An easier way to get your logo in the inbox: Google's latest BIMI changes (valimail.com)
24 points by pydubreucq 2 days ago | hide | past | favorite | 23 comments





So, where a VMC was equivalent to an EV X.509 certificate, CMC is basically a normal certificate. I guess nobody wanted to buy VMCs, just like with EVs. But the mere existence of CMCs now lowers the value of a BIMI logo; if almost anybody can get a CMC, the logo cannot be trusted. Might as well use X-Face, which is free.

(BIMI is still a tracking pixel in every mail, BTW.)

Previously: <https://news.ycombinator.com/item?id=40873830>, <https://news.ycombinator.com/item?id=32717105>, <https://news.ycombinator.com/item?id=28196403>


Nobody wanted to buy them because the pricing was just ridiculous. I’m sure as hell not dropping 1.5 grand per year to display a freaking logo next to our mails. Had they been less greedy, this could have actually worked. But the way it is, it’s just a money grab from the same guys that used to sell you overpriced SSL certificates.

> (BIMI is still a tracking pixel in every mail, BTW.)

It doesn’t have to be. Email platforms and clients should have servers in place to fetch logo images and cache them for their users; no direct correlation between users and requests in that case.


To abuse the email system even more, wouldn't it be possible to add a header to the email with a base64-encoded image? I suppose with HiDPI, the image might need to have quite a high resolution. And then someone will find an exploit involving image decoding/displaying... like one Outlook had years ago while parsing manipulated timestamps.

Edit: reading one example, the hosted image can be an SVG, so that would not be so heavy to be embedded into the header.


Such standards exist already:

1. The ancient “X-Face” header: 48×48 black or white pixels: <https://en.wikipedia.org/w/index.php?title=X-Face&oldid=1220...>

2. The “Face” header, from 2005: 48×48 PNG image <https://quimby.gnus.org/circus/face/>


> Email platforms and clients should have servers in place to fetch logo images and cache them for their users; no direct correlation between users and requests in that case.

So, all email servers and clients should be rewritten to avoid user tracking. Got it.

This will never happen. If it came even close to happening, BIMI would magically and coincidentally grow a new user-tracking feature.


Coming to think of it… How would you implement user tracking with an image that must be served from a static URL defined in a DNS record and no request parameters to go by? Other than applying heuristics to match the time frame between sending a mail and receiving a request for the logo endpoint, I don't see how that would even work.

Additionally, platform providers have a huge incentive to cache the logos on their end—otherwise, they'd be required to verify the cryptographic signature every single time the logo were required to be drawn on the screen.


Some email platforms already cache images to prevent tracking.

Let me guess: Those platforms just happen to be web-based, so the platform owners can track users there anyway?

Any email provider can track you pretty successfully whether web based or using another protocol such as IMAP. Most email is at best protected by encryption only while in transit after all. For personal email you get to choose your email provider and whether you are ok with them tracking you or trust them not to track you.

But an example of a non-web-based email client which provides privacy protections regarding images in email is Apple Mail and its Mail Privacy Protection features.


And Apple Mail displays BIMI images? Does it cache them?

Whether Apple Mail supports BIMI is not really relevant, since my original comment was regarding email platforms supporting caching of images and not BIMI specifically. If an email client supports caching of images, extending that to also include BIMI logos while adding BIMI support is minimal effort.

That being said, Apple Mail has supported showing BIMI logos since iOS 16 and macOS Ventura. Do they use caching for doing so when Mail Privacy Protection is enabled, as they do for other images? I have not specifically done an in-depth dive to determine that, but what exactly would the motivation be for Apple to bypass the image caching functionality for just this type of image?


Brand Indicators for Message Identification (BIMI)

I've read Google's announcement and I'm not sure why it's a Google announcement, the BIMI group published this change here:

https://bimigroup.org/announcing-common-mark-certificates/

But that document seems unfinished. It refers to there still being requirements to get a CMC, and at this time it tells you to go refer to a PDF where those requirements are documented. But that PDF is the old VMC documentation.


BIMI needs a Let's Encrypt equivalent of VMC to take off. It's prohibitively expensive for small businesses.

While I enjoy Google relaunching EV certs under another name to avoid admitting it was just wrong about claiming they were useless and a bad idea... the cost is the point.

One of the biggest things people just don't get is that anything cheap and automatic is easily exploitable at scale, and things expensive and manual are much harder to exploit, and generally speaking not worth the cost.

The reason people got the idea the lock icon in the browser meant a site was legitimate is because malicious sites rarely ever paid for a certificate. Now that certificates are free, of course, all phishing sites use Let's Encrypt.

EV and VMC certs are not generally speaking exploited simply because it isn't worth the cost to do so.


> Now that certificates are free, of course, all phishing sites use Let's Encrypt.

Evaluating a website's legitimacy using SSL should not have been initiated by browser vendors. The messaging was wrong for the non-tech folks. It does not have anything to do with whether the site is fake/fraud/malicious. It was just whether the data in transit is safe or not.

That's not my point: My point is that it became a real world tendency because it was pretty accurate: The malicious websites weren't paying for certificates.

If even some legitimate businesses balk at the cost of a VMC, your average scammer isn't going to drop that kind of money to get one either, especially since that cost is per-attempt and the approval is somewhat manual and likely involves humans seeing that it is wrong. But Bank of America will and hence the BoA logo on your email is pretty effective proof of legitimacy.


Of course I understood your larger point on barriers to entry for a malicious actor.

If a thing like BIMI is not widespread, would it even help an average non-tech Joe who won’t even understand the reason behind that checkmark on a logo?


It certainly can. Most people interact with the same organizations time and time again, so any visual indicator something is different can be useful. If you're used to seeing a bank logo on every email from your bank... and then you get an email without that logo... it's just one more visual indicator something is off, and it's more obvious than say... looking at the full email address behind the display name.

BIMI (and EV certs) should not be considered "for all organizations", but probably something worthwhile for organizations that transact in a lot of money and a lot of personal data.


Now consider getting the same visual indicators for ALL legit emails, not just big companies. Which case would have a bigger recall value?

For a malicious actor spoofing a combo of SPF + DKIM + DMARC + BIMI won’t be a trivial job.
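The two comments above touch on the mechanics a receiver actually relies on: the logo location is fixed in a DNS TXT record rather than chosen per message, and the record is only consulted once DMARC is enforced for the sending domain. The following is an added example written for this thread, not code from any of the commenters, Google, or the BIMI group. It evaluates constructed sample records (no DNS queries are made) using the record layout `v=BIMI1; l=<logo URL>; a=<evidence URL>` at `<selector>._bimi.<domain>` and the enforcement rule from the BIMI draft (DMARC `p=reject`, or `p=quarantine` with `pct=100`); the domain names, record values and status strings are assumptions of the example.

```python
"""Minimal BIMI pre-flight check over constructed DNS records (added example)."""
from typing import Callable, Dict, Optional

# Constructed sample TXT records for made-up domains; nothing is resolved live.
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
    "default._bimi.example.test": (
        "v=BIMI1; l=https://example.test/brand.svg; a=https://example.test/brand.pem"
    ),
    # quarantine at 50% is not enforcement, so the BIMI record is never consulted
    "_dmarc.weak.test": "v=DMARC1; p=quarantine; pct=50",
    "default._bimi.weak.test": "v=BIMI1; l=https://weak.test/logo.svg;",
    # BIMI record present, but no DMARC record at all
    "default._bimi.nodmarc.test": "v=BIMI1; l=https://nodmarc.test/logo.svg",
    # enforcing DMARC, but the logo is served over plain HTTP
    "_dmarc.plain.test": "v=DMARC1; p=reject",
    "default._bimi.plain.test": "v=BIMI1; l=http://plain.test/logo.svg",
    # enforcing DMARC with no BIMI record published
    "_dmarc.nologo.test": "v=DMARC1; p=reject; sp=reject",
}


def sample_lookup(name: str) -> Optional[str]:
    """Stand-in for a TXT lookup; returns None when the name does not exist."""
    return SAMPLE_DNS.get(name)


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' style TXT record into a dict of lowercased keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        # partition on the first '=' so URLs containing '=' stay intact
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(domain: str, lookup: Callable[[str], Optional[str]]) -> bool:
    """True when the domain's DMARC policy is reject, or quarantine at 100%."""
    record = lookup(f"_dmarc.{domain}")
    if record is None:
        return False
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False  # unparseable pct: treat conservatively as not enforcing
    return policy == "reject" or (policy == "quarantine" and pct == 100)


def evaluate_bimi(
    domain: str,
    selector: str = "default",
    lookup: Callable[[str], Optional[str]] = sample_lookup,
) -> Dict[str, Optional[str]]:
    """Decide whether a receiver would even attempt to fetch this domain's logo.

    Returns a dict with 'status', plus 'logo' and 'evidence' URLs when usable.
    Status values are this example's own labels, not spec terminology.
    """
    result: Dict[str, Optional[str]] = {
        "domain": domain, "status": None, "logo": None, "evidence": None
    }
    if not dmarc_enforcing(domain, lookup):
        result["status"] = "dmarc-not-enforcing"
        return result
    record = lookup(f"{selector}._bimi.{domain}")
    if record is None:
        result["status"] = "no-bimi-record"
        return result
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        result["status"] = "invalid-bimi-record"
        return result
    logo = tags.get("l", "")
    if not logo:
        result["status"] = "declined"  # an empty l= tag is an explicit opt-out
        return result
    if not logo.lower().startswith("https://"):
        result["status"] = "logo-not-https"
        return result
    result["logo"] = logo
    result["evidence"] = tags.get("a") or None
    # receivers that require a VMC/CMC will not render a logo without evidence
    result["status"] = "ok" if result["evidence"] else "ok-no-evidence"
    return result


if __name__ == "__main__":
    for name in ("example.test", "weak.test", "nodmarc.test", "plain.test", "nologo.test"):
        print(evaluate_bimi(name))
```

The check also makes the earlier tracking point concrete: the only URL a receiver fetches is the one already in the `l=` tag, identical for every recipient, so a sender gets no per-recipient signal from it beyond request timing, and a receiver that caches that one URL removes even that.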


I would argue that would make it worse. I don't think any given site or user needs a personal verified email icon. A big part of the goal here is to highlight legitimate trust. Real people don't need a cryptographic proof, what they want to see is "This is really from the official company Microsoft which you've heard of" and something M1cros0ft registered in a tax haven can't technically request to participate in.

This is what I feel us tech people have missed about what the old-school lock icon used to at least sort of (inaccurately) express when HTTPS was rare, and what EV intended to express (although the qualification criteria need work there).

Not everyone should be eligible for an EV cert, not everyone should be eligible for BIMI/VMC. Some sort of scale and legitimacy and manual approval (think the old school Verified checkmark before Elon bought Twitter) that not everyone qualifies for.


Perhaps I'm missing it but where do you actually buy and/or generate a CMC? I can't find any information on it.

Personally, a VMC is far too expensive for me at this time, which is the only reason I haven't gotten one. But I certainly realize that putting a cost barrier to entry makes it less accessible to bad actors.


Emojis are an abomination in email subjects and authors, but now you want to deliberately add more colors and corporate branding. Fuck you Google. Good thing I stay as far away from the web interface as possible. Too bad Thunderbird renders emojis in color.


