Better security and privacy through image proxying

Rob Norris – 16 September 2014

Today we rolled out a feature that enhances your privacy and security when you use FastMail: all off-site images embedded in emails are now proxied through our servers. Instead of your web browser going out to the wider internet to fetch an image in an email, it will request it securely from our servers and we'll fetch the image on your behalf. (The original email is never modified, so if you forward it or view it in an IMAP client, it will appear exactly as we received it.)

When your browser requests an image (or any other page) it sends all sorts of information to the web server, including your internet address (which reveals your rough location), the type and version of browser you're using, and sometimes even tracking cookies and other information that can help identify you. While these things are a fundamental part of how the web works and are difficult to avoid, we know that many of our users don't want this information sent without their knowledge. That's why we've always protected against this by requiring you to explicitly request that images be loaded for an email.

Now though, we've gone one step further. When an image is loaded, the request goes only to our servers, which then go and request the original image. The request comes from the server's address, with a generic browser type and version and no information at all that identifies the original email or the user requesting it. The image server remains in the dark about where the request came from. That's a big plus for your privacy.

The other advantage of our new approach is that it removes the possibility of mixed-content warnings appearing in your browser while reading your email. Every web user has had it drilled into them for years that they should look for the padlock icon to know if the site they're looking at is secure:

[Image: happy-proxy (browser padlock icon shown intact)]

But when you view an email with an image served from an insecure site (as most image hosting sites are), the browser changes the padlock icon to look like this:

[Image: sad-proxy (browser padlock icon with a mixed-content warning)]

Since all images now come via our secure servers, the padlock will now always remain intact: everything your browser receives while reading an email, images included, arrives over the encrypted connection to FastMail. (The hop from our servers to the original image host still uses whatever address the email specified, but that request carries none of your identifying information.)
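To make the two points above concrete, here is an added example (written for this article, not FastMail's own code) of what an image proxy does on each side. The proxy hostname, the HMAC signing of rewritten URLs (a common way to stop the proxy being used as an open relay; the post does not say how FastMail prevents that) and the simple regex over `<img src="...">` are all assumptions for illustration. The outbound request is built but never sent, so the script runs offline.

```python
import hashlib
import hmac
import re
import urllib.request
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical proxy endpoint and signing key: the real service endpoint and
# its anti-abuse mechanism are not described in the post.
PROXY_BASE = "https://proxy.example.net/image"
SIGNING_KEY = b"example-key-rotate-me"

# The only identity the image host ever sees: a fixed, generic browser string.
GENERIC_USER_AGENT = "Mozilla/5.0 (compatible; ImageProxy/1.0)"

# Constructed sample email body: a 1x1 tracking pixel on a plain-http host,
# with the recipient's address baked into the URL as a marketer might do.
SAMPLE_HTML = (
    '<p>Hello</p>'
    '<img src="http://img.example.com/pixel.gif?u=alice%40example.com" width="1" height="1">'
)


def sign(url: str) -> str:
    """HMAC-SHA256 over the original URL, so only URLs we issued get fetched."""
    return hmac.new(SIGNING_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_url(original: str) -> str:
    """Rewrite an off-site image URL into its https proxy form.

    Whatever scheme the email used, the browser now only ever sees an https
    URL on our host, which is what keeps the padlock intact.
    """
    return f"{PROXY_BASE}?sig={sign(original)}&url={quote(original, safe='')}"


def rewrite_html(html: str) -> str:
    """Rewrite every http/https <img src> in a copy used for display.

    The stored message is never modified; this runs on the rendered copy only.
    A real implementation would use an HTML parser rather than this regex.
    """
    def repl(m: "re.Match[str]") -> str:
        return f"{m.group(1)}{proxy_url(m.group(2))}{m.group(3)}"
    return re.sub(r'(<img\b[^>]*\ssrc=")(https?://[^"]+)(")', repl, html, flags=re.IGNORECASE)


def parse_proxy_request(request_url: str) -> str:
    """Server side: verify the signature and recover the original URL, or raise."""
    qs = parse_qs(urlparse(request_url).query)
    original = qs.get("url", [None])[0]
    sig = qs.get("sig", [""])[0]
    if original is None or not hmac.compare_digest(sig, sign(original)):
        raise ValueError("bad or missing signature: not a URL we issued")
    return original


def outbound_request(original: str) -> urllib.request.Request:
    """Build (but do not send) the request the proxy makes to the image host.

    Compared with the user's browser fetching it directly, this carries no
    cookies, no Referer pointing at the webmail page, no real browser
    fingerprint, and it originates from the server's address, not the user's.
    Anything identifying inside the URL itself (the u= parameter in the
    sample) is still delivered, which is the limitation the post's edit notes.
    """
    return urllib.request.Request(original, headers={"User-Agent": GENERIC_USER_AGENT}, method="GET")


if __name__ == "__main__":
    shown = rewrite_html(SAMPLE_HTML)
    print("browser sees:", shown)
    original = parse_proxy_request(proxy_url("http://img.example.com/pixel.gif?u=alice%40example.com"))
    req = outbound_request(original)
    print("image host sees:", req.full_url, dict(req.header_items()))
```

Running it prints the rewritten `<img>` tag the browser would receive and the bare request the image host would receive. Note that `parse_proxy_request` rejects a URL whose `url` parameter has been altered after signing, which is what stops third parties from pointing the proxy at arbitrary targets.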

Edit: Clarified that the image server cannot see where the request came from. It may still be able to determine who the request came from (i.e. email address validation) if the image URL has some kind of tracking data in it. It's still a marked improvement on not proxying at all, as it can't be directly correlated with an internet address or other tracking data.