undefined | Better HN

0 pointsHumdeee4y ago0 comments

Interesting. I've always thought that images within emails would also serve as a read receipt to the server that sent them when enabled or shown. Would this still apply? Google providing a proxy for this could totally pollute this data (which could be a good thing!).

0 comments

signal114y ago

> I've always thought that images within emails would also serve as a read receipt to the server that sent them when enabled or shown

Yes, that's exactly what happens. Proxying the image only hides the user's IP address. If the images in the email load from external resources like https://example.com/fetch-resource?id=something_unique GMail has no way of knowing if something_unique uniquely identifies a user.

This is why disabling images is helpful. Of course Gmail also lets you enable images per sender, and you may find that quite acceptable for sites you have a relationship with (e.g. a shopping site which already knows your IP address and is sending you delivery notifications).

ncallaway4y ago

My understanding is that is exactly why Google provides a proxy for that.

tomschwiha4y ago

Last time I checked Google is proxying the external ressources right in the moment when the email is opened, so it just protects the IP address.

hunter2_4y ago

Someone tested [0] and the result agrees with you. And this Gmail help article [1] elaborates on the scope of protection, which is equivalent to "IP address and HTTP headers":

> Google scans images for signs of suspicious content before you receive them.

> These scans make images safer because:

> - Senders can’t use image loading to get information about your computer or location.

> - Senders can't use the image to set or read cookies in your browser.

> - Gmail checks the images for known harmful software. Sometimes, senders may know whether you've opened an email that has an image. Gmail scans every message for suspicious content. If Gmail thinks that a sender or message is suspicious, images aren’t shown and you’ll be asked if you want to see the images.".

###

Personally, I think this is quite silly, because I routinely disclose my IP address and HTTP headers without considering it particularly sensitive, but I don't want senders to know that their their email messages have been opened.

[0] https://blog.filippo.io/how-the-new-gmail-image-proxy-works-...

[1] https://support.google.com/mail/answer/145919?hl=en-GB

1 more reply

stjohnswarts4y ago

Yeah most companies don't care about the IP they care that the email was opened by the target/victim and that's what happens even with proxied images.

sangnoir4y ago

Google proxies the requests, and makes one (and only one) upstream request. This prevents subsequent 'pings' if the user opens the email again later.

j / k navigate · click thread line to collapse