| ▲ | crazygringo 2 hours ago |
| What do you mean it's personalized? It's an anonymous identifier token specific only to that email. Like I said, even with HTTPS everyone in the cafeteria theoretically knows you're connecting to HSBC as well. So I don't see the difference. |
|
| ▲ | cryptonector 2 hours ago |
| You _think_ it's anonymous. |
|
| ▲ | sharperguy 2 hours ago |
| They know that you likely read some email from HSBC and if you happen to read the same one again they will know it was the same one. |
| ▲ | crazygringo 2 hours ago |
| Right. But even over HTTPS it's not rocket science to figure out that connecting to www.email1.hsbc.co.uk pretty strongly suggests you've opened an e-mail with an image. And the number of times you request the same URL tells someone... what exactly? Because HTTPS still tells people the number of times you access any URL on a domain. |
| ▲ | awesome_dude 2 hours ago |
| Worst case scenario is the HTTP pixel request tells attackers that there is a verification chat happening. With HTTPS the attackers know a conversation is happening, but have no idea what. But I personally think the threat is being overblown (I am happy to be corrected though). |
|
| ▲ | danaris an hour ago |
| What on earth makes you think it's anonymous? It's trivial to encode each tracking pixel with a personalized hash of some sort linking it to the intended recipient of that particular email. This is...just how tracking pixels work. |
| ▲ | crazygringo an hour ago |
| Right. The hash is anonymous to anyone without access to the internal database of hashes at HSBC. That's how tracking pixels usually work. Sniffing the HTTP connection isn't giving you any way to de-anonymize the recipient. It's a hash, not a long-term identifier. |
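The thread turns on what a passive on-path observer actually learns from a per-recipient tracking pixel under HTTP versus HTTPS. The following Python is an added example, not code from the thread or from HSBC: it assumes the common scheme danaris describes (an opaque per-recipient token, here an HMAC over the recipient and campaign, that means nothing without the sender's secret or lookup table). The hostname is the one quoted in the thread; the `/open.gif` path, the `t` parameter, the secret and the recipient addresses are constructed for the demo.

```python
"""Added example: observer's view of a per-recipient tracking pixel over HTTP vs HTTPS.
Not code from the thread; the token scheme, path, parameter name and sample data are assumed.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlparse

PIXEL_HOST = "www.email1.hsbc.co.uk"        # hostname quoted in the thread
PIXEL_PATH = "/open.gif"                    # constructed for the example
SENDER_SECRET = b"constructed-demo-secret"  # assumption: sender-side HMAC key


def pixel_token(recipient: str, campaign: str) -> str:
    """Opaque per-recipient token. Without SENDER_SECRET (or the sender's table)
    it cannot be mapped back to an address, which is the 'anonymous' property."""
    msg = f"{campaign}:{recipient}".encode()
    return hmac.new(SENDER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def pixel_url(recipient: str, campaign: str, scheme: str) -> str:
    """URL embedded in the mail; the token rides in the query string."""
    query = urlencode({"t": pixel_token(recipient, campaign)})
    return f"{scheme}://{PIXEL_HOST}{PIXEL_PATH}?{query}"


def observer_view(url: str) -> dict:
    """What a passive observer on the network path learns from one fetch.
    HTTP: the whole request line (path and token) is plaintext.
    HTTPS: only the hostname (via DNS / TLS SNI) and the fact a request happened."""
    u = urlparse(url)
    if u.scheme == "http":
        return {"host": u.hostname, "path": u.path, "token": dict(parse_qsl(u.query)).get("t")}
    return {"host": u.hostname, "path": None, "token": None}


def correlate_opens(observed: list[dict]) -> dict[str, int]:
    """Count fetches per visible token. The token is still opaque, but under HTTP the
    same recipient re-opening the same mail repeats the same token, so opens are
    linkable to one another; under HTTPS the observer only gets a total."""
    counts: dict[str, int] = {}
    for view in observed:
        key = view["token"] or "<hidden>"
        counts[key] = counts.get(key, 0) + 1
    return counts


def simulate(scheme: str) -> dict[str, int]:
    """Constructed sample traffic: alice opens her mail twice, bob opens his once."""
    fetches = [
        pixel_url("alice@example.com", "statement-demo", scheme),
        pixel_url("alice@example.com", "statement-demo", scheme),
        pixel_url("bob@example.com", "statement-demo", scheme),
    ]
    return correlate_opens([observer_view(u) for u in fetches])


if __name__ == "__main__":
    print("HTTP  observer sees:", simulate("http"))   # two tokens, counts 2 and 1
    print("HTTPS observer sees:", simulate("https"))  # {'<hidden>': 3}
```

Run it and both sides of the argument show up in the output: the token never exposes an address (the "anonymous" claim holds), yet over HTTP the observer can count opens per token and tell two recipients apart, while over HTTPS only the hostname and the total number of fetches survive. The HTTPS column is the residual leak crazygringo points at; the per-token column is the extra linkability sharperguy and danaris describe, and it is what moving the pixel URL to HTTPS removes.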
|