EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 10 Apr 2019, 11:17 AM   #1
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 568
Protection from tracking

So... we all know that FM can block remote images from HTML email in order to help prevent tracking, but does anyone know if they scrub all URLs from HTML code as well? Can this even be done, if many HTML emails are depending on remote stylesheets or something? And if such scrubbing is not being done, does that mean that blocking remote images only is just a kind of "security theater"? And does it mean that the settings text Ask before loading any external content is somewhat inaccurate?

Last edited by NumberSix : 12 Apr 2019 at 02:22 PM.
NumberSix is offline   Reply With Quote

Old 10 Apr 2019, 01:39 PM   #2
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 568
I guess a more concise way of saying this is: does the aforementioned external content really include all external references by HTML message bodies, or just images?
NumberSix is offline   Reply With Quote
Old 11 Apr 2019, 02:06 PM   #3
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 548
If you selected under Advanced Settings "Always display messages in plain text", would that remove the issue?
gardenweed is offline   Reply With Quote
Old 12 Apr 2019, 09:49 AM   #4
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 568
Quote:
Originally Posted by gardenweed View Post
If you selected under Advanced Settings "Always display messages in plain text", would that remove the issue?
Yes, I suppose it would solve the "problem" that concerns me, but I don't prefer to do that because most HTML emails (if they don't also contain a plaintext version internally, which I think most don't) look like crap when de-formatted. I like to see HTML formatting when it's available. Just don't want it "phoning home".
NumberSix is offline   Reply With Quote
Old 13 Apr 2019, 09:36 AM   #5
Grhm
Senior Member
 
Join Date: Mar 2007
Location: UK
Posts: 179
Hmmm. Flashy formatting, or privacy?
Flashy formatting, or privacy?
Tricky choice.
Not.
Grhm is offline   Reply With Quote
Old 13 Apr 2019, 09:43 AM   #6
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 568
Quote:
Originally Posted by Grhm View Post
Hmmm. Flashy formatting, or privacy?
Flashy formatting, or privacy?
Tricky choice.
Not.
But it's a false choice. Most HTML will probably display fine with remote references removed. Mail that depends on remote resources like stylesheets might look bad, but probably not quite as bad as the same thing rendered as plain text by simply stripping all HTML code out. Companies/orgs that want privacy-minded customers to see their content properly should (ideally) learn not to use remote resources, but rather embed CSS styles, etc, into the HTML body.
NumberSix is offline   Reply With Quote
Old 13 Apr 2019, 09:50 AM   #7
Grhm
Senior Member
 
Join Date: Mar 2007
Location: UK
Posts: 179
Ideally?
No, ideally, they should use plain text.
Grhm is offline   Reply With Quote
Old 13 Apr 2019, 11:33 AM   #8
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 568
Quote:
Originally Posted by Grhm View Post
Ideally? No, ideally, they should use plain text.
I consider myself a slightly luddite curmudgeon, but I tip my hat to you, sir
NumberSix is offline   Reply With Quote
Old 13 Apr 2019, 12:51 PM   #9
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,544
Quote:
Originally Posted by NumberSix View Post
I guess a more concise way of saying this is: does the aforementioned external content really include all external references by HTML message bodies, or just images?
The Fastmail help page on this seems very clear with regards to your concern:
https://www.fastmail.com/help/receiv...tecontent.html
Quote:
When receiving email, we block any images or other content that isn't sent with the email if you are viewing through our web interface. You must click to load the remote content in order to view it.
You can see more on the Security help page:
https://www.fastmail.com/help/ourservice/security.html
Quote:
When accessing your email through our web interface (ie: not via desktop or device clients), we protect your privacy by fetching all referenced images through our servers. This prevents the owner of the image from being sent additional information about you such as your internet address (which reveals your rough location), browser information and sometimes even tracking cookies.
This blog post may also be useful:
https://fastmail.blog/2014/09/16/bet...mage-proxying/
Quote:
When your browser requests an image (or any other page) it sends all sorts of information to the web server, including your internet address (which reveals your rough location), the type and version of browser you're using, and sometimes even tracking cookies and other information that can help identify you. While these things are a fundamental part of how the web works and are difficult to avoid, we know that many of our users don't like this information to be sent without their knowledge.
Bill
n5bb is offline   Reply With Quote
Old 15 Apr 2019, 10:20 AM   #10
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 568
Thanks for the response, Bill... in fact I had neglected to check the help pages. But I disagree that they are "very clear". In fact, with the exception of the one place you quoted "we block any images or other content", every other bit of wording on that page, and the others, contains a very strong implication that "external content" == "images". The two terms are used interchangeably. That doesn't prove anything, but it also does not make me feel confident that in fact any and all external content is being treated the same as images are treated (in spite of the previous quotation). If other types of content like stylesheets were included, you would think that some mention of something other than images would be made. Or there would be an explicit statement that HTML messages are scrubbed of all URLs, or something to that effect. So, I think it is quite reasonable for me to ask this question.

I have put in a support request asking this question. I will follow up to this thread with whatever response I get.
NumberSix is offline   Reply With Quote
Old 15 Apr 2019, 12:32 PM   #11
Grhm
Senior Member
 
Join Date: Mar 2007
Location: UK
Posts: 179
Quote:
Originally Posted by NumberSix View Post
I consider myself a slightly luddite curmudgeon
Yay! Luddite curmudgeons rule!
Grhm is offline   Reply With Quote
Old 16 Apr 2019, 11:10 AM   #12
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 568
Here's the response I got:
Quote:
Remote images are loaded based on this preference (but always proxied via our server to hide your IP and prevent cookie or location tracking). All other external content (e.g. external stylesheets, sounds or anything else) is always stripped and never loaded. We are planning to update the wording on this preference to try to make it clearer what it does.

Please note, this only applies while using our web interface or our apps. 3rd party clients will often load content directly, and may load external content other than images.
So... that's the good news I was hoping for. Case closed.

Maybe even Grhm will be willing to view formatted emails now
NumberSix is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 01:28 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy