Why?
It is not required to disclose the exact Roundcube version to other recipients. It is unnecessary information leakage.
Background
Roundcube adds a User-Agent metadata header to every mail.
E.g.: User-Agent: Roundcube Webmail/1.4.9
Risks
gives external recipients information
gives attackers information about the exact version
metadata for NSA & Friends
Solutions?
There are 3 possible solutions:
Remove the complete version from header.
Remove complete user-agent header.
Just send major or minor version.
Compatibility?
Maybe some mail programs or spam filters use the user-agent header. So it is possible that something will be broken.
I found nothing on the internet saying that the user-agent is used for this purpose, so the risk seems low. Can some spam expert confirm that?
Reference
pr removes version #6369
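
The three options listed under Solutions, applied to the header quoted in the issue, as an added example (not Roundcube's code and not part of the original post). It assumes the rewrite happens on an already serialized message, for instance in an outbound filter; the function and policy names are hypothetical, and `major-minor` reads the third option as truncating the version to major.minor.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample message; the User-Agent value is the one quoted in the issue.
SAMPLE = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "User-Agent: Roundcube Webmail/1.4.9\n"
    "\n"
    "body\n"
)

# Product name, "/", dotted version, e.g. "Roundcube Webmail/1.4.9".
VERSIONED = re.compile(r"^(?P<product>.+?)/(?P<version>\d+(?:\.\d+)*)\b")
CLIENT_HEADERS = ("User-Agent", "X-Mailer")
POLICIES = ("strip-version", "drop-header", "major-minor")  # hypothetical names


def disclosed_versions(msg: Message) -> dict:
    """Return {header: version} for client headers that expose a version."""
    found = {}
    for name in CLIENT_HEADERS:
        m = VERSIONED.match(msg.get(name, "").strip())
        if m:
            found[name] = m.group("version")
    return found


def apply_policy(raw: str, policy: str) -> Message:
    """Parse a raw message and rewrite its client headers under one policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    msg = message_from_string(raw)
    for name in CLIENT_HEADERS:
        value = msg.get(name)
        if value is None:
            continue
        del msg[name]  # removes every occurrence of the header
        if policy == "drop-header":
            continue
        m = VERSIONED.match(value.strip())
        if m is None:
            msg[name] = value  # no version present, keep the value unchanged
        elif policy == "strip-version":
            msg[name] = m.group("product")
        else:  # major-minor: keep only the first two version components
            short = ".".join(m.group("version").split(".")[:2])
            msg[name] = f"{m.group('product')}/{short}"
    return msg
```

`disclosed_versions` can be run over sent mail before and after a change to confirm what recipients actually see.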