Privacy and Security Issues with Fetching Remote Resources

The identity icon selection dialog presents you with options for using a custom image for an identity, including images from remote sources.

Network Identity Manager uses WinHTTP to fetch resources via HTTP with these settings:

These settings are intended to minimize the set of features that are used and to avoid unexpected exposure of information. Fetching a remote resource through Network Identity Manager is similar to fetching a resource through any web browser and has similar associated risks.

Details about the specific methods that are available for specifying remote resources are given below:

Fetching an image from a URL

When invoked, Network Identity Manager will attempt to fetch an image file from the specified URL using an HTTP GET request.

Fetching a Favicon from a domain

When invoked, Network Identity Manager will attempt to fetch the Favicon associated with the given domain or any parent domains. First, the Favicon for the given domain will be queried. If a Favicon is not found, then the Favicon for the www subdomain of the domain will be queried. If an icon is still not found, then the parent domains will be queried in the same manner until there is only one component left in the domain name.

For example, if the Favicon for FOO.BAR.EXAMPLE.COM is being requested, the following sequence of events will occur:

  1. An HTTP GET request for /favicon.ico will be issued to host FOO.BAR.EXAMPLE.COM.
  2. Failing which, an HTTP GET request for /favicon.ico will be issued to host WWW.FOO.BAR.EXAMPLE.COM.
  3. Failing which, an HTTP GET request for /favicon.ico will be issued to host BAR.EXAMPLE.COM.
  4. Failing which, an HTTP GET request for /favicon.ico will be issued to host WWW.BAR.EXAMPLE.COM.
  5. Failing which, an HTTP GET request for /favicon.ico will be issued to host EXAMPLE.COM.
  6. Failing which, an HTTP GET request for /favicon.ico will be issued to host WWW.EXAMPLE.COM.

This method is officially discouraged for fetching Favicons by the W3C as seen here. However, it is used as an interim measure until full support for Favicons is implemented.
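The lookup order described above, as an added example (not Network Identity Manager's own code) that lists which hosts receive a request for a given domain. It applies the rule literally, so the walk has no notion of public suffixes and a name under a two-label suffix ends at that suffix. The function names and sample domains are constructed, and returning no hosts for a single-label name is an assumption.

```python
def favicon_candidates(domain):
    """Hosts queried for /favicon.ico, in order, per the rule described above."""
    # Upper-cased to match the page's notation; host names are case-insensitive.
    labels = [p for p in domain.strip().rstrip(".").upper().split(".") if p]
    hosts = []
    # Assumption: a single-label name yields no requests, since the walk
    # stops once only one component is left.
    while len(labels) >= 2:
        host = ".".join(labels)
        hosts += [host, "WWW." + host]
        labels = labels[1:]  # move up to the parent domain
    return hosts


def requests_issued(domain, hosts_with_favicon):
    """Hosts actually contacted: the walk stops at the first one that answers."""
    serving = {h.upper() for h in hosts_with_favicon}
    contacted = []
    for host in favicon_candidates(domain):
        contacted.append(host)
        if host in serving:
            break
    return contacted


def contacted_beyond_input(domain, hosts_with_favicon=()):
    """Contacted hosts other than the domain the user typed."""
    typed = domain.strip().rstrip(".").upper()
    return [h for h in requests_issued(domain, hosts_with_favicon) if h != typed]


if __name__ == "__main__":
    # Constructed inputs: the page's own example, then a name under a
    # two-label public suffix to show where the parent walk ends up.
    for name in ("FOO.BAR.EXAMPLE.COM", "intranet.example.co.uk"):
        print(name)
        for host in favicon_candidates(name):
            print("  GET /favicon.ico  Host:", host)
    print(contacted_beyond_input("foo.bar.example.com", {"www.bar.example.com"}))
```

Each host in the list is one that may see the request, so the output is what to expect in proxy or DNS logs when this method is used.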

Fetching an icon from Gravatar.com

Please visit Gravatar.com for details about the Gravatar service and their Privacy Policy and the Terms of Service. The information in this document only applies to how Network Identity Manager uses the Gravatar service.

It is assumed that the images downloaded by Network Identity Manager using Gravatar.com are only used by the application for the purpose of identifying one or more identities.

When an email address is specified for the purpose of fetching the image associated with it on Gravatar.com, Network Identity Manager assembles a URL in accordance with the documentation and fetches a 64x64 pixel JPEG image. If there is no image associated with that email address, then the operation will fail. No default or autogenerated images will be used in this case. Network Identity Manager does not attempt to validate the email address.

Neither Network Identity Manager, MIT, nor Secure-Endpoints is associated with Gravatar.com or Automattic.com.

Security Issues

As always, it is highly recommended that your computer be kept up-to-date with the latest security patches and software updates. Fetching images from the internet increases the attack surface of Network Identity Manager due to the use of the following additional technologies to fetch and process images: