On Wednesday 01 October 2003 22:02, bear wrote: > No, it is not. You can make a hyperdocument that is completely > self-contained and therefore "text", but that is not how HTML is > normally made. HTML can cause your machine to do things other than > display it, and to that extent it is "code", not text.
A small nit: HTML is, in fact, text. The effects you describe are the result of a client taking certain actions based on the text/html MIME type. That's the reason you use Pine (and I use Kmail). These clients (and others... yay, elm!) don't take unbidden actions to render HTML mail or cause executable attachments to execute. > You can't rely on "saving" an HTML document > and being able to read it years or decades later, because with > hypertext, maybe the part you're interested in (or need for evidence) > isn't even on the page you saved. True, but again, that's a property of HTML. That the HTML document was transmitted through mail is a side issue. It's not that email has been overloaded, through the use of MIME, to carry content other than text/plain. The problem is that certain MUAs have been built to take some default actions based on the MIME types received, and those clients have become (for whatever reason) popular among mail users of a, shall we say, non-technical bent. > The fact that sending HTML (and other code) through SMTP was not > considered a violation of SMTP has allowed a generation of mail > readers to become common that encourage mail viruses, macroviruses, > worms, and other malicious code. If we are interested in security, we > need some kind of protocol where we as a group just draw a line and > say "nothing but text through this port." SMTP is *already* such a protocol. Base-64 encoding (and UUENCODE before it) was designed to address the 7-bit gateway through which email once passed. MIME only describes and encapsulates non-textual content. (the first M originally stood for 'multimedia', not 'multipurpose') Some mail clients have evolved (or been designed *cough*outlook*cough*) to be infection vectors, but that's not the fault of the base transport protocol. It's the result of poor security decisions in the client design process. This is not to demonize MIME, either. Some applications, like PGP signatures, are elegant uses. Much better than the X-PGP-Signature header I was helping develop 10 years ago. There's nothing intrinsically wrong with extending mail to carry arbitrary content. The problem appears when the MUA is able to take some risky action with that content, whether automatically or through unwise user action. Grandma clicks on everything. Mail as a vulnerability is a client issue and a training issue. That said, I also despise HTML mail for all the reasons you describe. But between the September That Never Ended and the release of Mosaic, it's really no surprise that eye candy has become an imperative. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]