[Standards] XHTML <img/> presence leak

Peter Saint-Andre stpeter at jabber.org
Mon Mar 5 20:45:49 UTC 2007


Kevin Smith wrote:
> On 2 Mar 2007, at 14:21, Matthew O'Gorman wrote:
>> Isn't this a client implementation problem?
> Possibly, but a quick note makes sure everyone considers it.
> 
>> Also you could run a
>> proxy or Tor to secure your anonymity. ^_^
> That wouldn't secure anonymity. The problem in this case is that an 
> image element is sent to a user which is uniquely identifying. That is: 
> if the user fetches the image, the HTTP server knows they are online. 
> It's not immediately obvious that displaying images is bad and so a 
> client could automatically render images in messages, possibly even 
> fetching them on receipt before message rendering - if they were to do 
> that then it becomes trivial to determine when someone's online.
> 
> It's not a huge issue, a quick note in the XEP and I think we've got it 
> covered :)

Does this text address the concern?

"Because images served on the Internet may contain malicious 
instructions or software code and may enable the entity serving the 
image to determine the network availability of the requesting entity, an 
implementation MAY choose not to show images but instead show only the 
'alt' text or to not fetch images offered by entities that are not 
authorized to view the user's presence."

Peter

-- 
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
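
One way a client could apply the proposed rule, as an added example that is not part of the original message or of any XEP: images from senders who are not authorized to see the user's presence are never fetched and are replaced by their 'alt' text. The `roster` dict, the function names and the sample stanza are assumptions made for illustration; "from" and "both" are the roster subscription states in which the contact already receives the user's presence.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
IMG = "{%s}img" % XHTML_NS
ET.register_namespace("", XHTML_NS)  # serialize without an ns0: prefix

# Roster subscription states in which the contact already receives our presence.
PRESENCE_AUTHORIZED = {"from", "both"}

# Constructed sample: an XHTML-IM body carrying a uniquely identifying image URL.
SAMPLE = ('<body xmlns="http://www.w3.org/1999/xhtml"><p>Hi '
          '<img src="http://tracker.example/u/12345.png" alt="logo"/>'
          ' there</p></body>')

def bare_jid(jid):
    """Strip the resource part (simplified; no full JID normalization)."""
    return jid.split("/", 1)[0].lower()

def filter_images(body_xml, sender_jid, roster):
    """Return (sanitized XHTML, list of image URLs the client may fetch).

    roster is a hypothetical dict of bare JID -> subscription state.
    body_xml is assumed to come from the XMPP stream parser (no DTDs).
    """
    allowed = roster.get(bare_jid(sender_jid)) in PRESENCE_AUTHORIZED
    root = ET.fromstring(body_xml)
    fetch = []
    for parent in list(root.iter()):
        prev = None  # last child kept so far; receives the replacement text
        for child in list(parent):
            src = child.get("src", "")
            if child.tag != IMG or (
                    allowed and src.startswith(("http://", "https://"))):
                if child.tag == IMG:
                    fetch.append(src)
                prev = child
                continue
            # Unauthorized sender or non-HTTP source: never fetch, show 'alt'.
            text = "[image: %s]" % child.get("alt", "") + (child.tail or "")
            if prev is None:
                parent.text = (parent.text or "") + text
            else:
                prev.tail = (prev.tail or "") + text
            parent.remove(child)
    return ET.tostring(root, encoding="unicode"), fetch
```

The decision is made before any network request, so a client that prefetches images on receipt is covered as well as one that fetches at render time.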
