Security Updates
Gravatar privacy proxy
Previously we made direct use of the Gravatar service (operated by WordPress) to provide avatars for subscribers. Doing this leaks IP addresses of the subscribers to a US-based entity without explicit permission, and we don’t like that, so we implemented a proxy service that means that subscriber avatars are served via our own servers, in a way that means that Gravatar is never contacted by subscribers directly, and their IPs are never revealed. This was the only remaining external service that could handle subscriber data, so now we can be certain that data is shared with nobody except Smartmessages account holders, who are the data controllers for subscriber data. Yes – we’re now entirely free of tracking cookies and scripts.
Enhanced Content Security Policy
We have strengthened our content security policy (a technical feature in HTTP) substantially. This mainly applies to the smm.im domain that we use for open & click tracking, and for serving images. The new configuration now means browsers will reject anything served from this domain that’s not an image. This helps us stay off malware scanners – if someone should ever manage to upload, for example, a malicious javascript file that ends up served from this domain, browsers will refuse to load it. Our CSP has been tightened on the rest of our sites too, and that may interfere with things that rely on privacy contraventions, such as Facebook “like” buttons. We also no longer leak data through HTTP referrer headers – some other ESPs had serious issues with this, but we were never exposed to that. This will not affect mailings as normal HTTP links continue to work just fine.
You’re welcome to test our domains at any time, using tools like securityheaders.com and Qualys SSL labs. Should you find a security issue that you would like to report to us privately, please use our standard security.txt file. Of course you should run the same tests on our competition too!