On Sun, 11 Feb 2001 00:15:35 -0800 
Chuq Von Rospach <[EMAIL PROTECTED]> wrote:

> On 2/10/01 11:18 PM, "J C Lawrence" <[EMAIL PROTECTED]> wrote:
>> There are two particular dangers with HTML email (if assuming no
>> other attachment types):
>> 
>> 1) Privacy loss, for instance via a bug image referenced by the
>> HTML on a foreign site (ie they get to track who reads the
>> message, where, etc).
>> 
>> 2) The ability for the HTML to invoke executable content stored
>> on remote systems (eg a mislabelled link).

> Yup. But I think it's safe to assume that any user reading HTML
> email also is reading HTML off of web sites, and if they're
> willing to accept those risks by going to web sites, the risks are
> no different from HTML-enabled mail lists. 

Not quite:

  1) They are likely to use different tools for web browsing and
  email,

  2) They know about cookies and using cookies for tracking.  Web
  bugs are invisible and largely unknown.

  3) Web bugs (and cookies) don't travel with an URL when you send
  it to a friend.

> I don't see the need to be MORE secure than other things they
> accept as standard usage of the net -- I do see the need to be AS
> secure, and to be as secure as I can be without gutting
> functionality.

Playing with guns in my back yard is one thing.  Playing with guns
in a public crowded square is another.  Lists would seem to fall
into the public square side of the equation.

> So I don't want to be 100% risk-averse -- I think it's important
> to manage that risk, but I don't see that it's an advantage to try
> to avoid things where stuff MIGHT happen just because it might,
> unless the results are catastrophic (and viruses are by definition
> catastrophic. Pixel-trackers are annoying, but also a general fact
> of life today, and not catastrophic or destructive).

There's also a question of consent.  What do the members of your
list consent to when they participate in your list, even if only by
lurking?  I've been rather explicit about this in regard to my lists
in that I promise never to reveal whether or not any particular
address is or is not subscribed to the list.  That alone pretty well
kicks HTML and any sort of executable content in the head.

-- 
J C Lawrence                                       [EMAIL PROTECTED]
---------(*)                          http://www.kanga.nu/~claw/
--=| A man is as sane as he is dangerous to his environment |=--
