[Standards] XHTML <img/> presence leak
stpeter at jabber.org
Mon Mar 5 20:45:49 UTC 2007
Kevin Smith wrote:
> On 2 Mar 2007, at 14:21, Matthew O'Gorman wrote:
>> Isn't this a client implementation problem?
> Possibly, but a quick note makes sure everyone considers it.
>> Also, you could run a
>> proxy or Tor to secure your anonymity. ^_^
> That wouldn't secure anonymity. The problem in this case is that an
> image element is sent to a user which is uniquely identifying. That is:
> if the user fetches the image, the http server knows they are online.
> It's not immediately obvious that displaying images is bad and so a
> client could automatically render images in messages, possibly even
> fetching them on receipt before message rendering - if they were to do
> that then it becomes trivial to determine when someone's online.
> It's not a huge issue, a quick note in the XEP and I think we've got it
> covered :)
Does this text address the concern?
"Because images served on the Internet may contain malicious
instructions or software code and may enable the entity serving the
image to determine the network availability of the requesting entity, an
implementation MAY choose not to show images but instead show only the
'alt' text or to not fetch images offered by entities that are not
authorized to view the user's presence."
XMPP Standards Foundation
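The policy proposed in the thread, shown as an added example that is not part of the original message or of any XEP: a client-side filter that fetches an image only when the sender already has a subscription to the user's presence, and otherwise shows the 'alt' text. The function names, the roster dictionary (bare JID mapped to subscription state) and the sample data are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XHTML = "http://www.w3.org/1999/xhtml"
ET.register_namespace("", XHTML)

# Roster subscription states in which the contact already receives our
# presence, so an image fetch tells them nothing new about availability.
SEES_OUR_PRESENCE = {"from", "both"}

def bare_jid(jid):
    """Drop the resource and lowercase (simplified JID normalisation)."""
    return jid.split("/", 1)[0].lower()

def filter_images(body_xml, sender_jid, roster):
    """Return (sanitised_xml, urls_allowed_to_fetch) for one XHTML-IM body.

    Assumes body_xml was already accepted by the XMPP stream parser.
    """
    root = ET.fromstring(body_xml)
    state = roster.get(bare_jid(sender_jid), "none")
    allowed = state in SEES_OUR_PRESENCE
    fetch = []
    for parent in list(root.iter()):
        for idx, child in enumerate(list(parent)):
            if child.tag != "{%s}img" % XHTML:
                continue
            if allowed:
                if child.get("src"):
                    fetch.append(child.get("src"))
                continue
            # Sender may not see our presence: never fetch, show alt text.
            span = ET.Element("{%s}span" % XHTML)
            span.text = "[image: %s]" % child.get("alt", "")
            span.tail = child.tail  # keep the text that followed the image
            parent[idx] = span
    return ET.tostring(root, encoding="unicode"), fetch

# Constructed sample data: a roster and a body carrying a per-recipient URL.
ROSTER = {"friend@example.org": "both", "stranger@example.net": "none"}
BODY = ('<body xmlns="http://www.w3.org/1999/xhtml"><p>hi '
        '<img src="http://tracker.example/u/42.png" alt="logo"/>'
        ' there</p></body>')

if __name__ == "__main__":
    for sender in ("stranger@example.net/x", "friend@example.org/home"):
        print(sender, filter_images(BODY, sender, ROSTER))
```

The filter must run before rendering and before any prefetch, since the thread notes that a client fetching images on receipt leaks availability even if the message is never displayed.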