EmailPrivacyTester.com Q&A

Picture of Two Overlapping Web Email ClientsAs a follow-up to Monday’s post, “Is Your Email Client Leaking Sensitive Information?,” I reached out to the developer of EmailPrivacyTester.com for some quick Q&A about his  site. The developer, Mike Cardwell, was kind enough to take part and provided very thoughtful answers to some questions I thought many of us would probably have. Some of the highlights for me were confirmation that the iOS email client triggers many of these checks by default, the testing of DNS prefetches to discover your DNS settings, the existence of a few XSS techniques to checkup on web-based clients, and of course the fact that the source is available for all to see and contribute to.

And without further ado, here’s the Q&A session…

Why did you create this email privacy testing service?

It has been common and accepted practice for a while now for organizations to add tracking images to their mailshots. Using this technique, they can tell when you read an email, what your IP address is when you read it, and sometimes, even the client you’re using. Now, I’m not particularly fond of this practice, and I’m not sure why it doesn’t get more attention. It’s nobody else’s business when I read my email, where I read it from, and how I read it. I don’t think most people realize that when they read an email with remote images enabled, this happens. For this reason, I’m glad that email clients in general at least have the option of turning remote content off. Most sane clients even default to this configuration (not the iOS email client). I wrote the Email Privacy Tester because I wanted to make sure that email applications are actually implementing this option properly. As it turns out, many weren’t and many still aren’t.

What are and how many techniques do you test? Any plans for other testing techniques?

There are currently thirty eight different tests. The email that the system sends contains HTML. That HTML attempts to embed remote content in as many different ways that I can come up with. You have the basic “img” tag, but it also tests iframes, the video and audio tags, java applets, flash objects, javascript and various other HTML tags and CSS styles. The email also has a CSS and SVG attachment that both embed remote content and those attachments are themselves embedded into the HTML. I also test for when clients perform DNS prefetches on links in the HTML. This doesn’t give me the readers IP address, but it does give me the IP addresses of the DNS servers they’re using, which is still very useful information. I also check for read receipts. Some email clients and servers send an email back to the sender when you read a message, if the sender requested it. Sometimes they even do it completely transparently without asking your permission. The email also contains a couple of automated XSS attacks which simply pop up an alert when they work. I know the XSS tests have worked on at least one webmail service.

Somebody contacted me just yesterday about another test that I could add. Apparently numerous clients which use the Microsoft CryptoAPI like Outlook and Live Mail are affected. If an email is S/MIME signed and the certificate used for signing uses something called the “authorityInfoAccess” extension with the “caIssuers” option, those clients automatically fetch whatever URL you embed in that location in the certificate. I hope to implement this test soon, when I’ve figured out the appropriate openssl commands. I am always on the look out for similar tests.

What are your future plans with this service?

Adding more tests. In the past couple of years, an earlier revision of this app discovered flaws in Thunderbird v3, Outlook, Outlook Web Access, Apples Mail.app, the iOS email client, the Android IMAP client, K-9 Mail for Android, IMP, Roundcube, Hotmail, OpenWebMail, Sparrow Mail, Entourage and Mailinator. Some of these still exist, but most have now been closed. I’m sure there are many other flaws in many other email and webmail apps. There are loads of clients that I simply haven’t tested yet. That’s why I made the application generally available. I need other people to test their own email clients for me.

Is there anyway people could help you out if they find your service valuable?

The main thing you can do to help me is this: If the Email Privacy Tester detects a flaw in your client, please don’t just keep it to yourself. Submit bug reports to whoever develops your app. It’s the only way these holes will be filled. Please publicize them as well on Twitter, Facebook, your blog, wherever you can. I’d also really appreciate people emailing suggestions for new tests to me. The full source code is available on Github, licensed under the GPL; patches are welcome.

I’d again like to thank Mike for taking the time to answer these questions. You can find out more information about this service by heading over to EmailPrivacyTester.com.

#####

Do you know of any other cool privacy services out there? Let us know in the comments below. Today’s post pic is from Cyber-Space-War.blogspot.com. See ya!

6 comments for “EmailPrivacyTester.com Q&A

  1. May 9, 2012 at 10:03 am

    Follow-up Q&A post with the developer of EmailPrivacyTestercom. http://t.co/hmCJ7hq8

  2. May 9, 2012 at 3:47 pm

    BLOGGED: EmailPrivacyTestercom Q&A http://t.co/hmCJ7hq8 //In case you missed.

  3. May 9, 2012 at 3:47 pm

    BLOGGED: EmailPrivacyTestercom Q&A http://t.co/UvgXgNHy //In case you missed.

  4. May 9, 2012 at 10:59 pm

    EmailPrivacyTestercom Q&A http://t.co/hmCJ7hq8 //In case you missed.

  5. May 9, 2012 at 10:59 pm

    EmailPrivacyTestercom Q&A http://t.co/UvgXgNHy //In case you missed.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.