Chuq Von Rospach <[EMAIL PROTECTED]> wrote:

> Yup. But I think it's safe to assume that any user reading HTML email also
> is reading HTML off of web sites, and if they're willing to accept those
> risks by going to web sites, the risks are no different from HTML-enabled
> mail lists.

It is not safe to assume that users who receive HTML email are necessarily going to be reading it with the SAME software they use to browse the Web. HTML-smart email clients frequently include their own renderers, or embed controls from specific browsers that may not be the user's choice for her or his own Web surfing.

This means that any security measures taken by the user (or his/her net helper) to encourage safe Web browsing, e.g. filtering proxies, Java/Javascript limits, cookie control, etc, may not be in effect when the emailed HTML is displayed. The potential (and possibly undisclosed) need to duplicate security measures across packages lowers security and increases risk.

It is also not safe to assume that a user surfing the Web and a user opening the Inbox are going to be comparably vigilant about side effects and security. One is the result of active curiosity, the other can come as a complete surprise amid the plain-text minutiae of the day.

> I don't see the need to be MORE secure than other things they
> accept as standard usage of the net -- I do see the need to be AS secure,
> and to be as secure as I can be without gutting functionality. Zero risk
> systems generally have little gain -- it's like investments. If you're
> completely risk-averse, you'll never get rich or go broke.

There is also the difference between what, in general, ought to be "allowed" (whatever that means) for email between individuals, versus what we, as list managers with communities to protect and develop, ought to want and install. I believe that in the vast majority of communities, members' interests are best served by remaining conservative on the listware angle.
An unhealthy emphasis on whiz-bang functionality places geek pride above topic-centered clarity and comfort, and for the average list with a purpose for existing, that's not great news.
