Privacy: Remove roundcube version string in header #7731

Closed
Rotzbua opened this issue Nov 20, 2020 · 2 comments

Comments

@Rotzbua
Contributor

Rotzbua commented Nov 20, 2020

Why?

It is not required to disclose the exact Roundcube version to other recipients. It is unnecessary information leakage.

Background

Roundcube adds a User-Agent metadata header to every mail.
E.g.: User-Agent: Roundcube Webmail/1.4.9

Risks

  • gives external recipients information
  • gives attackers information about the exact version
  • metadata for NSA & Friends

Solutions?

There are 3 possible solutions:

  1. Remove the complete version from the header.
  2. Remove the complete User-Agent header.
  3. Just send the major or minor version.

Compatibility ?

Maybe some mail programs or spam filters use the User-Agent header, so it is possible that something will break.
I found nothing on the internet indicating that the User-Agent is used for this purpose, so the risk seems low. Can some spam expert confirm that?

Reference

PR removes version #6369
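The three options listed above can be tried out on a real message before deciding which one to ship. The following is an added example written for this page, not Roundcube code: it parses an RFC 5322 message, reports which mailer headers (User-Agent and, by analogy, X-Mailer) expose a version number, and rewrites them according to option 1 (product name only), option 2 (drop the header) or option 3 (major.minor only). The sample message is constructed; its User-Agent value mirrors the one quoted in the issue.

```python
"""Audit and redact version-disclosing mailer headers in outgoing mail.

Added example for this issue thread; not part of Roundcube. The sample
message below is constructed for the demonstration.
"""
import re
from email import message_from_string, policy
from typing import Dict, Optional

# Headers that commonly carry the sending software's name and version.
# User-Agent is the one Roundcube emits; X-Mailer is the common alternative.
MAILER_HEADERS = ("User-Agent", "X-Mailer")

# Matches "Name/1.4.9", "Name 1.4.9", "Name/v1.4.9 (extra)" and captures
# the product name, the dotted version and any trailing text.
VERSION_RE = re.compile(
    r"^(?P<product>.*?)[/ ]v?(?P<version>\d+(?:\.\d+)*)(?P<rest>.*)$"
)

# Constructed sample message (not a real capture).
SAMPLE_MAIL = """\
From: alice@example.org
To: bob@example.net
Subject: test
User-Agent: Roundcube Webmail/1.4.9
Date: Fri, 20 Nov 2020 10:00:00 +0000

hello
"""


def find_version_leaks(raw: str) -> Dict[str, str]:
    """Return {header_name: version} for every mailer header exposing a version."""
    msg = message_from_string(raw, policy=policy.default)
    leaks: Dict[str, str] = {}
    for name in MAILER_HEADERS:
        for value in msg.get_all(name, []):
            m = VERSION_RE.match(value)
            if m:
                leaks[name] = m.group("version")
    return leaks


def rewrite_mailer_header(value: str, mode: str) -> Optional[str]:
    """Apply one of the three options from the issue to a single header value.

    mode == "strip"  -> option 1: keep only the product name
    mode == "remove" -> option 2: drop the header (returns None)
    mode == "minor"  -> option 3: keep only MAJOR.MINOR
    Values without a recognisable version are returned unchanged.
    """
    if mode == "remove":
        return None
    m = VERSION_RE.match(value)
    if not m:
        return value  # nothing to redact
    product = m.group("product").strip()
    if mode == "strip":
        return product
    if mode == "minor":
        parts = m.group("version").split(".")
        return f"{product}/{'.'.join(parts[:2])}"
    raise ValueError(f"unknown mode {mode!r}")


def sanitize_message(raw: str, mode: str) -> str:
    """Rewrite every mailer header of a raw message and return the new text."""
    msg = message_from_string(raw, policy=policy.default)
    for name in MAILER_HEADERS:
        values = msg.get_all(name, [])
        if not values:
            continue
        del msg[name]  # removes all occurrences of this header
        for v in values:
            new = rewrite_mailer_header(v, mode)
            if new is not None:
                msg[name] = new
    return msg.as_string()


if __name__ == "__main__":
    print("leaks before:", find_version_leaks(SAMPLE_MAIL))
    for mode in ("strip", "minor", "remove"):
        cleaned = sanitize_message(SAMPLE_MAIL, mode)
        print(f"--- {mode}: leaks after = {find_version_leaks(cleaned)}")
```

Running `find_version_leaks` over a mailbox of already-sent mail is a quick way to see what a deployment has been disclosing; the "minor" mode is deliberately still reported as a leak, since "Roundcube Webmail/1.4" still narrows the version range for an attacker.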

@alecpl
Member

alecpl commented Nov 21, 2020

It is configurable via $config['useragent']. Maybe we should change the default, I'm not sure.
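For operators who do not want to wait for a new default, the setting alecpl refers to can be overridden in the local configuration. The fragment below is an added example for this page, not a file from the Roundcube project: the key `$config['useragent']` is the one named in the comment above; the commented-out pre-change value is an assumption inferred from the header quoted in the issue ("Roundcube Webmail/1.4.9"), not copied from the project's defaults.

```php
<?php
// Added example of the Roundcube setting discussed in this thread (not project code).
// Put the override in config/config.inc.php, which takes precedence over the defaults.

// Weak setting (assumed pre-change default): full product name and version
// are sent in every outgoing message as
//   User-Agent: Roundcube Webmail/<version>
// $config['useragent'] = 'Roundcube Webmail/' . RCMAIL_VERSION;

// Option 2 from the issue: null means no User-Agent header is added at all.
$config['useragent'] = null;

// Option 1, if you prefer to keep the product name but drop the version:
// $config['useragent'] = 'Roundcube Webmail';
```

After changing the value, send a test message to a mailbox you control and inspect the raw headers to confirm the User-Agent line is absent (or version-free); the setting only affects mail composed by Roundcube, not messages relayed by the MTA.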

@alecpl
Member

alecpl commented Dec 28, 2020

Done. I changed the default to null.

alecpl closed this as completed Dec 28, 2020