[4215] in WWW Security List Archive
Re[2]: Return Receipts and Security
daemon@ATHENA.MIT.EDU (Adam Drobnis)
Thu Jan 30 19:30:55 1997
Date: 30 Jan 1997 13:55:48 -0500
From: "Adam Drobnis" <Adam.Drobnis@bankerstrust.com>
To: www-security <www-security@ns2.rutgers.edu> (Return requested) (Receipt notification requested)
cc: Pat_Noziska <Pat_Noziska@gatekeeper.atlas.com> (Return requested) (Receipt notification requested)
Errors-To: owner-www-security@ns2.rutgers.edu
Good Afternoon,
I agree with Pat regarding the return receipt being delivered more for
notification that the server received the message versus the actual recipient
opening the message; however, does the return receipt offer too much
information regarding the inner workings of the systems at the final
destination?
For instance, one of the return receipts I was looking over (after reading
this message), gives me very detailed information regarding what type of
systems are operating at that particular company, and what exact route was
taken to get from point A to point B. If I knew more than I do now, wouldn't I
be able to use that information in a manner that was unethical?
Why doesn't the system that receives the mail simply state that the message
was delivered. Period? I have come across two (today actually) that did
just that. But the rest give me more information than is necessary, which,
to me (although I haven't quite figured out how), could lead to a security risk.
I am in constant study of new materials on all subjects, and the system that
my corporation uses, I believe, returns all of the same type of information?
So, how paranoid am I?
ADAM :)
-------------------------------------------------------------------------------------------------------------
Point well taken, but I would contend that your assessment falls under the
umbrella of privacy. It also assumes that the return receipt method is "Return
receipt on READ" as is done by, for example, cc:Mail or Microsoft Mail. Others
(mostly UNIX mail hosts) simply provide *delivery notification*, meaning "The
mail got there, but has not necessarily been read by the recipient." I think
this is the primary objective of most "return receipt" requests; the sender
simply wants a warm fuzzy that the mail arrived safely (something you can't get
from SnailMail without paying a premium).
So I still can't see how "delivery notification" can compromise security. I'd
love to hear from anyone as to why they'd disagree ...
Pat