PixelBlock – Gmail extension that blocks email open tracking (opens in new tab)

(chrome.google.com)

26 pointsramoq7y ago31 comments

31 comments

Justsignedup7y ago

I thought this is completely pointless nowadays:

- Gmail USED to block images unless you do "allow images"

- Gmail changed to a system where gmail pre-fetches the images and runs them through safety checks.

- Gmail only does this check if you open the email.

- Even if you block the pixel, you only block the gmail cache of it. NOT the original.

Unless I misunderstand.

panarky7y ago

This is easy to test.

You will find images are NOT retrieved by Google's proxy before or after opening the email when you have external images turned off in Gmail.

1) Ensure Gmail is set to "Ask before displaying external images".

2) Send yourself an HTML email with an img tag pointing to a site you control (doesn't even need to be a real image).

3) Check your server log to see if the img url was retrieved.

4) Open the email in Gmail, but don't click "Display images".

5) Check your server log again.

6) In Gmail click "Display images" and check the server log again.

Only when explicitly clicking "Display images" does GoogleImageProxy fetch the image.

Conclusion - don't install an extension that can spy on everything you do. Just ensure external images are not displayed by default.

ramoqOP7y ago

I think the point of the extension is that you can keep images _on_ and not have to worry about people tracking your opens. I would imagine the majority of Gmail users keep images on

mike-cardwell7y ago

Or just use https://www.emailprivacytester.com

dancablam7y ago

Gmail proxies an image so a pixel cannot get the source IP address, user-agent, etc. But it still permits message open detection just fine.

panarky7y ago

> But it still permits message open detection just fine.

This is only true if you allow external images to be displayed by default.

If you set Gmail to ask before displaying external images, then message open detection does not work unless you explicitly tell Gmail to display images on an individual message.

1 more reply

chimeracoder7y ago

> - Gmail USED to block images unless you do "allow images"

Google changed the default settings, but you can re-enable this behavior.

phyzome7y ago

What sort of safety check are you referring to? I've never heard of such a thing.

bahador7y ago

I could very well be wrong but I always thought that if you disable loading pictures by default, that tracking pixels would be blocked as well. Unless you click on "Show Pictures" that is.

phyzome7y ago

Right, that seems to be the real "fix".

(I still can't believe Google turned on remote images by default.)

ericpauley7y ago

This was likely the entire intent of this change, to allow email tracking by default. After all, Google tracks email opens too.

fharper19617y ago

Kinda scary to have a chrome extension that can read all of your email. Is the cure more dangerous than the disease?

chewz7y ago

It ain't so difficult to analyze the code of Chrome Extension [1]. I did (I quite often do this before installing extensions that do not have published source) and as much as you should trust random guy on HN there isn't anything malicious in the code.

On the other hand it is not very effective as the block list is quite limited. 33 entires if I have counted well.

[1] - Check for yourself - https://gist.github.com/chew-z/7b70da3724626ab04cfc9676bee18...

p49k7y ago

Isn’t it a problem that Chrome extensions have been purchased by others who then update the code to add spyware to them? I’ve never been notified about updates to Chrome extensions; they’re quietly updated in the background.

Several examples are mentioned here: https://www.howtogeek.com/188346/why-browser-extensions-can-...

rasz7y ago

Google controls the extension, they can swap a new version under your radar at any moment. Happened to me a couple of times (ImprovedTube for example "upgraded" to remove features I used). Not any more, I keep all the extensions I use as a local unpacked copies.

jessemillar7y ago

Perhaps. Wish it was an extension offered by Google (or a default feature of Gmail/Inbox) instead of a third party.

rapnie7y ago

Maybe it is because I'm on FF and not logged in, but other than the name 'omar.w.qureshi' (I think he submitted this on HN) I don't see any other info other than the 5 sentence privacy policy. I would be hesitant to install such black-box extension. Could OSS this, or is there a reason not to do so?

ramoqOP7y ago

It's actually open source. You can find it on github. Or you can view source yourself.

orastor7y ago

I know gmail does some image caching / proxying.

https://news.ycombinator.com/item?id=6898454

I guess the vector here is when you read an email versus where from / using which device / etc.

rasz7y ago

If you really care about gmail privacy (ha) you should also

    var matches = document.querySelectorAll('a[href*="www.google.com/url?q="]');
    
    // remove all google spying	redirects
    for (var i = 0; i < matches.length; i++)
    {
      if (/^(https?:\/\/(www\.|encrypted\.)?google\.[^\/]*)?\/?url/.test(matches[i])) {
        var match = /[\?&](url|q)=(.+?)&/.exec(matches[i]);
        if (match != null) {
          matches[i].href = unescape(match[2]);
        }
      }
    }

O2F27y ago

Tracking is just one of the many reasons why it should be considered common courtesy to communicate in plain text (and attachments if necessary).

My email based workflow and toolchain has been plaintext only for years and I think I've been better off for it. The recent efail vulnerability just made me shrug. Plain text mail is all around more reliable, more accessible, less obfuscated, more to the point by the nature of the medium, easier to implement [...].

JohnTHaller7y ago

Gmail and every other webmail vendor should block all of these by default. That would be a nice hit to all these "new" drip campaigns (aka personalized spam newsletters).

some_account7y ago

Yeah because Google cares about your privacy....no way would they want to remain friends with the ad industry. No they are YOUR friend. Of course. They don't even charge for their service to billions of people. Truly altruistic company.

some_account7y ago

I'm stunned every time people try to get privacy with Google.

