Bil Corry wrote: > Jean-Marc Desperrier wrote on 7/24/2009 1:09 PM: >> The most serious attack seem to me to be than the attacker can know >> *when* exactly you read any given mail. > > I hadn't thought of that, but I do now see that as a reason to turn > it off entirely for any messaging application. You're right, it > wouldn't be too hard to marry wildcard DNS with specially-crafted > tracking links to know when the user has viewed the message (which is > why many messaging applications disable remote image fetching by > default).
DNS prefetching is turned off for the message pane in Thunderbird 3 and SeaMonkey 2 https://bugzilla.mozilla.org/show_bug.cgi?id=492196 Jean-Marc's point would apply to webmail if you have a non-SSL connection. You may feel safe enough with your mail content going in the clear between you and your mail server, but a dns-prefetch webbug would feed information back to the sender without them having to eavesdrop on the network between you and your mail provider. Options (provided in my preference order): 1. Use Thunderbird for reading mail 2. Use a web mail provider that supports SSL 3. Turn off DNS prefetching. 4. Acknowledge "privacy is dead" and don't worry about it. -Dan _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security