As a follow-up to Monday’s post, “Is Your Email Client Leaking Sensitive Information?,” I reached out to the developer of EmailPrivacyTester.com for some quick Q&A about his site. The developer, Mike Cardwell, was kind enough to take part and provided very thoughtful answers to some questions I thought many of us would probably have. Some of the highlights for me were confirmation that the iOS email client triggers many of these checks by default, the testing of DNS prefetches to discover your DNS settings, the existence of a few XSS techniques to check up on web-based clients, and of course the fact that the source is available for all to see and contribute to.
And without further ado, here’s the Q&A session…
Why did you create this email privacy testing service?
It has been common and accepted practice for a while now for organizations to add tracking images to their mailshots. Using this technique, they can tell when you read an email, what your IP address is when you read it, and sometimes, even the client you’re using. Now, I’m not particularly fond of this practice, and I’m not sure why it doesn’t get more attention. It’s nobody else’s business when I read my email, where I read it from, and how I read it. I don’t think most people realize that when they read an email with remote images enabled, this happens. For this reason, I’m glad that email clients in general at least have the option of turning remote content off. Most sane clients even default to this configuration (not the iOS email client). I wrote the Email Privacy Tester because I wanted to make sure that email applications are actually implementing this option properly. As it turns out, many weren’t and many still aren’t.
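As an added example (not part of the original post or of EmailPrivacyTester’s own code), here is a stdlib-only Python scanner that lists the remote resources an HTML mail would fetch if remote content were enabled: the tracking image, DNS-prefetch hint and CSS background cases the interview touches on. The message and the tracker host are constructed samples.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

URL_ATTRS = {"src", "href", "background", "poster"}   # attributes a client fetches
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(https?://[^'\")\s]+)", re.I)

class RemoteContentScanner(HTMLParser):
    # Collects (kind, url) for every remote http(s) resource the HTML references.
    def __init__(self):
        super().__init__()
        self.hits, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        # Label <link> hits by rel so dns-prefetch hints stand out from stylesheets.
        kind = "link:" + attrs.get("rel", "").lower() if tag == "link" else tag
        for name, value in attrs.items():
            if name in URL_ATTRS and value and value.lower().startswith(("http://", "https://")):
                self.hits.append((kind, value))   # cid:/data: images are local and skipped
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:   # url(...) inside a <style> block is fetched too
            self.hits.extend(("css", u) for u in CSS_URL.findall(data))

def scan_message(raw):
    # Parse an RFC 822 message and scan its HTML part (empty list if there is none).
    msg = message_from_string(raw, policy=default)
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return []
    scanner = RemoteContentScanner()
    scanner.feed(html.get_content())
    return scanner.hits

# Constructed sample mailshot: a 1x1 tracking pixel, a DNS-prefetch hint and a
# CSS background image, plus a harmless inline (cid:) logo. Hosts are fictional.
SAMPLE = """\
From: news@example.invalid
Subject: constructed test mailshot
Content-Type: text/html; charset="utf-8"

<html><head><link rel="dns-prefetch" href="https://tracker.example.invalid">
<style>body { background: url("https://tracker.example.invalid/bg.png"); }</style>
</head><body><p>Hello</p><img src="cid:logo@example.invalid" alt="logo">
<img src="https://tracker.example.invalid/open?id=42" width="1" height="1"></body></html>
"""
```

Running `scan_message(SAMPLE)` returns the three remote fetches and ignores the cid: image, which is the same distinction a client’s “block remote content” setting has to get right.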
What are and how many techniques do you test? Any plans for other testing techniques?
Somebody contacted me just yesterday about another test that I could add. Apparently numerous clients which use the Microsoft CryptoAPI like Outlook and Live Mail are affected. If an email is S/MIME signed and the certificate used for signing uses something called the “authorityInfoAccess” extension with the “caIssuers” option, those clients automatically fetch whatever URL you embed in that location in the certificate. I hope to implement this test soon, when I’ve figured out the appropriate openssl commands. I am always on the lookout for similar tests.
What are your future plans with this service?
Adding more tests. In the past couple of years, an earlier revision of this app discovered flaws in Thunderbird v3, Outlook, Outlook Web Access, Apple’s Mail.app, the iOS email client, the Android IMAP client, K-9 Mail for Android, IMP, Roundcube, Hotmail, OpenWebMail, Sparrow Mail, Entourage and Mailinator. Some of these still exist, but most have now been closed. I’m sure there are many other flaws in many other email and webmail apps. There are loads of clients that I simply haven’t tested yet. That’s why I made the application generally available. I need other people to test their own email clients for me.
Is there any way people could help you out if they find your service valuable?
The main thing you can do to help me is this: If the Email Privacy Tester detects a flaw in your client, please don’t just keep it to yourself. Submit bug reports to whoever develops your app. It’s the only way these holes will be filled. Please publicize them as well on Twitter, Facebook, your blog, wherever you can. I’d also really appreciate people emailing suggestions for new tests to me. The full source code is available on Github, licensed under the GPL; patches are welcome.
I’d again like to thank Mike for taking the time to answer these questions. You can find out more information about this service by heading over to EmailPrivacyTester.com.
Do you know of any other cool privacy services out there? Let us know in the comments below. Today’s post pic is from Cyber-Space-War.blogspot.com. See ya!