[4195] in WWW Security List Archive
Re[2]: Return Receipts and Security
daemon@ATHENA.MIT.EDU (Pat_Noziska@gatekeeper.atlas.com)
Thu Jan 30 05:53:24 1997
From: Pat_Noziska@gatekeeper.atlas.com
Date: Thu, 30 Jan 97 01:08:17 -0800
To: <dwm@xpasc.com>
Cc: <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
Point well taken, but I would contend that your assessment falls under the
umbrella of privacy. It also assumes that the return receipt method is "Return
receipt on READ" as is done by , for example, cc:Mail or Microsoft Mail. Others
(mostly UNIX mail hosts) simply provide *delivery notification*, meaning "The
mail got there, but has not necessarily been read by the recipient." I think
this is is primary objective of most "return receipt" requests; the sender
simply wants a warm fuzzy that the mail arrived safely (something you can't get
from SnailMail without paying a premium).
So I still can't see how "delivery notification" can compromise security. I'd
love to hear from anyone as to why they'd disagree ...
Pat
______________________________ Reply Separator _________________________________
Subject: Re: Return Receipts and Security
Author: "David W. Morris" <dwm@xpasc.com> at internet
Date: 1/31/97 9:00 PM
On Tue, 28 Jan 1997 Pat_Noziska@gatekeeper.atlas.com wrote:
>
> Would there be ANY security-related reason (other than privacy) for a mail
host
> to NOT issue return receipt (or delivery notification) messages on incoming
> mail messages that request it using a "Return-Receipt-To: " header?
For sure the recipient should have control over whether the receipt is
sent. That should cover the privacy issue.
Beyond that, I would think a receipt would be a kind of probe response
which would reveal information about the recipient's current activity
with the system. Since we don't know anything more about your actual
implementation design, its hard to be sure, but consider:
Mail sent with reply requested.
No reply received.
Cracker assumes addressee is not logged and proceeds to crack their way
in as the addressee.
Having some level of assurance a user one wanted to surrogate for isn't
around would reduce the probability of timely detection.
Dave Morris
