(BIMI is still a tracking pixel in every mail, BTW.)
Previously: <https://news.ycombinator.com/item?id=40873830>, <https://news.ycombinator.com/item?id=32717105>, <https://news.ycombinator.com/item?id=28196403>
> (BIMI is still a tracking pixel in every mail, BTW.)
It doesn’t have to be. Email platforms and clients should have servers in place to fetch logo images and cache them for their users; no direct correlation between users and requests in that case.
Edit: reading one example, the hosted image can be an SVG, so that would not be so heavy to be embedded into the header.
So, all email servers and clients should be rewritten to avoid user tracking. Got it.
This will never happen. If it came even close to happening, BIMI would magically and coincidentally grow a new user-tracking feature.
https://bimigroup.org/announcing-common-mark-certificates/
But that document seems unfinished. It refers to there still being requirements to get a CMC, and at this time it tells you to go refer to a PDF where those requirements are documented. But that PDF is the old VMC documentation.
One of the biggest things people just don't get is that anything cheap and automatic is easily exploitable at scale, and things expensive and manual are much harder to exploit, and generally speaking not worth the cost.
The reason people got the idea the lock icon in the browser meant a site was legitimate is because malicious sites rarely ever paid for a certificate. Now that certificates are free, of course, all phishing sites use Let's Encrypt.
EV and VMC certs are, generally speaking, not exploited simply because it isn't worth the cost to do so.
Personally, a VMC is far too expensive for me at this time, which is the only reason I haven't gotten one. But I certainly realize that putting a cost barrier to entry makes it less accessible to bad actors.
1. The ancient “X-Face” header: 48×48 black or white pixels: <https://en.wikipedia.org/w/index.php?title=X-Face&oldid=1220...>
2. The “Face” header, from 2005: 48×48 PNG image <https://quimby.gnus.org/circus/face/>
Additionally, platform providers have a huge incentive to cache the logos on their end—otherwise, they'd be required to verify the cryptographic signature every single time the logo was required to be drawn on the screen.
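The caching argument in the two comments above (a provider-side fetch keyed by the sender, so the brand's server never sees a per-recipient request) can be made concrete. This is an added illustration, not code from any commenter or from the BIMI group; the domain, URLs and recipient addresses are constructed, and the record uses the real BIMI1 tag names (v, l, a) but is invented for the example.

```python
# Constructed sample: the TXT record a provider would look up at default._bimi.<sender domain>.
BIMI_RECORDS = {
    "example.com": "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/cert.pem",
}


def parse_bimi_record(txt):
    """Split a 'v=BIMI1; l=...; a=...' record into a dict and reject anything that is not BIMI1."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1" or "l" not in tags:
        raise ValueError("not a usable BIMI1 assertion record")
    return tags


def fake_origin(url):
    """Stand-in for the brand's web server so the example runs offline."""
    return b"<svg/>"


def direct_client_fetches(sender_domain, recipients):
    """Model of each mail client fetching the logo itself: one origin hit per recipient,
    and the origin log can tie every hit to who opened the mail (the tracking-pixel case)."""
    logo_url = parse_bimi_record(BIMI_RECORDS[sender_domain])["l"]
    return [(logo_url, recipient) for recipient in recipients]


def cached_provider_fetches(sender_domain, recipients):
    """Model of a provider-side cache keyed only by the logo URL from the sender's record:
    the first request fills the cache, later recipients are served from it, and the
    origin log never contains a recipient identity."""
    cache = {}
    origin_log = []  # what the brand's server would see: (url, None) with no recipient
    logo_url = parse_bimi_record(BIMI_RECORDS[sender_domain])["l"]
    for _ in recipients:
        if logo_url not in cache:
            origin_log.append((logo_url, None))
            cache[logo_url] = fake_origin(logo_url)
    return origin_log


def compare(sender_domain, recipients):
    """Return (origin hits without caching, origin hits with caching) for the same opens."""
    return len(direct_client_fetches(sender_domain, recipients)), len(cached_provider_fetches(sender_domain, recipients))
```

The cache here is keyed by the logo URL alone; a real provider would also bind the cache entry to the verified sender domain and expire it, but neither changes the point that recipients never reach the origin.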
But an example of a non-web-based email client which provides privacy protections regarding images in email is Apple Mail and its Mail Privacy Protection features.
If even some legitimate businesses balk at the cost of a VMC, your average scammer isn't going to drop that kind of money to get one either, especially since that cost is per-attempt and the approval is somewhat manual and likely involves humans seeing that it is wrong. But Bank of America will and hence the BoA logo on your email is pretty effective proof of legitimacy.
If a thing like BIMI is not widespread, would it even help an average non-tech Joe who won’t even understand the reason behind that checkmark on a logo?
BIMI (and EV certs) should not be considered "for all organizations", but probably something worthwhile for organizations that transact in a lot of money and a lot of personal data.
That being said, Apple Mail has supported showing BIMI logos since iOS 16 and macOS Ventura. Do they use caching for doing so when Mail Privacy Protection is enabled, as they do for other images? I have not specifically done an in-depth dive to determine that, but what exactly would the motivation be for Apple to bypass the image caching functionality for just this type of image?
For a malicious actor, spoofing a combo of SPF + DKIM + DMARC + BIMI won’t be a trivial job.
This is what I feel us tech people have missed about what the old-school lock icon used to at least sort of (inaccurately) express when HTTPS was rare, and what EV intended to express (although the qualification criteria need work there).
Not everyone should be eligible for an EV cert, and not everyone should be eligible for BIMI/VMC. Some sort of scale and legitimacy and manual approval (think the old-school Verified checkmark before Elon bought Twitter) that not everyone qualifies for.