On Friday, 28 May 2010 13:33:01 sawyer x wrote:
> I'm not going to tattoo "text/html" on my head if that's what you're worried
> about. :)
> That is, I'm not married to it, but I do think it's a good idea.
This list is full of technical people, and hardly anyone bothered mentioning the security implications of HTML mails. Just a few trivial examples:

 * Spying on mail reading -- via web-bugs.
 * Subverting mail fidelity -- you read something today (e.g. text embedded in a jpeg), and tomorrow it is different (the image was shown via an <img> tag).
 * Increased attack surface of mail messages -- not only the MUA security bugs, but also the HTML rendering engine it uses. This is a *huge* increase, since browsers have been the no.1 security attack vector in the last 10 years.
 * An HTML message from perl.org.il may look "benign", but contain links to malicious content hosted elsewhere (XSS attacks).
 * And we haven't started talking about the <script> tag and its interesting use cases...
 * And that's without mentioning other "nice" stuff that tends to come with HTML (links to all kinds of content types -- flash, java, pdf, quicktime music) -- this not only contains vast amounts of security problems of its own, but many times brings with it intentional "features" used by proprietary vendors (e.g. JS embedded in PDFs for spying on you).

The "factory" default configuration of my MUA (kmail for the last 8 years) is set to *NOT* render HTML mails. I make sure it stays that way.

And for those who wonder, yes, I know kmail allows me to render HTML mail partially, without following external links... But have you read my last points? What about internally attached content that hides external links? (via JS, or in PDF, etc.)

With the default strict settings, every HTML message shows the following at its top (boxed in color):

    Note: This is an HTML message. For security reasons, only the raw HTML
    code is shown. If you trust the sender of this message then you can
    activate formatted HTML display for this message by clicking [here].

Now, trust is hard stuff.
Maybe I trust that no subscriber has any malicious intent (let's be optimistic) -- but they may still be careless, or ignorant (or both), and end up sending the wrong content to the list (FW: something important for perl, read it).

Come on guys (and girls), you are the Israeli Perl Mongers! You should score better than this. It shouldn't be that hard, even if it isn't perfect:

    use strict;
    use warnings;
    my @subscriber = @ARGV;                  # subscriber names given on the command line
    open(my $MAIL, '>-') or die "cannot open STDOUT: $!";   # the "mail" goes to standard output
    foreach (@subscriber) {
        print $MAIL "$_: Don't mix English/Code/Hebrew on the same line\n";
        print $MAIL "(be nice to people who have inferior MUA's)\n";
    }

Bye,

-- 
Oron Peled                             Voice: +972-4-8228492
                          o...@actcom.co.il  http://users.actcom.co.il/~oron
"In theory, there is no difference between theory and practice.
 In practice, there is."
        -- Yogi Berra
_______________________________________________
Perl mailing list
Perl@perl.org.il
http://mail.perl.org.il/mailman/listinfo/perl
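One way to check a message for the points raised above (web-bug images, links that show one host and go to another, script/object/embed content) before letting a MUA render it, as an added example in Python that is not part of this message or any code from the list. The sample message, the `.example`/`.invalid` host names, and the function names are constructed for the illustration; the link check is a heuristic that only fires when the visible link text itself looks like a host name.

```python
"""Audit an HTML e-mail for remote and active content before rendering it (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that pull in executable or plugin content (script, flash/java/pdf via object/embed, framed pages).
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}
REMOTE_SCHEMES = {"http", "https"}
# Link text that itself looks like a host or URL, e.g. "perl.org.il" or "http://perl.org.il/x".
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class _Auditor(HTMLParser):
    """Collects (kind, what, where) findings while walking one HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._link_href = None   # href of the <a> we are currently inside, if any
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-content", tag, a.get("src") or ""))
        elif tag == "img":
            src = a.get("src") or ""
            # A remote image is fetched when the mail is opened: the sender learns that
            # (web bug) and can change what is displayed later (fidelity). cid: images
            # are attachments and are not flagged. 1x1 is the classic tracking pixel.
            if urlparse(src).scheme in REMOTE_SCHEMES:
                pixel = a.get("width") == "1" and a.get("height") == "1"
                self.findings.append(("tracking-pixel" if pixel else "remote-image", tag, src))
        elif tag == "a":
            self._link_href = a.get("href") or ""
            self._link_text = []

    def handle_data(self, data):
        if self._link_href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_href is not None:
            # Link text naming one host while href points at another: looks benign, goes elsewhere.
            text = "".join(self._link_text).strip()
            m = HOSTLIKE.match(text)
            href_host = urlparse(self._link_href).hostname or ""
            if m and href_host and m.group(1).lower() != href_host:
                self.findings.append(("deceptive-link", text, self._link_href))
            self._link_href = None


def audit_message(raw: str) -> list:
    """Return findings for every text/html part of an RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            auditor = _Auditor()
            auditor.feed(part.get_content())
            auditor.close()
            findings.extend(auditor.findings)
    return findings


def safe_to_render(raw: str) -> bool:
    """The strict-MUA policy: show formatted HTML only when nothing external or active is referenced."""
    return not audit_message(raw)


# Constructed sample message; all hosts are reserved .example / .invalid names.
SAMPLE = """\
From: someone@example.invalid
To: perl@perl.org.il
Subject: FW: something important for perl, read it
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read it here: http://perl.org.il/
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read it here: <a href="http://elsewhere.example/x">perl.org.il</a></p>
<img src="http://tracker.example/p.gif" width="1" height="1">
<img src="cid:logo@local">
<script src="http://elsewhere.example/s.js"></script>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for kind, what, where in audit_message(SAMPLE):
        print(f"{kind:16} {what} -> {where}")
    print("safe to render:", safe_to_render(SAMPLE))
```

Run as a script it lists the three findings in the sample (a deceptive link, a 1x1 tracking pixel, and a remote script) and reports that the message is not safe to render; the attached `cid:` image is left alone, which is the distinction kmail's "don't follow external links" mode draws. The audit only sees what is in the HTML itself, which is exactly the limitation the mail points out: content hidden inside an attached PDF or JS still needs its own inspection.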