|Summary:||"Kmailleaks", or what to improve to make Kmail more privacy friendly.|
|Product:||[Applications] kmail2||Reporter:||eemantsal <infmtk>|
|Component:||general||Assignee:||kdepim bugs <kdepim-bugs>|
|Severity:||wishlist||CC:||johannes.klick, lbeltrame, malvin, montel, thomas.pfeiffer|
|Latest Commit:||http://commits.kde.org/messagelib/6296818e9c7003bec9911c0ee702dc1851ab33e1||Version Fixed In:||5.4.0|
Description eemantsal 2016-03-01 18:39:25 UTC
As i commented here: https://forum.kde.org/viewtopic.php?f=215&t=130580 Kmail reveals a lot of personal information that I don't believe is really necessary to take out of the user computer and launch it to the Internet for ever. This is what Kmail seems to send -from a mail in my sent mail folder in Kmail 2, the addresses and IDs have been modified for privacy reasons-: From: My Name <email@example.com> To: firstname.lastname@example.org Subject: Whatever Date: Tue, 41 Jul 7093 45:07:87 +0900 Message-ID: <206255.h4EBR3PX5@mylinuxuser-nameofmyPC> X-KMail-Identity: 1308832047 X-KMail-Dictionary: es_ES User-Agent: KMail/ (Linux/4.4.0-gentoo; KDE/5.19.0; x86_64; ; ) MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="UTF-8" I know that some headers are necessary for a correct functioning of mail protocols, deliveries, and such. But let me ask if the following information is really necessary: - Message-ID: <206255.h4EBR3PX5@mylinuxuser-nameofmyPC> This ID is unique for each message, and as you see, includes my user name and the name of my machine. I've seen that sending from the webmail page, this same server adds a Message-ID field too, but it just reads «email@example.com», surely the ID is unique too, but at least there's no info about my mail account's name, and the machine ID is just my provider's domain. Don't know how difficult may be decipher the alfanumeric ID, but seems rather more discrete than "blabbermouth" Kmail. If this ID is really indispensable, couldn't Kmail just use the mail server's domain, just like the webmail apps do or even an indefined one like «@localhost», or whatever that keeps users' data safe? - X-KMail-Identity: 1308832047 When I just begun to pay attention to what was doing Kmail with my personal data I wasn't sure if those numbers were unique or perhaps were just a code for Kmail or something like that, something more generic. No, it isn't, is another unique identifier for each message; as opposed to Message-ID it doesn't leak the user's nor machine's name though, but being a excluse Kmail identifier I wonder if it's necessary at all. None of my mail providers' web apps have such a thing, the only ID they have is Message-ID. - X-KMail-Dictionary: es_ES I simply cannot believe that mail providers need to know what's my mother language, and its regional variation. This iD doesn't anything to do with character set, it just tells what dictionary I have set for orthographic check, right? Again no provacy respectful webmail app leaks it. - User-Agent: KMail/ (Linux/4.4.0-gentoo; KDE/5.19.0; x86_64; ; ) This is the cherry on top of the cake... Operating system, distribution, desktop environment, version of DE, and CPU's architecture. Why not sending also the last time I had sex? xD Ok, jokes apart, I think that's a festival of the "cybergossip". GMX doesn't send a user agent, neither Gmail does -their web apps, no mail client-, so it seems clear that such info isn't necessary at all. So, we have 4 different sources of personal data that are leaked by Kmail and that help advertisers and governments a lot to make a very detailed fingerprintof the users. I don't know almost anything about mail protocols, but 3 of them seem not to be necesary at all for a correct functioning. Am I wrong or Kmail's privacy guarentees could improve a lot? Please, look what GMX web app sends: MIME-Version: 1.0 Message-ID: From: To: Subject: Content-Type: text/html; charset=UTF-8 Date: Importance: normal Sensitivity: Normal X-Priority: 3 X-Provags-ID: One, only one, Message-ID, out of the 4 identifiers Kmail sends -X-Provags-ID belongs to the spam filters, I think-. Seems that Kmail could function perfectly being at least as discrete, no? I'm not sure about the Content-Type: text/plain; charset="UTF-8" thind, even if this is leaking the descriptor of my character set, maybe it is necessary to avoid weird characters in the mesages, am I right? Reproducible: Always Steps to Reproduce: 1. Compose a message 2. Send it 3. Actual Results: A lot of unnecesary fingerprinting data are leaked. Expected Results: Only reveal indispensable data for email communication workd without issues, and not let other data go out of our computers.
Comment 1 Laurent Montel 2016-03-02 05:55:27 UTC
you look at mail in sent-mail not mail really send to other user: => X-KMail-Identity is never sent X-KMail-Dictionary is never sent. It's removed for mail which is sent. => Message-ID: you can customize it in kmail configuration. => user-agent I don't know why we export them indeed. I will investigate.
Comment 2 eemantsal 2016-03-02 14:40:59 UTC
Yes, but where should I look at to see what has been sent? I think the logic thing is to believe that sent mail folder contains sent mail, exactly what Kmail sents, nothing more and nothing less. Why should a program do something different to what its name says? Anyway I, of course don't deny what you say, but then, how can we know what has really been sent?
Comment 3 eemantsal 2016-03-02 15:04:47 UTC
Silly form... I can't edit my message, so I have to write this reply and spam your mailbox inncessarily >:-( Ok, 3 seconds after sending my previus message I realized that I just have to send an email to myself and look at the headers. So, then, if Kmail wouldn't send the user agent nor the Message-ID it will be as privacy friendly as the privacy friendly webmail apps. Great. But, where can be disabled or customize Message-ID? I've been looking in identities' and accounts' preferences but haven't found it. Also, don't you think that if it can be disabled or customized with a generic name like "localhost", "PC", or whatever generic name is used by the majority, it should be the default? Shouldn't privacy be preserved just out of the box, not tell users to change something that besides is not very visible? Anyway, is more tranquilizing to see that only user agent and Message-ID are sent. Thanks for indicating, if not, I'd been convinced that Kmail sends many other personal info, like I think everyone who may read my post at KDE forum must be thinking. :-/ I'll write a comment to tranquilize the readers. Thanks, and I hope it's improved as soon as possible.
