An easier way to get your logo in the inbox: Google's latest BIMI changes (opens in new tab)

(valimail.com)

24 pointspydubreucq1y ago24 comments

24 comments

So, where a VMC was equivalent to an EV X.509 certificate, CMC is basically a normal certificate. I guess nobody wanted to buy VMCs, just like with EVs. But the mere existence of CMCs now lowers the value of a BIMI logo; if almost anybody can get a CMC, the logo can not be trusted. Might as well use X-Face, which is free.

(BIMI is still a tracking pixel in every mail, BTW.)

Previously: <https://news.ycombinator.com/item?id=40873830>, <https://news.ycombinator.com/item?id=32717105>, <https://news.ycombinator.com/item?id=28196403>

9dev1y ago

Nobody wanted to buy them because the pricing was just ridiculous. I’m sure as hell not dropping 1.5 grand per year to display a freaking logo next to our mails. Had they been less greedy, this could have actually worked. But the way it is, it’s just a money grab from the same guys that used to sell you overpriced SSL certificates.

> (BIMI is still a tracking pixel in every mail, BTW.)

It doesn’t have to be. Email platforms and clients should have servers in place to fetch logo images and cache them for their users; no direct correlation between users and requests in that case.

netsharc1y ago

To abuse the email system even more, wouldn't it be possible to add a header to the email with a base64 encoded image? I suppose with HiDPI, the image might need to have quite a high resolution. And then someone will find an exploit involving image decoding/displaying.. like one Outlook had years ago while parsing manipulated timestamps.

Edit: reading one example, the hosted image can be an SVG, so that would not be so heavy to be embedded into the header..

teddyh1y ago

Such standards exist already:

1. The ancient “X-Face” header: 48×48 black or white pixels: <https://en.wikipedia.org/w/index.php?title=X-Face&oldid=1220...>

2. The “Face” header, from 2005: 48×48 PNG image <https://quimby.gnus.org/circus/face/>

teddyh1y ago

> Email platforms and clients should have servers in place to fetch logo images and cache them for their users; no direct correlation between users and requests in that case.

So, all email servers and clients should be rewritten to avoid user tracking. Got it.

This will never happen. If it came even close to happening, BIMI would magically and coincidentally grow a new user-tracking feature.

9dev1y ago

Coming to think of it… How would you implement user tracking with an image that must be served from a static URL defined in a DNS record and no request parameters to go by? Other than applying heuristics to match the time frame between sending a mail and receiving a request for the logo endpoint, I don't see how that would even work.

Additionally, platform providers have a huge incentive to cache the logos on their end—otherwise, they'd be required to verify the cryptographic signature every single time the logo were required to be drawn on the screen.

tssva1y ago

Some email platforms already cache images to prevent tracking.

1 more reply

irq-11y ago

Brand Indicators for Message Identification (BIMI)

technion1y ago

I've read Google's announcement and I'm not sure why it's a Google announcement, the BIMI group published this change here:

https://bimigroup.org/announcing-common-mark-certificates/

But that document seems unfinished. It refers to there still being requirements to get a CMC, at at this time it tells you to go refer to a PDF where those requirements are documented. But that PDF is the old VMC documentation.

ajonit1y ago

BIMI needs an LetsEncrypt equivalent of VMC to take-off. It's prohibitively expensive for small businesses.

ocdtrekkie1y ago

While I enjoy Google relaunching EV certs under another name to avoid it was just wrong about claiming they were useless and a bad idea... the cost is the point.

One of the biggest things people just don't get is that anything cheap and automatic is easily exploitable at scale, and things expensive and manual are much harder to exploit, and generally speaking not worth the cost.

The reason people got the idea the lock icon in the browser meant a site was legitimate is because malicious sites rarely ever paid for a certificate. Now that certificates are free, of course, all phishing sites use Let's Encrypt.

