuster proxy, which makes me feel happy and secure... I recommend junkbuster to anyone and everyone who values their privacy and hates banner advertisements... especially the ones on slashdot. ;)
Okay, this could suck, but I'm not worrying (Score:1)
If the e-mail was sent as a response to registering for software, or perhaps subscribing to some advertising-paid mailing list, then I suppose that would be legal. Even then, though, what good would linking the cookie to their e-mail address do but to promote more spam?
There's no way anyone could economically prosper off of this bug, and if they do, it's illegal because of the spam factor, and won't appeal to reputable companies, who the advertising companies are targeting for money. Microsoft and Netscape should probably get this hole looked at, though, just in case something destructive could come from it.
Well, not something too surprising. (Score:1)
Browsers do warn you about sending information. Should they also warn about opening Emails? Perhaps a browser should check the email for cookies before opening. If it finds one, then it could warn you that this could be a security risk.
Let's hope to god that those banner companies don't get in on this. They probably will, unless the Better Business Bureau or the Department of Commerce does something (if they even can). We can always hope. (Or start writing to them.)
-Chompster
Unexpected Kernel Trap at 101010
Don't Panic!
HTML Email (Score:1)
I have been using plain text email for years and I see no reason to switch to HTML Email. I have Outlook send HTML Mail automatically, unless I'm replying to someone who sent mail to me in plain text. This way, basically all I'm using HTML Email for is to tell how sophisticated the software of the recipient/sender is.
Isn't this a little late? (Score:1)
Anybody here work for one of the ad companies and know if the banners collect cookies?
-*-*-*- I'm a little segfault short and stout
this is my handle, this is my spout!
Re:HTML Email (Score:1)
HTML mail ! for me (Score:3)
Anyhow, the point is that reading mail with special effects is proving to be more costly than it's worth to those of us who value our privacy, and the general security of our email.
Though - ANSI bombs are possible in mailx
include "^[[10;1999]^[[11;1999]^G^[[12;1]^[[2J^[[1;1H^[[3
Don't^H^H^H^H try this at home!
The perfect solution (Score:1)
Erik
Bye bye banners!!! (Score:1)
I think if the banner ad folks want to stay in business, they stay away from cookies. Otherwise it's a quick one way trip to bankruptcy.
---
Another non-functioning site was "uncertainty.microsoft.com." The purpose of that site was not known. -- MSNBC 10-26-1999 on MS crack
Nothing new (Score:2)
First of all, note that there is nothing "groundbreaking" in this discovery. All this happens only if you are unlucky enough to have your email address in the hands of spammers, which is already as bad as it gets.
What can you do to prevent such abuse? Several things: Turn off HTML enabling for your email clients (you may or may not have a choice depending on the client). Restrict (or disallow) cookies in your web browser. Use something like Junk Buster [junkbuster.com].
Sreeram.
From the article (Score:4)
Connection: Keep-Alive
User-Agent: Mozilla/4.7 [en] (Win98; I)
Host: www.mybannerads.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Cookie: id=c643640a
Both the Email address and cookie value are included in the Outlook and Messenger GET requests. When the GET request is processed by the MyBannerAds server, it first extracts the customer id number from the cookie and looks it up in its database of "anonymous" profiles of Web surfers. Once it has located the profile, it then extracts the Email address from the URL query string, turning a once "anonymous" profile into an "identified" profile.
So where does MyBannerAds get the Email addresses in the first place to send out a message which includes the SYNC.GIF file? The answer is quite simple: they "rent" the Email addresses. Or more specifically, they rent space in junk Email messages that are already being sent out. The IMG tags typically take less than 100 bytes, so they can easily be embedded in messages that are part of any Email ad campaign that is using HTML Email messages.
Another interesting discussion about HTML Email and cookies can be found @: http://www.tiac.net/users/smiths/privacy/wbfaq.htm [tiac.net]
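Added example, not code from the thread or from Richard Smith's article: a small re-creation of the server-side join the quoted passage describes. The request text is constructed, modelled on the headers quoted above; its request line (GET /sync.gif?email=...) is an assumption, since the post quotes only the headers. The "anonymous profile" database and the e-mail address are made up.

```python
"""
Toy model of the MyBannerAds join: cookie id -> anonymous profile, then the
e-mail address carried in the beacon's query string is attached to it.
(Added example; request, profile database and address are constructed.)
"""
from urllib.parse import urlsplit, parse_qs
from http.cookies import SimpleCookie

# Constructed request. Headers follow the ones quoted in the post; the request
# line is an assumption (the post does not show it).
SYNC_REQUEST = (
    "GET /sync.gif?email=journey%40example.net HTTP/1.0\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: Mozilla/4.7 [en] (Win98; I)\r\n"
    "Host: www.mybannerads.com\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png\r\n"
    "Cookie: id=c643640a\r\n"
    "\r\n"
)

# Constructed "anonymous" profiles, keyed by the id cookie the ad server set
# earlier while the user browsed sites carrying its banners.
ANON_PROFILES = {
    "c643640a": {"sites_seen": ["news.example.com", "shop.example.org"], "email": None},
}


def parse_request(raw):
    """Split a raw HTTP/1.0 request into method, path, query parameters and headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "headers": headers,
    }


def cookie_id(headers):
    """Return the tracker's id cookie value, or None if the client sent no cookie."""
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return jar["id"].value if "id" in jar else None


def link_profile(profiles, raw_request):
    """The join described in the post. Returns the now-identified profile, or
    None when there is no cookie to join on (a client that refuses or does not
    share the tracker's cookie gives the server only an address, no history)."""
    req = parse_request(raw_request)
    cid = cookie_id(req["headers"])
    if cid is None or cid not in profiles:
        return None
    profile = profiles[cid]
    email = req["query"].get("email")
    if email:
        profile["email"] = email
        # Fetching the beacon at all also proves the address is read by someone.
        profile["confirmed_live"] = True
    return profile
```

The same beacon fetch, without the Cookie header, still tells the sender the address is live (the point made further down in the thread), but it cannot be joined to a browsing profile; that is the difference a client that keeps its mail reader out of the browser's cookie jar makes.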
Re:More than one cookie file? (Score:2)
More reason to go to an open source browser.
Also, it would be nice to be able to hack your browser to support cookies only from authorized sites. That way you could enable them for your
> Anybody got a decent URL for cleaning out the cookie jar?
I haven't checked lately, but the GTK+ Application Repository [unc.edu] used to have a cookie editor. It was submitted quite a while back, so you may have to hack it a bit to make it work with the more recent GTK libraries.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
No, I don't (Score:2)
HTML, not HTTP (Score:5)
In this case, browsers simply need to be setup to function as individual components. The web browser should not have access to the same mechanisms as an e-mail client. HTML e-mail is different from loading a web page and should be treated as such. Cookies are not a part of HTML; they are a part of HTTP! The browsers shouldn't confuse the two. This isn't a problem with the implementations of cookies, this is a problem with the implementation of HTML e-mail and the web browser.
And the idea that loading cookies from only that page is ludicrous. The whole idea is to be able to give an entire site access to information so that you can do things on different pages with similar information without having to repeatedly ask for that information. There's nothing in the HTTP specification that makes this harmful. Someone simply didn't implement the specification properly so now clients can share cookie files, leading to a possible hidden exchange of data between them.
Re:HTML Email... You're at risk (Score:1)
If you read the article, you'll find that you're still at risk with Outlook in 'Restricted Sites' Zone.
YOu mean... (Score:1)
-Chris
Re:Okay, this could suck, but I'm not worrying (Score:2)
Re:The perfect solution (Score:1)
Bad Command Or File Name
Re:Okay, this could suck, but I'm not worrying (Score:2)
1. Rent space on a mailing list where advertising is already sent out. Embed invisible GIFs in the email.
2. Get into the email servicing business or acquire an email servicing company.
Even then, though, what good would linking the cookie to their e-mail address do but to promote more spam?
From the company's point of view, it allows them to build better user profiles. e.g. several companies could get together and combine their databases (based on the email addresses that they now have) to build a profile of you the user.
won't appeal to reputable companies, who the advertising companies are targeting for money.
Think RealJukebox.
The Solution (Score:1)
So.. when someone spams you.. fine.. they spammed you. Your email software simply finds out the valid URLs for the cookie, and blocks them. Who wants to give business to spammers anyway?
Also.. on another note, this makes it hard for the spammer to hide, like they do these days.. using temporary accounts, etc....
They would be eaten alive and sued like mad.
Re:The perfect solution (missed the point) (Score:2)
The point is, when they spam you, they add your email address in the message on their end. Sending an email to journey@jps.net? Your image callout would be "foo.gif?journey@jps.net". It won't matter if your browser thinks you're president@whitehouse.gov.
Added fun: if you receive mail at multiple addresses, they can relate all those email addresses to the same cookie set. Including emails you might receive through anonymizing systems, e.g. they'd know that "862139@anon.penet.fi"[1] was the same user as "journey@jps.net".
-Peter
[1] RIP
Re:More than one cookie file? (Score:1)
Re:HTML, not HTTP (Score:1)
Why are security holes even part of YRO? There should be a separate slashdot security section setup. (sorry!)
Rejecting cookies automatically (Score:2)
1. cd ~/.netscape
2. rm cookies
3. touch cookies
4. chmod a-w cookies
Makes a very good point! (Score:1)
Very good point.
It's not the HTML that's the problem, it's the access to HTTP that is.
Another reason to make sure you're secure! (Score:1)
Securing a server against HTML mail would spark outrage and nice letters from lawyers of course but on my own server.... worth looking into methinks (more a case of hatred towards HTML mail than paranoia). An "Ask Slashdot" in the making? Perhaps.
Suggestion to the people who develop e-mail clients (hello Washington University in my case) - can we have some sort of filter that just says "it's HTML mail, good bye *zap!*"
Enough rambling from me... 3 posts today, I'm beginning to feel like a bus company...
*bounces off merrily*
Re:HTML Email... You're at risk (Score:2)
I send all my spam to spamrecycle@chooseyourmail.com [mailto]; which is inherently a huge mistake, but I hope they're doing something constructive with the info...
Re:this week's "useless use of cat award" goes to (Score:2)
when you use less
Security Risk... (Score:1)
Re:Rejecting cookies automatically (Score:1)
Go to your Netscape User Profile folder,
Delete the MagicCookie file.
Make a new folder, call it MagicCookie.
Badda-Boom, Badda-Bing.
Pope
Re:HTML, not HTTP - what about images? (Score:1)
Philip Greenspun, da man of open-source cool-ass online communities says, in an absolutely brilliant chapter [photo.net] on user tracking:
-Stephen van Egmond svanegmond@home.com
Question: Usenet as well? (Score:1)
Obviously they wouldn't be able to get your email address, but take the situation where while surfing you're given a non-unique cookie which contains a unique number inside it (possibly from a banner ad on the page). In the usenet groups is a message which contains the hidden gif that requests the contents of this cookie. Your unique number goes back to the company, the company matches that up with their database, and voila, instant profile of not only your web-browsing habits, your e-mail address, but your newsgroup access as well.
Kwil
Filter out HTML tags in incoming mail? (Score:1)
On a side note, I've had great luck using grep to filter out cookies after Netscape exits. (Needed for people that refuse to use a proxy like Junkbuster.)
Here's my (quick and dirty) cookie filter;
mv cookies cookies.old
cat cookies.old | grep -v doubleclick.com > cookies
It's easy to add on new sites, but I'm looking into using the Junkbuster lists to perform the same tasks.
The same basic script could be used to strip out all lines with HTML pointing to a banner add - even if no other HTML is removed.
Re:HTML Email (Score:1)
Easy solution (Score:1)
Who needs bold when you have CAPS?
Who needs italics when you have
Who needs underline when you have _underscore_?
Personally, if I get HTML formatted email from someone I don't know I trash it immediately. If someone is dumb enough to use that garbage for email then I wont read it.
My email client of choice is Mailsmith [barebones.com] (sorry, Mac only). It is the most comprehensive client I have found... and it doesn't have any bloat on it like HTML email (THANK GOODNESS). It also lets you do queries (grep if you want to) of your email database. Also has other cool things like text manipulation, assignable key commands, and full AppleScript integration that other mail clients don't have. All this, and Bare Bones Software has the best customer support in the world.
Beats the hell out of Microsoft Outlook Express that most of my friends use. Blech!
Too bad Apple killed Claris Emailer, it was kinda cool too.
Pine is still my favorite command-line email program. No need to worry about HTML email with that one either
Ben
Re:More than one cookie file? (Score:2)
Basically, you just need to create a .cookies.allow file in your home directory containing the names of hosts (e.g. slashdot.org) for which cookies are ok. Cookies from anywhere else get deleted each time the program is run. Makes it nice and easy to automate, since you don't have to go in and manually delete nasty cookies.
If you have any questions about setting it up, email me.
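Added example, not code from either poster: a filter for the Netscape cookies file that does what the two posts above describe, either keeping only cookies from an allow-list of hosts (the .cookies.allow idea in this post) or dropping cookies from a deny-list (the grep -v doubleclick.com one-liner earlier in the thread). Format assumption: the Netscape cookies.txt layout of one cookie per line with seven tab-separated fields (domain, domain flag, path, secure, expires, name, value), with '#' comment lines. The sample file contents are constructed.

```python
"""
cookies.txt filter: allow-list or deny-list by host, matching subdomains.
(Added example; file contents below are constructed, not a real cookie jar.)
"""

# Constructed sample in Netscape cookies.txt layout (assumed format, see lead-in).
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File",
    "# This is a generated file!  Do not edit.",
    "",
    ".slashdot.org\tTRUE\t/\tFALSE\t946684800\tuser\t12345",
    "www.slashdot.org\tFALSE\t/\tFALSE\t946684800\tlogin\tabc",
    ".doubleclick.net\tTRUE\t/\tFALSE\t1893456000\tid\tc643640a",
    "ads.doubleclick.net\tFALSE\t/\tFALSE\t1893456000\ttest_cookie\tCheckForPermission",
    "www.mybannerads.com\tFALSE\t/\tFALSE\t1893456000\tid\tc643640a",
    "",
])


def cookie_domain(line):
    """Domain field of a cookie line, lower-cased and without the leading dot.
    Returns None for comments, blank lines and lines that are not 7 fields
    (those are passed through untouched rather than guessed at)."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) != 7:
        return None
    return fields[0].lstrip(".").lower()


def host_matches(domain, hosts):
    """True if domain is one of hosts or a subdomain of one:
    'slashdot.org' and 'www.slashdot.org' both match 'slashdot.org',
    but 'notslashdot.org' does not."""
    return any(domain == h or domain.endswith("." + h) for h in hosts)


def filter_cookies(text, hosts, keep_matching=True):
    """Filter the body of a cookies.txt file.

    keep_matching=True  : allow-list, keep only cookies from hosts (.cookies.allow)
    keep_matching=False : deny-list, drop cookies from hosts (grep -v doubleclick.com)

    Comment and blank lines are kept. Returns (new_text, removed_domains)."""
    hosts = [h.strip().lstrip(".").lower() for h in hosts if h.strip()]
    kept, removed = [], []
    for line in text.split("\n"):
        domain = cookie_domain(line)
        if domain is None:
            kept.append(line)
            continue
        if host_matches(domain, hosts) == keep_matching:
            kept.append(line)
        else:
            removed.append(domain)
    return "\n".join(kept), removed


def rewrite_cookie_file(path, allow_path):
    """Apply the allow-list in allow_path (one host per line) to the cookie file
    at path, in place. Run this after the browser has exited, as the poster
    above does, since the browser rewrites the file itself on the way out."""
    with open(allow_path) as f:
        hosts = f.read().splitlines()
    with open(path) as f:
        new_text, removed = filter_cookies(f.read(), hosts)
    with open(path, "w") as f:
        f.write(new_text)
    return removed
```

Suffix matching on the host is what makes the allow-list usable: a site's login cookie is usually set for ".slashdot.org" or "www.slashdot.org", and either should survive a list that just says slashdot.org, while a deny-list entry for doubleclick.net also catches ads.doubleclick.net.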
The underlying problem... (Score:2)
... is that email was designed with plaintext in view. If you want HTML, please go to a Website. Email has never been designed to be some lame, contorted "sub-Website" that runs on HTML!!!! The problem is that people have this bells-and-whistles mentality: "Oh, it will be so cool if my email has HTML formatting! Oh, it will be so cool if my email can contain inline images! Oh it will be so cool if my email can contain JavaScript animations! Oh it will be so cool if my email can run cool programs on my computer automagically! Oh it will be so NOT cool when my email can format my hard drive!"
Email with HTML is just disgusting. Especially the way it's currently done by the lame mailers that allow it: a plaintext version in the body of the email, plus an *attachment* with the HTML-ized version of the plaintext. Or worse with this annoying featurism trend, you have MS-TNEF attachments containing who knows what. I mean, WTF?!?! Talk about bloat. No wonder network bandwidth is always so congested. What's the f***ing problem with plaintext email anyways?!
Those people who really want this kind of sick featurism should seriously consider designing a NEW protocol, NOT EMAIL, that transports this kind of crap. And I think I know what that is, too. Automatically send a ZIP file containing HTML, GIFs, JavaScript, the whole ball of crap, and the User Agent on the other end automatically decompress the ZIP, run the browser to view it.
Alright, enough of this rant. But I just can't emphasize enough that featurism always leads to crappy implementations which in turn introduce all kinds of problems, like security holes, because the original protocol was never designed to support these kinds of "features".
Re:Well, not something too surprising. (Score:2)
Re:HTML, not HTTP (Score:2)
Cookies may only be sent to the machine that created them, and even then only when a client initiates a connection with that machine. The problem is that loading one HTML page usually involves a number of http connections, which may or may not all be going to the same machine, and which the user (usually) has no control over. (That's why, for example, most users involuntarily visit ads.doubleclick.net several times a day.)
So the solution to most of these problems is to allow the browser to accept cookies only from the site that the user is actually visiting, or the "page". A few browsers have had a setting that did just that... I think the Mac version of IE 3.0 did, for example. But it's not around much anymore, which is a shame. (Although in recent versions of IE, you can always manually put suspicious sites in your "Restricted" list, and set the browser to refuse cookies from those sites.)
Re:No, I don't (Score:2)
Re:Well, not something too surprising. (Score:1)
-Chompster
Unexpected Kernel Trap at 101010
Don't Panic!
HTML Mail (Score:1)
---
pb Reply or e-mail rather than vaguely moderate [152.7.41.11].
Accessible cookie info would be the best solution (Score:2)
But, if this worked, I could allow cookies to be initially accepted, which is far more convenient than clicking on half a dozen yes/no boxes every time I want to log in to a web site. Since I'd be able to see when cookies appear and where they originate from, I could also catch the troublemakers as they appear and just delete them on the spot.
Would it be possible to write a program to do this (Windoze or Linux)? I know that the cookie file, despite the warning that it shouldn't be edited, is a pretty simple text file with one line per cookie, and it's not too hard to sift out some obvious offenders after you're done browsing. I don't suppose it's that easy to modify cookies while you're actually browsing stuff though. Having notice of this info while browsing would be far more convenient though, and would save you the trouble of figuring out where a cookie came from that just has an IP address for its origin. (Not that that's terribly difficult, but its just a bit more of a bother.) If a web browser could be made with this feature built-in, it shouldn't be a problem at all to code and I would be eternally grateful (hint hint Mozilla!).
Re:Rejecting cookies automatically (Score:1)
Better yet:
Open the cookie file in BBEdit, delete all cookies except for those from sites that you trust which store auto-login info in a cookie.
Save and lock the file.
Turn off images. (Score:1)
Re:HTML Email (Score:1)
Cookie Blocker and Cookie editor (Score:1)
I also edit my cookies file every so often, and delete all those nasty banner cookies.
Re:Question: Usenet as well? (Score:1)
Since a large fraction of the spam on Usenet is porn anyway, having visible pictures doesn't surprise people.
Re:Okay, this could suck, but I'm not worrying (Score:1)
-------------------------------
Use SillyMailService(tm)!
http://www.sillymail.com/
Which would look very odd to most people, and not effectively track anybody. And I hope there is no service called SillyMail.
Re:Okay, this could suck, but I'm not worrying (Score:1)
-------------------------------
Use SillyMailService(tm)!
http://www.sillymail.com/
<IMG SRC="http://www.sillymail.com/trackme.cgi?jrl@sit
Which would look very odd to most people, and not effectively track anybody. And I hope there is no service called SillyMail. [Sorry, /. converted my < into an &lt; on preview then removed it on submit the first time.]
Re:HTML Email (Score:1)
It doesn't matter (Score:2)
Check this scenario:
So now, any time (unless you clean your cookies or whatever) that you visit me.com you will send a cookie to my server and my server will know that you are you@you.com
See... I don't know why this is a big deal. It is actually pretty easy to implement.
Newsflash: (Score:2)
This cookies thing is just a drop in the bucket. If you still use HTML enabled email, you're asking for someone to drop you a bomb. If you really like a Microsoft mail client and you want to continue to be able to see HTML mail, make sure you put it in restricted zone! (it's in options) This won't totally protect you, unless you have "Internet Zone" security as high as it goes, because all it takes is for someone to drop an iframe in the email source (yes it's totally possible), and that iframe is a pointer to a page that whams you.
Re:Yes... (Score:3)
Go to freshmeat [freshmeat.net] and type in 'junkbuster'. :)
It's a personal filtering proxy that has the primary focus of replacing ad banners with a clear 1 square pixel gif image... it, however, has the added bonus of replacing your browser ID tag with something you specify (ie, you're a large corporation that has microsoft users inside, but externally, it looks like everyone is running netscape- great for image) as well as blocking cookies entirely from anyone you don't trust. Very cool software.
It has a windows port, a linux/unix port, and a MacOS port, and, if you just want to try it out, I believe there is a trial proxy server that you just specify in your netscape prefs.... last I checked it was purposely speed limited so that you would just install your own.
Best of all, it's free.
What's the big deal? Use pine! (Score:1)
Or, if you're a serious masochist, you can even use Emacs to read your email
Re:Yes... (Score:1)
I publicized the problem over _two years ago_ (Score:1)
Here is a mainstream press article on it from then - http://www.idg.net/crd_sites_9-46489.html [idg.net].
At the time both NS and MS said they would fix it. I guess they didn't...
Benjamin Franz
Re:Yes... (Score:1)
Alex Bischoff
---
Privacy, not security (Score:3)
People being able to acquire personal information and monitor your browsing habits without you knowing it doesn't increase the risk of them stealing your important files or sabotaging your network, it simply allows companies to violate Your Rights Online.
Re:The underlying problem... (Score:1)
Alternatively, is there any way to connect Eudora to an "e-mail proxy" to get the same functionality?
Alex Bischoff
---
Counter-spam anyone? (Score:2)
On finding one, it should issue somewhere more than ten GETs (a hundred or more would be nice if you've got the bandwidth, we're talking about HTTP GETs here, not mailings) to that site, each time with a different cookie value, none of them the one that was sent.
If enough of us do this, the pool should be poisoned nicely. When they get wise to it, we'll have to advance to cronning the additional GETs.
We might also add it into a signature-file generator for any outgoing HTML mail, especially replies.
Maybe we can't help tying a ribbon around the tree with the pot of gold at the bottom of it, but we can tie a ribbon to every other tree as well.
Re:HTML, not HTTP - what about images? (Score:1)
Yes, it's fairly innocent, and cookies have been given a bad rap...
The issue at hand is:
1) I can send out tons of spam that uses this 'feature' to place a cookie on everyone's machine. I can also ensure that this 'cookie' contains their email address, because I *know* their email address.
2) Now, whenever this person visits my site, it sends me their email address.
It's an underhanded way of making sure that you *do* get the email addresses of visitors to your site. Yes, you could say you already have them.. but now you know when that particular person visits your site, and it's that much easier to track them down.
As for saying that HTML can generate HTTP hits.. no.. that is patently false.
HTML specifies the markup language, not the mechanism used to fetch objects. What the previous post said was that you can have HTML without HTTP, and he's entirely correct. What about pages that are on your HD? They don't use *any* http to mark up a page with lots of graphics...
So what he's saying is that the security model of the html renderer for the mua should not permit access to HTTP facilities. IF there are embedded images, they should be contained as attachments, and referenced as such.
Re:The underlying problem... (Score:1)
Re:More than one cookie file? (Score:1)
Each cookie is a line, starting with the domain. I edit it occasionally and delete entire lines. Works great for me.
As for disabling cookies (not just removing them occasionally), the problem is that some pages require cookies to work, which is bad design in my opinion. In most cases. Sometimes you need cookies; eg. slashdot.
Re:Accessible cookie info would be the best soluti (Score:2)
Re:Accessible cookie info would be the best soluti (Score:1)
It kind of brings up an interesting idea though. Banner adverts fund sites right? So what if ISPs, perhaps an especially "popular" one like AOL decided to start intercepting the requests for the banner ads and substituted their own? (Apparently there are already "in-line" caches out there that are invisible to the client.) What would be the legal ramifications? Rich
Re:Easy solution (Score:1)
Personally I find HTML email to be stupid for the most part, but part of the problem is how heavily the HTML clients try to push you to use it, just like with proprietary tags in browsers. They know the more HTML crap you get in the mail, the more you'll feel you're missing something by not using their stupid client. Most people who send HTML mail don't even realize they're doing it. And a lot don't realize that not everyone sees it the way they do. The biggest annoyance for me is when I'm just reading my mail in mailx (I don't do it that often anymore, just when I'm in a hurry or not near my mail client- IMAP is nice enough to keep my mail still readable in the shell) and there's all that HTML crap sitting there in the message. Sadly, I get a lot of legit HTML mail from people commenting on my websites (and the people at work who don't know better) so I can't just delete it all.
Seems to me the best way to support HTML in mail is not to support the whole darn thing (after all, this is mail, not a browser) but to support an appropriate XML language which is a subset of it which is useful for mail, and possibly use some special tags which could be special for mail (for followups, quoting and stuff). Actually I remember seeing a proposal about this on the W3C site, but I can't recall the name or find it on their site now.
Seems like this problem could be a danger in any mail client which stores browser cookies, and probably would not require Javascript (wouldn't loading an ad image on a page get that cookie there as well?)
Q: are such img tags caught by spam filters? (Score:1)
Yeah, way too late. (Score:1)
This reporting and investigating things that have already occurred really doesn't suit the information age. What possible benefit is there to bringing up current abuses and malfeasance? There is far too much malfeasance yet to come that we need to hastily and fretfully anticipate!
email must be read in browser that you surf with? (Score:1)
It's not just that an email client can parse html that will result in a future website visit revealing cookie info sent via email, but the browser I'm surfing with has to be the same browser I read the email with? So my browser shouldn't know what Eudora (which does not launch a browser but just *parses* the email) knows.
Deja is tracking email (Score:2)
Deja is basically tracking your creation of an email response to an article on their site.
According to the article:
"Deja News could also record -- and log -- the use of the link, the IP address of the sender, and the addressee's email [address]."
The ACLU has some rather pithy comments on Deja's practices in this area, including the possibility that Deja is in violation of the Electronics Communications Privacy Act by intercepting these transactions.
Not to worry though, Deja is a member of TrustE.
/. is running behind time .. (Score:2)
Do you remember the discussion about the CEO of Novell and his apparently stolen credit card numbers?? Well I had posted this story as reply number 37 [slashdot.org]. Furthermore an AC had actually replied with the same link as used in this story. No moderator seems to have found it fit to give any extra points. But now, a whole new discussion with 90 replies seems to have started.
Hm.. A failure of
We need a REJECT button. (Score:2)
I think it would be a BITCHIN spam killer...
Cobratek
Re:/. is running behind time .. (Score:1)
Get Freedom (Score:2)
product is not out yet, it's in beta testing stage. It supports you having multiple anonymous pseudonyms, works at the IP layer (I think) and filters all identifying information that it can find from your packets and ties them in with the pseudonym you select. Cookies go into separate cookie jars for each pseudonym. Quite cool.
I have a beta evaluation copy: haven't used it too much, though it does slow down surfing a bit over a 56K modem connection.
Yumpee
Nothing is free (Score:1)
I have Eudora as my mail client and so far have not had a cookie problem. If you are concerned about this problem, get an e-mail client other than Outlook. Problem is that you will have to spend money. This will not work with your free e-mail services like Hotmail or Yahoo and their kind.
You get what you pays for!
Re:Yes... (Score:1)
For example, several months ago TurboTax sent email announcing their newest update. The email included HTML which told TurboTax when you read the mail [tbtf.com]. It was just a retrieval of an image with a certain code to identify who they sent the mail to.
Re:More than one cookie file? (Score:1)
Actually, you can do this with IE5. Which is not an implicit endorsement of the product, but it IS a nice feature. (Of course, Lynx also has this feature).
Re:CookiePal (Score:1)
Sounds like this is probably the best option possible, until a web browser actually offers the features I described built-in. I'll have to actually drop hints to the Mozilla team. ;)
Re:HTML, not HTTP (Score:2)
Netscape on Windows has an option in the same place called "Only accept cookies that are sent to originating server" -- I don't know if this means don't accept
On Linux, using netscape, I haven't seen a cookie from doubleclick in over a year (I prune my cookie file regularly as well)
Safe enough? (Score:1)
Re:How do I solve the REAL problem though? (Score:1)
Depending on how your admin has things set up, you might be able to point an IMAP client against your Exchange server.
Yet another reason to use pine (Score:1)
Re:It doesn't matter (Score:1)
So.. now, without *asking* you for your email information, they have caused your browser to inform them of your email address every time you visit a site with a doubleclick ad.
Now, you say, they already had your email address.. yes, that is true. But they did *not* have a way to tie it into who was visiting what site when...
Misunderstanding (Score:1)
Re:Deja is tracking email (Score:1)
Can anyone suggest an alternative engine for usenet searches?
Re:Get Freedom (Score:1)
Re:HTML Email (Score:1)
Moral: MS users - make sure to customize your security settings.
--
Proves the Address is Valid (Score:3)
No longer will they have to rely on people following their "unsubscribe" instructions; merely reading the email will be enough to confirm that there is someone/something on the other end of the address they bought/harvested. They can then add the address to their list of confirmed active accounts - a pretty valuable thing to have, especially if you're in the business of selling addresses...
Tim
Re:HTML, not HTTP (Score:2)
But, in the thirty seconds it took me to read your message I thought of another way to do it that would catch a lot of people.
Include an image in the page, the URL of which contains a different ID for each person the email was sent to, but which returns the same picture.
The website records IPs and then if it gets a cookie set by one of the banner sites in some period of time it assumes it's the same person.
My solution would be that email have to include all the secondary files (images, etc) as attachments and load the local copies. So, unless the user clicks on a link (which would be passed to the webbrowser window) nothing external needs to be loaded.
I'd also recommend to anyone writing a browser that they not let any plugins load from a page received in email without the user clicking a link.
Not loading cookies from anywhere except the domain in the location bar seems to be a good idea. (Otherwise all it takes even with a 'only load cookies from the open page' setting would be to open an invisible frame and load something in it.
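Added example, not code from any poster: a toy model of the three cookie policies this thread keeps circling (send to any matching host; "only load cookies from the open page"; only the domain in the location bar), run over the scenarios from the earlier "HTML, not HTTP" reply and this one, including the invisible-frame loophole. Assumptions: the registrable domain is approximated as the last two DNS labels (real browsers use a public suffix list), cookie domains match by host equality or dot-suffix, and every URL and host below is made up.

```python
"""
Which cookie policy stops the e-mail/beacon leak and the framed-tracker trick?
(Added example; policies are simplified models, URLs are constructed.)
"""
from urllib.parse import urlsplit

# Assumed tracker cookie domain for the scenarios.
TRACKER_COOKIE_DOMAIN = ".mybannerads.com"


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Fine for .com/.org/.net examples;
    a real browser would consult the public suffix list (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_in_domain(host, cookie_domain):
    """Cookie domain match: exact host, or host is a subdomain of the cookie domain."""
    host = host.lower()
    d = cookie_domain.lower().lstrip(".")
    return host == d or host.endswith("." + d)


def policy_any(top_url, doc_url, req_url, cookie_domain):
    """Send the cookie to any matching host, whoever embedded the request.
    This is the behaviour the thread complains about: a shared cookie jar
    means the mail reader's image fetch carries the browser's cookie."""
    return host_in_domain(urlsplit(req_url).hostname, cookie_domain)


def policy_document(top_url, doc_url, req_url, cookie_domain):
    """'Only load cookies from the open page', where the page is whatever
    document issued the request. An <iframe> is its own document, so a tracker
    framed into a page is judged against its own URL and still gets its cookie."""
    req_host = urlsplit(req_url).hostname
    doc_host = urlsplit(doc_url).hostname if doc_url else None
    return (doc_host is not None
            and registrable_domain(doc_host) == registrable_domain(req_host)
            and host_in_domain(req_host, cookie_domain))


def policy_location_bar(top_url, doc_url, req_url, cookie_domain):
    """Judge every sub-request, framed or not, against the top-level URL in the
    location bar. An HTML mail body has no location-bar URL, so nothing is sent."""
    req_host = urlsplit(req_url).hostname
    top_host = urlsplit(top_url).hostname if top_url else None
    return (top_host is not None
            and registrable_domain(top_host) == registrable_domain(req_host)
            and host_in_domain(req_host, cookie_domain))


# Constructed scenarios: name -> (top-level URL, document issuing the request, request URL).
# None means "no browsing context", i.e. the request came from the mail reader.
SCENARIOS = {
    "banner img on news site": (
        "http://news.example.com/story",
        "http://news.example.com/story",
        "http://www.mybannerads.com/ad.gif",
    ),
    "tracker inside invisible iframe": (
        "http://news.example.com/story",
        "http://www.mybannerads.com/frame.html",
        "http://www.mybannerads.com/sync.gif",
    ),
    "sync.gif in HTML mail": (
        None,
        None,
        "http://www.mybannerads.com/sync.gif?email=x",
    ),
    "visiting the tracker directly": (
        "http://www.mybannerads.com/",
        "http://www.mybannerads.com/",
        "http://www.mybannerads.com/sync.gif",
    ),
}


def evaluate(policy):
    """Map each scenario to whether the tracker's cookie would be sent under policy."""
    return {name: policy(top, doc, req, TRACKER_COOKIE_DOMAIN)
            for name, (top, doc, req) in SCENARIOS.items()}
```

Run evaluate() over the three policies and only the location-bar rule refuses both the framed tracker and the mail-body beacon while still sending the cookie when you actually visit the tracker's own site; the per-document rule closes the mail case but is reopened by the frame, which is exactly the caveat in the post above.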
A special place in hell... (Score:2)
"There is a special place in hell reserved for people who use html email."
(Sorry, I can't remember who it was, but I believe it was a
My sentiment exactly. I read everything in a shell with pine. Ain't no cookies going anywhere there... unless I missed something? Of course thats the personal mail. At work, I'm forced to use Outlook, but I am behind a firewall.
Email is text... and maybe attached files. If you want to imply bold, * * it.
No damn font changes, inline pics, none of that crap, that's why it's 7 bit.
The purpose of email is to convey information. Text does that just fine for me. If you send me html formatted messages, pine can't read them, I'm not going to go to the trouble to save and view them, and you have failed to convey your message... so sorry. Now I find out that it's a nice security benefit as well. I always knew I was on the right track.
It's sorta like web pages that are all filled up with Java and the like, I can't see them in lynx, so I can't get your content. Again, sorry, but you have lost a visitor.
Russ
Re:Rejecting cookies automatically (Score:2)
--
Re:Okay, this could suck, but I'm not worrying (Score:1)
No. Don't embed the invisible GIF itself, but rather an IMG tag that points to an invisible GIF hosted somewhere on the Net. Tack on extra tracking information to the GIF's URL if desired, which later can be parsed on the server side.
Embedding the GIF itself in the e-mail message wouldn't do anything useful.
Re:Possible solution (Score:2)
I thought everyone had equal chance of getting their stories posted. Am I mistaken ??
Alternatives to cookies? (Score:2)
What are the viable alternatives to cookies, at least for some applications? Are there any good web resources that discuss this kind of thing and offer means of avoiding cookie-based solutions?
Re:Possible solution (Score:2)
Important Security Probs Should Be on Weekdays (Score:2)
If you break a story on a major security hole that most people don't know about on a weekend, most people are still not going to know about it.
I realize that this is not your intent, but, keep in mind that this is one of the oldest tricks in the book at newspapers like the New York Times [nytimes.com]. When there's an unfavorable story about the Clinton Administration, quite often the Times waits until Saturday, when no one is reading the paper, to break it.
You got 150 posts on this topic, but, I suggest you would have gotten a lot more on Monday. More importantly, lots more people would have assessed their exposure to the potential risks.
--
Dave Aiello
Re:It doesn't matter (Score:2)
>email address. If it checks your email, the hole
>is there.
It would need to know the email in some way to retrieve it, wouldn't it?
>I send HTML email to you@you.com with an image at
>the URL http://me.com/emailtrack/4321
Ack. I'm intolerant of mime, let alone HTML. you send me HTML, I tell you to go away. And I certainly wouldn't use a client that would automatically open something . . .
>My server says "oh,
>you@you.com so now I'll put a cookie on that
>machine that relates to you@you.com
mmm, cookies. Junkbuster is hungry. There are exactly three sites allowed to set cookies . . .
Re:HTML, not HTTP - what about images? (Score:2)
As far as I'm concerned, access to HTTP services from within an e-mail message should be a settable option. If you need access to images in an e-mail, attach them like normal file attachments and reference them with <a href="file://attachment1.gif">. If HTTP must be used, put each e-mail message in its own "sand box" so that state information (such as a cookie) is never shared between e-mail messages or between e-mail messages and web sites as browsed through a typical browser.