Improve transparency and privacy of user email addresses by adding a "Confidential" email type
Description
The current wording for email addresses added to GitLab accounts states "All emails will be used to identify your commits." While this is understood for general git usage and included as part of the TOS, recent new features such as gitlab-foss#45821 (closed) have highlighted that adding an email to an account makes the profile itself searchable by email.
gitlab-foss#43521 (closed) made a start at keeping emails private; however, it is not complete, since, as noted on the email settings page, "All emails are used to identify commits". This means that emails which are intended to be confidential through use of the provided noreply email can still be used to search for related accounts by creating a repository with committer emails set to the target emails.
We get a pretty steady stream of HackerOne reports in GitLab FOSS regarding routes that leak emails that are not marked as "Public", so this issue may be the first in a series to find all the places where emails marked "Private/Not for identifying commits" should be removed.
API endpoints and UI mechanisms that take email addresses as input should only be able to operate on "Public" email addresses. This reduces the effectiveness of phishing campaigns against users by requiring manual work to specifically craft messages for targets, instead of allowing an automated process for mapping emails to account and profile names.
"Confidential email" is being used in this description to not conflict with the concept of the "Private"/no reply email.
Intended users
This affects the privacy of all users of GitLab.com.
Proposal
In addition to other types of emails, a "Confidential" email type should be added that is not used to identify commits. This email should not be available to any API, route, or user other than admins.
The first iteration of this proposal is to make sure that the emails are not used to identify commits.
An email cannot be set as "Confidential" if it is set as the public or the commit email.
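To make the proposed rules concrete, here is a small Ruby model (added illustration, not GitLab's own code) of the three behaviours above: a "Confidential" flag on an email, a commit-author lookup that ignores confidential addresses, an email-taking route lookup that matches only the Public email, and the constraint that the public or commit email cannot be marked Confidential. `User`, `Email` and the helper names are assumptions for the example.

```ruby
# Added example (not GitLab's code): a minimal model of the "Confidential" email proposal.
# A user's emails carry a confidential flag; only non-confidential addresses may
# identify commits, and email-taking routes only match the Public email.

User = Struct.new(:username, :public_email, :commit_email, :emails)
Email = Struct.new(:address, :confidential)

class ConfidentialEmailError < StandardError; end

# Mark an address Confidential; refused when it is the public or the commit email.
def mark_confidential!(user, address)
  if [user.public_email, user.commit_email].include?(address)
    raise ConfidentialEmailError, "#{address} is the public or commit email"
  end
  email = user.emails.find { |e| e.address == address }
  raise ConfidentialEmailError, "#{address} is not on the account" unless email
  email.confidential = true
  user
end

# Resolve a committer email to a user, skipping Confidential addresses so that a
# repository with crafted committer emails cannot link a hidden address to a profile.
def user_for_commit_email(users, committer_email)
  users.find do |u|
    u.emails.any? { |e| !e.confidential && e.address.casecmp?(committer_email) }
  end
end

# Lookup for API/UI routes that accept an email as input: only the Public email matches.
def user_for_public_email(users, address)
  users.find { |u| u.public_email&.casecmp?(address) }
end

# Constructed sample data: one account with a public address and a work address.
def sample_users
  [
    User.new("alice", "alice@example.com", "alice@example.com",
             [Email.new("alice@example.com", false),
              Email.new("alice@corp.example", false)])
  ]
end
```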
Permissions and Security
Only the users themselves and admin users should be able to view emails marked as private in any way.
Documentation
The text on the email profile page will need to be updated to note the behavior of "Confidential" email.
The documentation for Private email already implies that other emails are made more private, but may need to be updated to include a step for setting other emails as "Confidential" once the private committer email is configured.
Testing
Some other issues regarding inconsistent behavior of API and other routes that return email addresses may need to be addressed for the proper testing of this change:
- gitlab-foss#53618 (moved) Admin API : "GET /users/:id/emails" is inconsistent w/ documentation
What does success look like, and how can we measure that?
User accounts associated with emails cannot be obtained by simple enumeration techniques.
Links / references
- gitlab-foss#45821 (closed)
- GitLab internal only: https://gitlab.zendesk.com/agent/tickets/97139