It's Google! I wish I could make you understand but I probably can't.... :(

ramoqOP7y ago

I hope this hits the front page as I feel this is an essential extension for email privacy that many people are unaware of.

kalehrishi7y ago

I don't think having tracking pixel in gmail is a big thing. Almost every modern messaging system such as whatsapp has read receipts. Since gmail has image proxy, it doesn't leak any information. And most modern email client doesn't open remote image unless allowed explicitly.

PS: I have built https://www.mailtag.io/

dancablam7y ago

Love it. Would be great to see as a direct Gmail Add-On instead of a browser extension.

arthurfm7y ago

Could the tracking pixels not be blocked via a uBlock Origin filter list?

ramoqOP7y ago

extremely beneficial extension, you'd be surprised how many marketing emails are tracking when you open the email

ct07y ago

something available for firefox?

j / k navigate · click thread line to collapse

31 comments

Justsignedup7y ago

I thought this is completely pointless nowadays:

- Gmail USED to block images unless you do "allow images"

- Gmail changed to a system where gmail pre-fetches the images and runs them through safety checks.

- Gmail only does this check if you open the email.

- Even if you block the pixel, you only block the gmail cache of it. NOT the original.

Unless I misunderstand.

panarky7y ago

This is easy to test.

You will find images are NOT retrieved by Google's proxy before or after opening the email when you have external images turned off in Gmail.

1) Ensure Gmail is set to "Ask before displaying external images".

2) Send yourself an HTML email with an img tag pointing to a site you control (doesn't even need to be a real image).

3) Check your server log to see if the img url was retrieved.

4) Open the email in Gmail, but don't click "Display images".

5) Check your server log again.

6) In Gmail click "Display images" and check the server log again.

Only when explicitly clicking "Display images" does GoogleImageProxy fetch the image.

Conclusion - don't install an extension that can spy on everything you do. Just ensure external images are not displayed by default.

ramoqOP7y ago

I think the point of the extension is that you can keep images _on_ and not have to worry about people tracking your opens. I would imagine the majority of Gmail users keep images on

mike-cardwell7y ago

Or just use https://www.emailprivacytester.com

dancablam7y ago

Gmail proxies an image so a pixel cannot get the source IP address, user-agent, etc. But it still permits message open detection just fine.

panarky7y ago

> But it still permits message open detection just fine.

This is only true if you allow external images to be displayed by default.

If you set Gmail to ask before displaying external images, then message open detection does not work unless you explicitly tell Gmail to display images on an individual message.

1 more reply

chimeracoder7y ago

> - Gmail USED to block images unless you do "allow images"

Google changed the default settings, but you can re-enable this behavior.

phyzome7y ago

What sort of safety check are you referring to? I've never heard of such a thing.

bahador7y ago

I could very well be wrong but I always thought that if you disable loading pictures by default, that tracking pixels would be blocked as well. Unless you click on "Show Pictures" that is.

phyzome7y ago

Right, that seems to be the real "fix".

(I still can't believe Google turned on remote images by default.)

ericpauley7y ago

This was likely the entire intent of this change, to allow email tracking by default. After all, Google tracks email opens too.

fharper19617y ago

Kinda scary to have a chrome extension that can read all of your email. Is the cure more dangerous than the disease?

chewz7y ago

On the other hand it is not very effective as the block list is quite limited. 33 entires if I have counted well.

[1] - Check for yourself - https://gist.github.com/chew-z/7b70da3724626ab04cfc9676bee18...

p49k7y ago

Several examples are mentioned here: https://www.howtogeek.com/188346/why-browser-extensions-can-...

rasz7y ago

jessemillar7y ago

Perhaps. Wish it was an extension offered by Google (or a default feature of Gmail/Inbox) instead of a third party.

rapnie7y ago

ramoqOP7y ago

It's actually open source. You can find it on github. Or you can view source yourself.

orastor7y ago

I know gmail does some image caching / proxying.

https://news.ycombinator.com/item?id=6898454

I guess the vector here is when you read an email versus where from / using which device / etc.

rasz7y ago

If you really care about gmail privacy (ha) you should also

    var matches = document.querySelectorAll('a[href*="www.google.com/url?q="]');
    
    // remove all google spying	redirects
    for (var i = 0; i < matches.length; i++)
    {
      if (/^(https?:\/\/(www\.|encrypted\.)?google\.[^\/]*)?\/?url/.test(matches[i])) {
        var match = /[\?&](url|q)=(.+?)&/.exec(matches[i]);
        if (match != null) {
          matches[i].href = unescape(match[2]);
        }
      }
    }

O2F27y ago

Tracking is just one of the many reasons why it should be considered common courtesy to communicate in plain text (and attachments if necessary).

JohnTHaller7y ago

Gmail and every other webmail vendor should block all of these by default. That would be a nice hit to all these "new" drip campaigns (aka personalized spam newsletters).

some_account7y ago

I'm stunned every time people try to get privacy with Google.

It's Google! I wish I could make you understand but I probably can't.... :(

ramoqOP7y ago

I hope this hits the front page as I feel this is an essential extension for email privacy that many people are unaware of.

kalehrishi7y ago

PS: I have built https://www.mailtag.io/

dancablam7y ago

Love it. Would be great to see as a direct Gmail Add-On instead of a browser extension.

arthurfm7y ago

Could the tracking pixels not be blocked via a uBlock Origin filter list?

ramoqOP7y ago

extremely beneficial extension, you'd be surprised how many marketing emails are tracking when you open the email

ct07y ago

something available for firefox?

j / k navigate · click thread line to collapse