(BIMI is still a tracking pixel in every mail, BTW.)
Previously: <https://news.ycombinator.com/item?id=40873830>, <https://news.ycombinator.com/item?id=32717105>, <https://news.ycombinator.com/item?id=28196403>
> (BIMI is still a tracking pixel in every mail, BTW.)
It doesn’t have to be. Email platforms and clients should have servers in place to fetch logo images and cache them for their users; no direct correlation between users and requests in that case.
Edit: reading one example, the hosted image can be an SVG, so it would not be too heavy to embed into the header.
So, all email servers and clients should be rewritten to avoid user tracking. Got it.
This will never happen. If it came even close to happening, BIMI would magically and coincidentally grow a new user-tracking feature.
https://bimigroup.org/announcing-common-mark-certificates/
But that document seems unfinished. It refers to there still being requirements to get a CMC, and at this time it tells you to go refer to a PDF where those requirements are documented. But that PDF is the old VMC documentation.
One of the biggest things people just don't get is that anything cheap and automatic is easily exploitable at scale, and things expensive and manual are much harder to exploit, and generally speaking not worth the cost.
The reason people got the idea the lock icon in the browser meant a site was legitimate is because malicious sites rarely ever paid for a certificate. Now that certificates are free, of course, all phishing sites use Let's Encrypt.
EV and VMC certs are not, generally speaking, exploited, simply because it isn't worth the cost to do so.
Personally, VMC is far too expensive for me at this time, which is the only reason I haven't gotten one. But I certainly realize that putting a cost barrier to entry makes it less accessible to bad actors.