Gmail 將會提示沒有支援 STARTTLS 的信箱

Gmail 界面將會提示不支援 STARTTLS 的信箱:「Making email safer for you」。

先確認 msa.hinet.net 的 MX record:

;; ANSWER SECTION:
msa.hinet.net.          86174   IN      MX      0 msa-smtp-mx1.hinet.net.
msa.hinet.net.          86174   IN      MX      0 msa-smtp-mx2.hinet.net.

以及不支援 STARTTLS (在 EHLO 後不會出現 STARTTLS 選項):

$ t msa-smtp-mx1.hinet.net 25
Trying 168.95.6.53...
Connected to msa-smtp-mx1.hinet.net.
Escape character is '^]'.
220 msa.hinet.net ESMTP Sendmail 8.14.2/8.14.2; Thu, 11 Feb 2016 04:52:16 +0800 (CST)
EHLO localhost
250-msa.hinet.net Hello 114-32-152-63.HINET-IP.hinet.net [114.32.152.63], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
QUIT
221 2.0.0 msa.hinet.net closing connection
Connection closed by foreign host.

打開 Gmail 在收件人的地方輸入 test@msa.hinet.net 後,就會跳出紅色鎖頭表示不支援 STARTTLS。

在 Gmail 上做 CSS 效果的問題

TechCrunch 上看到的「Gmail, We Need To Talk」這篇裡提到 Gmail 的問題,尤其是 CSS 這塊:

Each Gmail client renders email differently. You may not be aware of this, but each Gmail client has its own set of frustrating quirks. Having to deal with each version of Gmail makes creating email a nail-biting chore:

  • Gmail.com Webmail. Supports <style> but does not support ids and classes.
  • Gmail Webmail for Business. Does not support <style>.
  • Gmail App for iOS. Randomly increases font sizes by 50 percent (no <style>).
  • Gmail App for Android. Randomly ignores container widths (no <style>).
  • Gmail App for Android (for non Gmail.com addresses). Does not support background images in addition to ignoring container widths (no <style>).
  • Inbox by Gmail for Android. Randomly ignores container widths but does so differently than Gmail App for Android (no <style>).
  • Inbox by Gmail for iOS. Does not support <style> but seems to not suffer from as many quirks as other Gmail mobile apps.

這也就可以理解為什麼有時候手機上看起來怪怪的了 XD

Gmail 將會針對沒有加密傳輸收到的信件標示警告

前陣子在「STARTTLS 的不完整性以及大規模監控電子郵件」提到現有的標準無法確保 ESMTP 一定會啟用 STARTTLS。所以 Google 正在跟 M3AAWG 研究標準來保護這類攻擊:

First, we found regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections. To mitigate this attack, we are working closely with partners through the industry association M3AAWG to strengthen “opportunistic TLS” using technologies that we pioneered with Chrome to protect websites against interception.

另外一方面,Google 之後也會將未透過 STARTTLS 傳輸的信件標示出來:

To notify our users of potential dangers, we are developing in-product warnings for Gmail users that will display when they receive a message through a non-encrypted connection. These warnings will begin to roll-out in the coming months.

Google 的文章可以在「New Research: Encouraging trends and emerging threats in email security」這邊看到。

我的想像是 DNSSEC + TXT record 標示,不知道會不會走這條...

CNNIC 所發出的 MCS Holdings 發出 Gmail 的 SSL 憑證,攻擊 Gmail 使用者

Google Online Security Blog 來的消息,CNNIC 授權 MCS Holdings 的 Intermediate certificate 被拿來發 www.gmail.com 的憑證:「Maintaining digital certificate security」。

Mozilla 也發出警告:「Revoking Trust in one CNNIC Intermediate Certificate」。


取自「谷歌称CNNIC发布中间人攻击证书

當初有習慣把 CNNIC 的 root certificate 拔掉的人這次不受影響。

Gmail 將會自動讀入圖片顯示...

上個禮拜超熱鬧的消息,Gmail 將會自動讀入圖片顯示:「Images Now Showing」。

在 Support 的「Choose whether to show images」說明裡有提到這個機制是透過 Gmail 的 server 去讀取圖片,所以可以達到這些事情:

  • 發信人將不會知道你現在用的 IP address。
  • 發信人將無法設定 cookie 追蹤。
  • 發信人將無法埋入 malware 或是 virus。

但圖片一直都是發開信率計算很重要的指標,而 Gmail 這一次的行為讓這些發廣告信的廠商暈了...

然後正反兩方的意見當然都有,像是「Gmail blows up e-mail marketing by caching all images on Google servers」這篇的語氣就頗袒護廣告商,最後還以陰謀論的角度來解釋這次行為:

No doubt Google hopes this move pushes marketers to spend less on e-mail and more on Adsense.

下載 Gmail 與 Google Calendar 的資料... (mbox 與 iCalendar 格式)

GmailGoogle Calendar 的資料可以透過 Google Takeout 下載了:「Download a copy of your Gmail and Google Calendar data」。

下載的格式是 mboxiCalendar

所以是一個 10GB+ 的 mbox 嗎... XD

Gmail.js

前幾天看到的「Gmail.js - JavaScript API for Gmail」,這並不是 Google 官方的 JavaScript API,而是給開發瀏覽器套件的人用的 JavaScript API。

甚至有給範例,讓你可以透過 Chrome Console 嘗鮮:

看文件發現比較特別的是提供了 Observe 的功能,可以抓到 Gmail 的事件 :p

前幾天 Gmail 收信延遲的問題...

前幾天 Gmail 可以正常運作,但一直收不到信的問題由官方發公告出來解釋了:「More On Gmail’s Delivery Delays」。

官方宣稱,這次的問題出自於兩個獨立的網路同時掛掉,造成 Gmail 的收信處理能力大幅下降:

The message delivery delays were triggered by a dual network failure. This is a very rare event in which two separate, redundant network paths both stop working at the same time. The two network failures were unrelated, but in combination they reduced Gmail’s capacity to deliver messages to users, and beginning at 5:54 a.m. PST messages started piling up.

最後是十個多小時後完全恢復。