AWS Lightsail makes it (too) easy to fire up a new server, install an application, and let it loose on the Internet.  You have to learn somewhere and that's as good as any place but let's do a little housecleaning on the default apache2.conf file.  

If we scan our stock apache server, we get some errors:

+ Server leaks inodes via ETags, header found with file /, fields: 0xb3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

In my last post, I talked about a mail tracking service which uses essentially the same technique that an anti-phishing service would use.  You embed a hosted object on a server and when the message is opened, the object will render.  When the object is rendered some function on the other side is looking for that callback. 

The setup --

We need a single white pixel hosted on a webserver with a valid SSL certificate.  With Let’s Encrypt, we can add a free SSL certificate to any server.  You could try it without the SSL certificate but I think the call out to HTTP would cause a problem.  I haven’t gone through the steps of testing this without HTTP, it was more of an exercise of how quickly as easily this could be to setup something functional.

I have a vendor that uses a service, mailtrack.io, which embeds a single white pixel into email messages for tracking purposes.  When the message is opened, unbeknownst to you, your mail client will render the white pixel and then I assume mailtrack.io informs the sender that the message was read.   Pretty simple actually and clever.  But I’m watching outbound traffic and I saw the outbound connection to mailtrack.io.  When I opened the source of the email, I noticed the line calling the hosted pixel which clued me into what was happening.