Package: neomutt
Version: 20201127+dfsg.1-1.2
Severity: normal
Tags: upstream
X-Debbugs-Cc: debbug.neom...@sideload.33mail.com

The “Date:” field is added after the user instructs neomutt to send their message, so there is no opportunity for the user to edit the timestamp of the message. Perhaps rightly so, for RFC-compliance. But the timestamp that mutt generates exposes the timezone of the author. It’s too much information. E.g. this reveals to the recipient and all mail servers en route that the sender is physically in the central Europe timezone:

  Date: Fri, 12 Aug 2022 13:21:24 +0200

This exposes the presence of senders in the eastern US timezone:

  Date: Fri, 12 Aug 2022 13:21:24 -0400

It would be surprising if Google or Microsoft did not exploit that information in some way.

For privacy, users need control over the format of that date. The RFC likely dictates the format, but the time should be expressed in UTC. And UTC should in fact be the *default* timezone as well. If a user really wants to reveal the timezone they are in for some reason (i.e. the status quo), perhaps there should be a new config parameter for that case. The parameter could be an enum that enables you to name a timezone, or perhaps it could be a simple boolean like “compose_timezone_local” or “compose_timezone_zulu”.

FWIW, it’s perhaps also worth mentioning that it might be useful to be able to dynamically select the timezone of the /recipient/, as a courtesy to them in cases where the recipient’s timezone is known by the sender. Of course that brings in a bit of complexity. But in any case, the current behavior is a security issue because confidentiality is compromised.

-- Package-specific info:
NeoMutt 20201127
Copyright (C) 1996-2020 Michael R. Elkins and others.
NeoMutt comes with ABSOLUTELY NO WARRANTY; for details type 'neomutt -vv'.
NeoMutt is free software, and you are welcome to redistribute it
under certain conditions; type 'neomutt -vv' for details.

System: Linux 5.10.0-16-amd64 (x86_64)
ncurses: ncurses 6.2.20201114 (compiled with 6.2.20201114)
libidn: 1.33 (compiled with 1.33)
GPGME: 1.14.0-unknown
GnuTLS: 3.7.1
libnotmuch: 5.3.0
storage: tokyocabinet

Configure options: --build=x86_64-linux-gnu --prefix=/usr {--includedir=${prefix}/include} {--mandir=${prefix}/share/man} {--infodir=${prefix}/share/info} --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules {--libdir=${prefix}/lib/x86_64-linux-gnu} {--libexecdir=${prefix}/lib/x86_64-linux-gnu} --disable-maintainer-mode --disable-dependency-tracking --mandir=/usr/share/man --libexecdir=/usr/libexec --with-mailpath=/var/mail --gpgme --lua --notmuch --with-ui --gnutls --gss --idn --mixmaster --sasl --tokyocabinet --sqlite --autocrypt

Compilation CFLAGS: -g -O2 -ffile-prefix-map=/build/neomutt-aFsTyZ/neomutt-20201127+dfsg.1=. -fstack-protector-strong -Wformat -Werror=format-security -std=c99 -D_ALL_SOURCE=1 -D_GNU_SOURCE=1 -D__EXTENSIONS__ -I/usr/include -I/usr/include/lua5.4 -DNCURSES_WIDECHAR -isystem /usr/include/mit-krb5

Default options: +attach_headers_color +compose_to_sender +compress +cond_date +debug +encrypt_to_self +forgotten_attachments +forwref +ifdef +imap +index_color +initials +limit_current_thread +multiple_fcc +nested_if +new_mail +nntp +pop +progress +quasi_delete +regcomp +reply_with_xorig +sensible_browser +sidebar +skip_quoted +smtp +status_color +timeout +tls_sni +trash

Compile options: +autocrypt +bkgdset +color +curs_set +fcntl -flock -fmemopen +futimens +getaddrinfo +gnutls +gpgme +gss +hcache -homespool +idn +inotify -locales_hack +lua +meta +mixmaster +nls +notmuch -openssl +pgp +regex +sasl +smime +sqlite +start_color +sun_attachment +typeahead

MAILPATH="/var/mail"
MIXMASTER="mixmaster"
PKGDATADIR="/usr/share/neomutt"
SENDMAIL="/usr/sbin/sendmail"
SYSCONFDIR="/etc"

To learn more about NeoMutt, visit: https://neomutt.org
If you find a bug in NeoMutt, please raise an issue at:
    https://github.com/neomutt/neomutt/issues
or send an email to: <neomutt-de...@neomutt.org>

-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-16-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages neomutt depends on:
ii  libc6             2.31-13+deb11u3
ii  libgnutls30       3.7.1-5+deb11u1
ii  libgpg-error0     1.38-2
ii  libgpgme11        1.14.0-1+b2
ii  libgssapi-krb5-2  1.18.3-6+deb11u1
ii  libidn11          1.33-3
ii  liblua5.4-0       5.4.2-2
ii  libncursesw6      6.2+20201114-2
ii  libnotmuch5       0.31.4-2
ii  libsasl2-2        2.1.27+dfsg-2.1+deb11u1
ii  libsqlite3-0      3.34.1-3
ii  libtinfo6         6.2+20201114-2
ii  libtokyocabinet9  1.4.48-13
ii  sensible-utils    0.0.14

Versions of packages neomutt recommends:
ii  libsasl2-modules  2.1.27+dfsg-2.1+deb11u1
ii  locales           2.31-13+deb11u3
ii  mime-support      3.66

Versions of packages neomutt suggests:
ii  aspell                          0.60.8-3
ii  ca-certificates                 20210119
ii  gnupg                           2.2.27-2+deb11u2
ii  ispell                          3.4.02-2
pn  mixmaster                       <none>
ii  openssl                         1.1.1n-0+deb11u3
ii  postfix [mail-transport-agent]  3.5.13-0+deb11u1
ii  urlview                         0.9-21+b1

Versions of packages neomutt is related to:
ii  neomutt  20201127+dfsg.1-1.2

-- no debconf information
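
Added example, not part of the original report and not NeoMutt code: a Python sketch of the UTC normalization the report asks for, applied to a finished message before it is handed to the mail transport. The function names and the sample message are constructed for illustration; only the standard library's email module is assumed.

```python
import email
from datetime import timezone
from email.utils import format_datetime, parsedate_to_datetime


def disclosed_offset(date_value):
    """Minutes east of UTC that a Date value reveals; None if unparseable or '-0000'."""
    try:
        dt = parsedate_to_datetime(date_value)
    except (TypeError, ValueError):
        return None
    off = dt.utcoffset()  # None when the header used the '-0000' (no zone claim) form
    return None if off is None else int(off.total_seconds() // 60)


def to_utc(date_value):
    """Re-express the same instant with a +0000 zone."""
    dt = parsedate_to_datetime(date_value)
    if dt.tzinfo is None:  # '-0000' is already UTC, just without a zone claim
        dt = dt.replace(tzinfo=timezone.utc)
    return format_datetime(dt.astimezone(timezone.utc))


def normalize_message(raw):
    """Return (message text with a UTC Date header, offset in minutes that was removed)."""
    msg = email.message_from_string(raw)
    original = msg["Date"]
    if original is None:
        return raw, None
    leaked = disclosed_offset(original)
    if leaked:  # only rewrite when a non-zero offset is present
        msg.replace_header("Date", to_utc(original))
    return msg.as_string(), leaked


# Constructed sample message using the Date value quoted in the report.
SAMPLE = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: test\n"
    "Date: Fri, 12 Aug 2022 13:21:24 +0200\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    fixed, leaked = normalize_message(SAMPLE)
    print(f"offset removed: {leaked:+d} minutes")
    print(fixed)
```

The instant is preserved, so recipients' clients still sort and display the message correctly in their own local time; only the sender's offset is dropped.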