[Humdeee]

Interesting. I've always thought that images within emails would also serve as a read receipt to the server that sent them when enabled or shown. Would this still apply? Google providing a proxy for this could totally pollute this data (which could be a good thing!).

[signal11]

> I've always thought that images within emails would also serve as a read receipt to the server that sent them when enabled or shown

Yes, that's exactly what happens. Proxying the image only hides the user's IP address. If the images in the email load from external resources like https://example.com/fetch-resource?id=something_unique GMail has no way of knowing if something_unique uniquely identifies a user.

This is why disabling images is helpful. Of course Gmail also lets you enable images per sender, and you may find that quite acceptable for sites you have a relationship with (e.g. a shopping site which already knows your IP address and is sending you delivery notifications).

[ncallaway]

My understanding is that is exactly why Google provides a proxy for that.

[tomschwiha]

Last time I checked Google is proxying the external ressources right in the moment when the email is opened, so it just protects the IP address.

[hunter2_]

Someone tested [0] and the result agrees with you. And this Gmail help article [1] elaborates on the scope of protection, which is equivalent to "IP address and HTTP headers":

> Google scans images for signs of suspicious content before you receive them.

> These scans make images safer because:

> - Senders can’t use image loading to get information about your computer or location.

> - Senders can't use the image to set or read cookies in your browser.

> - Gmail checks the images for known harmful software. Sometimes, senders may know whether you've opened an email that has an image. Gmail scans every message for suspicious content. If Gmail thinks that a sender or message is suspicious, images aren’t shown and you’ll be asked if you want to see the images.".

###

Personally, I think this is quite silly, because I routinely disclose my IP address and HTTP headers without considering it particularly sensitive, but I don't want senders to know that their their email messages have been opened.

[0] https://blog.filippo.io/how-the-new-gmail-image-proxy-works-...

[1] https://support.google.com/mail/answer/145919?hl=en-GB

[sildur]

Wouldn't this image rewriting mess with e-mail signing?

[hunter2_]

To validate a signature, the code doing that validation needs direct access to the message prior to any rewriting. I don't think the proxy introduces any barriers to that access, assuming the validation occurs on Gmail servers, as the Gmail interface can present the results of that server-side validation.

If you wanted to validate it yourself instead of trusting Gmail to do it for you, you'd use the "Show original" feature which gives you the original (per its namesake) without any rewriting as well. I assume (but haven't tested) that connecting to your mailbox via IMAP, POP, etc. also causes you to retrieve the original, with the rewriting only coming into play when using the Gmail web interface.

[stjohnswarts]

Yeah most companies don't care about the IP they care that the email was opened by the target/victim and that's what happens even with proxied images.

[sangnoir]

Google proxies the requests, and makes one (and only one) upstream request. This prevents subsequent 'pings' if the user opens the email again later.