New E-Mail Vulnerability - Trust Your Neighbor? 186
Anonymous Coward writes: "According to this article in The New York Times (free registration required), a trick enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth. The vulnerability could facilitate the harvesting of e-mail addresses. Widely used e-mail programs that are vulnerable to the exploit (because they enable JavaScript) include Microsoft Outlook, Outlook Express and Netscape 6." A snippet from the article: "The potential for such e-mail spying was first discovered by Carl Voth, an engineer in British Columbia. 'What bothers me is that in this case, my vulnerability is a function of what you do,' Mr. Voth said. 'I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.'" "The Privacy Foundation, an educational and research organization based in Denver, plans to publicize and demonstrate the technique today."
Wrong! (Score:3)
It's a way to confirm the reading of a message.
How about "Plain Text" mode in Eudora (and equiv) (Score:2)
Further, my primary mail program (Eudora 4.22) is set to "send plain text only" and "don't ask". If I reply to or forward an HTML e-mail, all HTML is stripped out *before* sending (I tested it with an array of HTML spam "from the wild")
This setting should be basic netiquette (for email programs so equipped - and the feature should be *expected* for e-mail programs) Alas, in a world where even the carriage return is considered a nicety, I don't hold out much hope.
If you don't can't send javascript, the recipient can't carelessly mishandle it.
{I welcome any INFORMED, TESTED observations on the deficiencies of this method. One can never be too paranoid)
Don't forget to disable HTML viewing of e-mail (Warning: often the provided check-box alone is not sufficient), and be stingy about what programs are permitted to access the usual HTTP ports. These are virtually painless security procedures. I can't recall ever being particularly inconvenienced by them.
Re:Just don't use HTML Mail! (Score:1)
sometimes the benifits of HTML mail are important.
Such as? Particularly when HTML these days also means scripting languages, embedded objects, etc.
Re:Another reason to stick to the RFC (Score:2)
There are already mail clients (Gnus for one) which parse informal markup - _underlining_, *bold*, /italic/ - delimited sigs and URLs in plain text messages without any of the bandwidth or security implications.
You can have your cake and eat it :)
javascript is not needed, html will do (Score:1)
WTF!! RTFA! (Score:1)
This idiot obviously didn't read the article and then got modded up again for being a gimboid!
Re:Minor Nitpick (Score:2)
Javascript has been standardised by ECMA for some time. There have been many security issues, but it's not clear that alternative technologies for doing the same things would have been safer.
Re:Security models? (Score:1)
The difference between standing on the edge and falling off is a single step.
Enabling Javascript is like putting on a blindfold and running at full speed.
Why plain text and copy are best (Score:3)
That said, just as with web gnats/bugs, invisible GIFs, and suchlike, there are many ways to avoid this:
1. Use PINE. Who needs graphics anyway?
2. Turn off all Java, Javascript, etc and view all emails as Text. Then use the Copy and Paste functions to forward only the From:, Subject:, and Date: fields in the email along with the body of the text.
3. If you want to forward pictures or attachments, save them to a file, and convert any DOC or other embedded files to a non-embedded format such as ASCII Text. Then create an email and attach those new files instead.
4. Hunt down and launch boycotts and similar actions against the creators of these things. Show no mercy.
5. Send a copy of all such spam to all your legislators - municipal, county, state, federal, president/etc. Send it with the attachments and javascript. Include your name and adress in the forward so the spam software on their end will not put it in the spam box, and ask them what they will do about it. And send a copy to uce@ftc.gov for fun.
Security models? (Score:5)
One of the good things about client-side Java (rather than Javascript) is that it runs in a sandbox with a well defined security model that doesn't allow, for instance, content to be uploaded from the client machine unless you specifically say that that's OK by jumping through various hoops.
The post refers to two problems: firstly, Javascript making a connection from a client machine when the client user doesn't want that to happen, and secondly, mailreaders allow modifications (such as adding content) to an HTML document, but do not distinguishing between the original copy and the modified one. (By warning of embedded Javascript, or content stripping, or whatever).
The problem is more to do with client browsers having a crap security model rather than the idea of having HTML or Javascript in an email in itself.
I guess that most people who read or post to slashdot are happy with being able to use markups in their posts so they can italicise or embolden things or add links. HTML in text is a Good Thing here, are emails that different?
Active content is another step along the way, but I can't see that it is a Bad Thing, if the security model is good. I don't know enough about Javascript to comment about whether this is possible. Any comments?
