
Show HN: GIF Tracking Protection – Prevent privacy-invasive 1x1 GIFs - 0x01h
https://github.com/0x01h/gif-tracking-protection
======
upofadown
This only seems to work against tracking information in parameters. You can
put the tracking info into the root URL. For a particularly egregious example
of this see the EFAIL attack where entire decrypted messages were being sent
back to the attackers in the root URL:

* [https://efail.de/](https://efail.de/)

I doubt that HTML emails can ever be made secure in general. You are likely
vulnerable to a wide range of attacks and leaks if you allow images to load in
your email no matter how much you attempt to sanitise things.
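
Added example (not part of the comment above and not code from the gif-tracking-protection project): a Python check of the point about parameter-only sanitising, assuming the sanitiser simply drops the query string. The host, recipient token and helper names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample email body; host and recipient token are made up.
SAMPLE_HTML = """
<p>Hello</p>
<img src="https://mail.example/open.gif?uid=alice-123" width="1" height="1">
<img src="https://mail.example/o/alice-123/open.gif" width="1" height="1">
<img src="cid:logo@local" width="120" height="40">
"""

class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def strip_params(url):
    """Assumed parameter-only sanitiser: drop query and fragment, keep path."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def is_remote(url):
    """True if loading the image would contact a server."""
    return urlsplit(url).scheme in ("http", "https") or url.startswith("//")

def audit(html, token):
    """Per image: does `token` still reach the server after stripping
    parameters, and does loading the image cause a remote request at all?"""
    collector = ImgCollector()
    collector.feed(html)
    rows = []
    for src in collector.srcs:
        cleaned = strip_params(src)
        rows.append({
            "cleaned": cleaned,
            "token_survives": is_remote(cleaned) and token in cleaned,
            "remote_request": is_remote(src),
        })
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_HTML, "alice-123"):
        print(row)
```

The first image loses its token but is still fetched, so the open itself remains visible to the sender; the second keeps the token in the path, and only not loading remote images stops both.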

------
Tagbert
Some email clients try to block tracking by not downloading images unless the
user requests images for a specific email.

- MS Outlook does this. Google Gmail does this for some clients.

Other email clients automatically download all image references in email to a
proxy server hosted by the email provider. If the user enables images for an
email, the images are downloaded from the proxy server, not the sending
server. This means that download logs are useless for tracking.

- Google Gmail does this for some email clients.

~~~
petercooper
_This means that download logs are useless for tracking._

Depends what sort of tracking you mean. Google still only proxies the image
download if you open the mail, so it can be used to track opens (which Gmail
_likes_ because they want people to auto delete non-engaging subscribers). You
can't track the end user's location or IP though, which may be enough for
most.