EV and VMC certs are not generally speaking exploited simply because it isn't worth the cost to do so.

ajonit1y ago

Now that certificates are free, of course, all phishing sites use Let's Encrypt. Evaluating a website's legitimacy using SSL should not have been initiated by browser vendors. The messaging was wrong for the non-tech folks. They do not have anything to do with the site is fake/fraud/malicious. It was just the data-in-transit is safe or not.

ocdtrekkie1y ago

That's not my point: My point is that it became a real world tendency because it was pretty accurate: The malicious websites weren't paying for certificates.

If even some legitimate businesses balk at the cost of a VMC, your average scammer isn't going to drop that kind of money to get one either, especially since that cost is per-attempt and the approval is somewhat manual and likely involves humans seeing that it is wrong. But Bank of America will and hence the BoA logo on your email is pretty effective proof of legitimacy.

1 more reply

throwaway2016a1y ago

Perhaps I'm missing it but where do you actually buy and/or generate a CMC? I can't find any information on it.

Personally VCM is far too expensive for me at this time which is the only reason I haven't gotten one. But I certainly realize that putting a cost barrier to entry makes it less accessible to bad actors.

Balasai1y ago

CMC is on but same price as VMC this is totally unfair https://www.digicert.com/tls-ssl/verified-mark-certificates#...

Am4TIfIsER0ppos1y ago

Emojis are an abomination in email subjects and authors but now you want to deliberately add more colors and corporate branding. Fuck you google. Good thing I say as far away from the web interface as possible. Too bad thunderbird renders emojis in color.

j / k navigate · click thread line to collapse

24 comments

teddyh1y ago

(BIMI is still a tracking pixel in every mail, BTW.)

Previously: <https://news.ycombinator.com/item?id=40873830>, <https://news.ycombinator.com/item?id=32717105>, <https://news.ycombinator.com/item?id=28196403>

9dev1y ago

> (BIMI is still a tracking pixel in every mail, BTW.)

It doesn’t have to be. Email platforms and clients should have servers in place to fetch logo images and cache them for their users; no direct correlation between users and requests in that case.

netsharc1y ago

Edit: reading one example, the hosted image can be an SVG, so that would not be so heavy to be embedded into the header..

teddyh1y ago

Such standards exist already:

1. The ancient “X-Face” header: 48×48 black or white pixels: <https://en.wikipedia.org/w/index.php?title=X-Face&oldid=1220...>

2. The “Face” header, from 2005: 48×48 PNG image <https://quimby.gnus.org/circus/face/>

teddyh1y ago

> Email platforms and clients should have servers in place to fetch logo images and cache them for their users; no direct correlation between users and requests in that case.

So, all email servers and clients should be rewritten to avoid user tracking. Got it.

This will never happen. If it came even close to happening, BIMI would magically and coincidentally grow a new user-tracking feature.

9dev1y ago

tssva1y ago

Some email platforms already cache images to prevent tracking.

1 more reply

irq-11y ago

Brand Indicators for Message Identification (BIMI)

technion1y ago

I've read Google's announcement and I'm not sure why it's a Google announcement, the BIMI group published this change here:

https://bimigroup.org/announcing-common-mark-certificates/

ajonit1y ago

BIMI needs an LetsEncrypt equivalent of VMC to take-off. It's prohibitively expensive for small businesses.

ocdtrekkie1y ago

While I enjoy Google relaunching EV certs under another name to avoid it was just wrong about claiming they were useless and a bad idea... the cost is the point.

EV and VMC certs are not generally speaking exploited simply because it isn't worth the cost to do so.

ajonit1y ago

ocdtrekkie1y ago

That's not my point: My point is that it became a real world tendency because it was pretty accurate: The malicious websites weren't paying for certificates.

1 more reply

throwaway2016a1y ago

Perhaps I'm missing it but where do you actually buy and/or generate a CMC? I can't find any information on it.

Balasai1y ago

CMC is on but same price as VMC this is totally unfair https://www.digicert.com/tls-ssl/verified-mark-certificates#...

Am4TIfIsER0ppos1y ago

j / k navigate · click thread line to collapse