Re:Another reason to stick to the RFC (Score:2)
Re:Active vs passive content in emails (Score:1)
----------
Trust Your Neighbor? (Score:1)
Re:Minor Nitpick (Score:2)
Only Microsoft, and WinIE in particular, are deliberately avoiding proper support for the standard DOM. But the subset of the W3C DOM that works in IE 5.5 is actually quite large and very useful.
Re:Security (Score:1)
Re:No free reg (Score:1)
Simple Fix: Edit sendmail.cf... (Score:3)
Here's a simple fix. Edit sendmail.cf.
Make a filter:
Any e-mail that comes to you with X-Mailer: Microsoft Outlook Express 5.50.4133.2400 or similar in the headers, gets relayed to /dev/null.
Soon, the Windows proles will realize that sending to you is fruitless and will eventually go away.
Okay, fine, it's not practical, but it would still be fun to do.
Or, you could use Outlook's many vulnerabilities to break into your boss's computer and change his Windows startup tune to this [216.138.194.68] in order to prove the point.
He doesn't use Outcast any more. I consider that to be a victory.
Re:Enable Javascript for Mail and News (Score:1)
My question is, why in the world would does the browser have it turned on by default? The end-user should have to go out of his way to enable JavaScript in email, not the other way around.
---
Re:Just don't use HTML Mail! (Score:1)
Although a great deal of the HTML features are utterly useless in a E-mail (e.g. scripting languages and JavaScript), sometimes the benifits of HTML mail are important.
Re:Our organization (Score:1)
Javascript =! Email (Score:1)
If I send the key for my front door in a transparent envelope, my doorlock is safe, the problem is my stupidity.
we're always at the mercy of neighbours (Score:2)
rr
Another reason to stick to the RFC (Score:3)
*THIS* type of vunerability is exactly one of the reasons that you should not be using HTML for email, particular with the email clients that use an embedded browser window to display the information. Because not only do you as a malicious email sender gain access to the bugs that arise from the email client itself (eg the ability to email everyone in the address book from a script), but bugs inherit from the browser.
The email RFC says to stick to plain text for all messages, and if you do that, the only bugs that you will encounter will be those that are from the mailers, and it will be very hard to trigger security problems such as this. You might complain about losing formatting and such, but that's also why the Rich Text format was developed; it carries enough of the HTML formatting that some need to emphasis email but none of the deadweight that can trigger security and privacy violations. Unfortunately, RTF wasn't highly accepted and after MS did a nice 'embrace and extend' of it, it was pretty much worthless.
Enable Javascript for Mail and News (Score:3)
I've been using that as long as I can remember, mainly to prevent Usenet spam posts from launching browser windows and such. I guess now there's an even better reason for it.
Of course, for mail I use pine and tkrat in console and X respectively, so I dont really care much about this.
Re:That's Why..... (Score:2)
I enjoy the soft glow of phosphorescent dots building the font's character.
I suspect you'd be happy in pre-reform Russia, where there was none of that annoying advertising or any bright colors on the street.
I suspect you live in Redmond, where Bill and his partners would never advertise you with any bright colors or loud music.
The Linux command prompt is a hairshirt of denial.
Whatever cranks your tractor.
there is a way to stop this.. (Score:1)
Re:I agree (Score:1)
Anyway, to somewhat come back on topic, showing of features course shouldn't include anything that constitute a security problem. In this case, I'd argue that the ideal case would have been a requester poping up first time the program is run, quickly informing you about the availability about javascript and its advantages and risks, and asking you if you still wanted it.
The REAL question, IMHO, is of course 'why on earth would you want javascript in mail?', but that would be a troll, I guess.
Re:Solution (Score:1)
David Martin, University of Denver
Re:Active vs passive content in emails (Score:1)
However, I do miss one thing about 'rich mail' - the ability to use tables. Frequently a table expresses data best, but I'm not going to take the time to hand-build it in vi.
Re:Minor Nitpick (Score:2)
Netscape Mail down since Sunday (Score:1)
Anyone here work for Netscape? Their web-based mail [netscape.com] has been down since sometime yesterday afternoon. Once you log in, you are forwarded to a page [netscape.com] that claims they're upgrading their system.
Since most web sites handle planned upgrades w/o a 24 hour downtime, does this mean they shut the system down to fix the JavaScript bug? (And even if so, how long does it take to add code to parse out <SCRIPT> tags anyway?)
Friends... (Score:1)
Re:Active vs passive content in emails (Score:1)
Active content doesn't enhance the e-mail experience for most users, nor does it increase their productivity to any measurable extent. For most people, what is important is the actual *content*, the presentation is in most real-world cases a secondary, trivial issue.