Comment 4 Laurent Montel 2016-03-02 16:18:56 UTC
(In reply to eemantsal from comment #2) > Yes, but where should I look at to see what has been sent? I think the logic > thing is to believe that sent mail folder contains sent mail, exactly what > Kmail sents, nothing more and nothing less. Why should a program do > something different to what its name says? > Anyway I, of course don't deny what you say, but then, how can we know what > has really been sent? We keep it in sent-mail folder as when we want to reply/reedit we need to know why identity was used for example etc.
Comment 5 Luca Beltrame 2016-03-04 06:41:46 UTC
(In reply to eemantsal from comment #3) > identities' and accounts' preferences but haven't found it. Also, don't you > think that if it can be disabled or customized with a generic name like You can find it in Configure KMail > Composer > Headers.
Comment 6 eemantsal 2016-03-04 13:13:00 UTC
I was yesterday having a look to all those options and thought that perhaps this user Message-ID issue was related to this Headers tab you mention, but I didn't understand what a "suffix" could be -of course I know what it means in lingüistics, but remember that most of us aren't informatics nor are really accustomed to informatic terminology- and didn't pay much attention to it. Now I see that effectively that was the key. Thank you. Nevertheless, probably a little tooltip reading something like «This is the identifier that will be shown in the Message-ID header» when hovering the pointer would sensitively improve the user friendliness. Also, probably a suffix, as common and widespread as possible, should be preset by default, so the average user doesn't have to search on the Internet how to do it. Don't you agree? Anyway, then there's only the user agent leak. All in all Kmail is not such a "blabbermouth", hehe, but see how an average user like me has had to ask to you, developers and try a couple of things that most users aren't willing to try. I sincerely believe this is way afar from user friendly. If you allow me the suggestions, please add a default preset, and consider an option to see truly sent headers, not excluding the actual option to see all that extra info that Laurent said in comment 4, but adding one more perhaps in the View/Headers menu, «Real headers», or whatever you think is more descriptive and accurate. Again, all this surely sounds obvious and silly to you, but, once again, remember that the majority of users don't know/want to have to read and write in forums nor fiddle and dig amoung not so clear options, tabs, menues, etc. A couple of simple things would make users' life way easier. Regards, and I think that once the user agent issue is solved this bug report can be closed.
Comment 7 eemantsal 2016-03-04 14:28:04 UTC
Sorry if I'm being too insistent, but it has come to mind that for that hypothetical Message-ID suffix could be a per-account or per-identity setting that, by default, would use the mail sender's domain, so, if someone uses a Protonmail, Gmail, whatever account, Kmail may set as prefix protonmail.com, gmail.com, and so on; all without any need for the user to touch anything, and not adding any extra info ince the mail sender's domain is already known in the From header. i think it'd be an elegant and efficacious solution. What do you think?
Comment 8 Thomas Pfeiffer 2016-07-24 17:38:20 UTC
The User Agent does indeed reveal more information about the sender's system than necessary (why would one need to know which application in which version on which operating system was used to send an email?). Is there anything that speaks against leaving the User-Agent string completely out by default, or maybe reducing it to just "KMail"? Most email clients do send user-agent information by default, but since the sender's user agent does not really have practical relevance in an email (in contrast to a web browser where the server uses it to apply workarounds for specific browsers' shortcomings, for example), we could just be better then others in that regard.
Comment 9 Johannes Klick 2016-09-07 14:48:01 UTC
HI, i totally agree with Thomas Pfeiffer. Kmail sends by default the OS type, kernel version and the desktop environment by default. It is very useful for an attacker, who wants to send you an email with a malicious attachment... Please remove the User-Agent field by default or is it really necessary?
Comment 10 Johannes Klick 2016-09-07 14:55:57 UTC
(In reply to Luca Beltrame from comment #5) > (In reply to eemantsal from comment #3) > > > identities' and accounts' preferences but haven't found it. Also, don't you > > think that if it can be disabled or customized with a generic name like > > You can find it in Configure KMail > Composer > Headers. For making it more precise: It is possible to override the User-Agent field by adding the field "User-Agent" under "Configure KMail > Composer > Headers" but this is not intuitive. Disable User-Agent field by default and provide a menu that shows all default Headers and its values. This would make it easy for an user to edit the values.
Comment 11 malvin 2016-09-07 15:00:46 UTC
(In reply to Johannes Klick from comment #10) > > You can find it in Configure KMail > Composer > Headers. > > For making it more precise: > It is possible to override the User-Agent field by adding the field > "User-Agent" under "Configure KMail > Composer > Headers" but this is not > intuitive. Does this also allow the user to completely remove the User-Agent header? (Which I also think should be the default nowadays.)
Comment 12 Laurent Montel 2016-11-04 22:22:38 UTC
Git commit 6296818e9c7003bec9911c0ee702dc1851ab33e1 by Montel Laurent. Committed on 04/11/2016 at 22:20. Pushed by mlaurent into branch 'master'. Fix Bug 359964 - "Kmailleaks", or what to improve to make Kmail more privacy friendly. FIXED-IN: 5.4.0 M +17 -30 messagecomposer/autotests/messagefactorytest.cpp M +0 -9 messagecomposer/src/job/skeletonmessagejob.cpp http://commits.kde.org/messagelib/6296818e9c7003bec9911c0ee702dc1851ab33e1