[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
(crosspost) [IWAR] ANONYMITY HTML risk (fwd)
---------- Forwarded message ----------
>>From: <[email protected]>
---------- Forwarded message ----------
>From: 7Pillars Partners <[email protected]>
To: g2i list <[email protected]>, IWAR list <[email protected]>
Date: Thu, 26 Feb 1998 09:30:06 -0800 (PST)
Reply-To: [email protected]
Subject: [IWAR] ANONYMITY HTML risk
Two points: military personal should be particularly aware of this problem, and
users with needs for anonymity should be certain to check out the options
provided by the Anonymizer. --MW
Is Web-Based Mail Bad for Your Anonymity?
by Steve Silberman
5:03am 26.Feb.98.PST
It's the kind of scare story, posted from an
anonymous address, that makes the rounds of
computer security mailing lists and newsgroups.
This time, however, the scenario was so simple as
to be highly plausible.
The post - made last week to the Cypherpunks
mailing list - began ominously: "I just had my
online pseudonym outed to my company's VP of
marketing, with potentially serious internecine
political consequences."
The author explained that, like many people, he
maintains two separate email addresses: a work
account, and an alternate account on a remote
server at the local college. For the latter, the
author employs a pseudonym. This, he says,
allows him to speak his mind about political views,
as well as his disdain for his employer's use of
unsolicited bulk emailings - spam - without fear of
reprisal.
The author's cover was blown, he said, the day he
used Netscape Mail on his workstation to fetch a
message mailed by his company to his account
on the college server.
So where was the leak?
Like more and more email programs, Netscape
Messenger - along with Outlook Express, Eudora
4.0 and many free Web-based mail services such
as Hotmail - offers users the ability to send and
receive not only text messages, but fully-rendered
Web pages, in all their graphical glory. If a user
has both Eudora 4.0 and Internet Explorer, for
instance, Eudora will borrow IE's HMTL-rendering
capabilities to display Web pages sent in mail
messages.
The mail targeted by the company to the author's
pseudonymous address was written in HTML, and
contained a standard image tag. When Netscape
opened the mail and rendered the page, the tag
sent a call to the company's Web server to fetch
the image, which left a tell-tale footprint - the IP
address of the author's machine - on his
employer's logs. Busted!
As software designers aim for a seamlessly
integrated desktop - with multiple email accounts,
the Web, and local file access all a click away -
the tools you select for everyday tasks are more
important than ever.
"This isn't really a mail security issue," observes
Eric S. Raymond, author of a remote mail-retrieval
utility called fetchmail. "Email security is
nonexistent anyway unless you use a strong
end-to-end encryption method like PGP, but that
wouldn't have helped here. The issue was an
unintended side effect of having an intelligent
agent read your mail and go off to the Web to get
a piece of information. If he'd been using a [text
mail] program like Elm or Pine or Mutt, he wouldn't
have gotten bitten."
Cryptography consultant Bruce Schneier, author of
E-Mail Security: How to Keep Your Electronic
Messages Private, points out that exchanging
text-only messages and exchanging HTML entail
different levels of information exchange between
sender and recipient.
"HTML is a robust protocol designed to make
things run smoothly, therefore it passes a lot of
information behind the scenes. That's why it's
useful," he says.
Reading Web pages with an HTML-enabled mail
program doesn't leave any more of a trail behind
you than surfing through a site - but it doesn't
leave any less of one, either.
You may not even know when you're on the Web
when you read your mail with a Web-enabled
program. Several online publications - including
Wired News - are available in email form, via
options such as Netscape In-Box Direct. The text
portion of the publication is sent to your in-box,
but images may be siphoned from a remote server
when you open the message. Clicking on links
may take you out on the Web while you still think
you're reading mail on your own hard drive.
For Simson Garfinkel, author of Web Security and
Commerce, the lessons to be gleaned from this
incident are not about text vs. HTML mail
software, but about workplace rights.
"This individual was using his computer at work,
and he thought that because he was reading
personal mail on another ISP, his computer was
not subject to his employer's scrutiny. Employees
have no rights to privacy in this country," Garfinkel
says. "If you want to maintain a digital
pseudonym, don't read your personal mail at
work."
Ken Williams
/--------------------------[ TATTOOMAN ]--------------------------\
| ORG: NC State Computer Science Dept VP of The E. H. A. P. Corp. |
| EML: [email protected] [email protected] |
| EML: [email protected] [email protected] |
| WWW: http://www4.ncsu.edu/~jkwilli2/ http://www.hackers.com/ehap/ |
| FTP: ftp://152.7.11.38/pub/personal/tattooman/ |
| W3B: http://152.7.11.38/~tattooman/w3board/ |
| PGP: finger [email protected] |
\----------------[ http://152.7.11.38/~tattooman/ ]----------------/