Your assertion that "people don't want any extra time or hassle in their emails" has some validity. It's unfortunately in direct opposition to your main argument, however. HTML-based e-mail is larger, slower, potentially a hassle across a heterogeneous array of e-mail clients, and subject to security issues that simply aren't present in standard text-only e-mail.
On the other hand, your assertion that "(business types) are not concerned about privacy issues" is simply naive at best. It's a cutthroat world and business users have things like trade secrets and confidential information to worry about. And I would suspect that most people, in a business environment or otherwise, would like to believe that their e-mail correspondance is private. I'd even go so far as to bet that the majority of users actually *believe* their e-mail is private, and would be upset to find out otherwise.
Disabling HTML in e-mails is not the solution to anything, but your original message was so patently silly that it merited a response. People should simply be better informed about their privacy and the implications of using e-mail. E-mail clients should be proactive about incorporating encryption and other privacy-related methods into themselves to make it easier for people to protect themselves. PGP and its ilk are too much work and hassle for the average user.
omega_rob
Re:Our organization (Score:1)
Aha! He was aiming for "malady" and missed the 'd'. Sometimes the smallest things cause the biggest problems of comprehension.
Re:Another reason to stick to the RFC (Score:1)
--
"take the red pill and you stay in wonderland and I'll show you how deep the rabbit hole goes"
That's Why..... (Score:1)
No free reg (Score:2)
Re:Minor Nitpick (Score:1)
You're right of course, that was a typo. Javascript is pure evil, while Java is only 90% evil.
--
Re:That's Why..... (Score:2)
That's why I can't see any HTML email. Oh sure, you could just ignore everyone that uses it, sorta like buying a Beta VCR and ignoring all those movies that come out on VHS.
Bah.
I use Pine on my Linux boxen and Eudora on my Windows boxen.
My main (and favorite) VCR is a Sony SL-HF500 Beta Hi-Fi.
I rent the new movies on DVD. If I like 'em, I toss a new cassette into the Beta, and hit record. ('Course, they're for personal use only, they may get two viewings before they hit the bulk-eraser.)
Cool thing about Beta, to liken it to e-mail clients, is that it's immune to video virii like Macrovision.
Security (Score:2)
Matt
ASCII Ribbon Campaign - Say NO to HTML in email (Score:3)
\ /
X ASCII Ribbon Campaign - Say NO to HTML in email
/ \
Originally created in Brazil by Tony de Marco
Better viewed in plain text
Re:AOL not affected? (Score:2)
Re:That's Why..... (Score:3)
I believe that any email that passes through webmail, or has html stripped by some email program like Eudora will be innoculated.
Add this to the list of things that web mail programs will have to check for though....
Text/Enriched (Score:2)
The few features of HTML which are actually useful in email are properly used by selecting the Text/Enriched MIME format, see RFC1896. [landfield.com]
Some mail gateways discard HTML before forwarding messages - more of them should.
Careful, you may be commiting a Felony [dmca] (Score:2)
Does the DMCA not currently state that by violating an access control measure, or publishing information to violate an access control measure that you are commiting a felony and may be subject to jail time and large fines?
You might want to be careful about being so helpful in the future. Let this be a lesson to all of us. Do not use such links for in doing them, you may commit a crime.
-- This batch of insanity brought to you from the letter C and your favorite federal government.
Re:Security models? (Score:2)
Surely the problem is with your "neighbour" who can forward anything he likes to whosoever he likes, not with the "technology" at all?
This is what GPG is about: you have a trust model that you can use to pin folks down more responsibly to what they send where, and when you no longer trust someone as much as before, you have the means to say so - making the incentive for them not to do nasty things to your private mails. In that regard, this is nothing new - pass on, nothing to see here.
~Tim
--
Re:Another reason to stick to the RFC (Score:2)
Why do you, the sender, need to know that I read your e-mail, much less be able to insert an arbitrary message body into that read receipt? You don't! It's not HTML/DOM/CSS support that's a problem here, it's the original designers that put a clear invasion of privacy into their mail protocol. E-mail was designed to mimic memoranda, and the parallel is pretty good -- but it isn't perfect. For my part, I'd rather that e-mail clients didn't ever send rr's; that would have been better design. If I want you to know that I read your mail, I'll respond, thank you very much.
HTML e-mail is pervasive because the bulk of users find it useful. Just because you and I don't doesn't make it less useful to them.
This much has always been true... (Score:2)
This much has always been true in ANY private communication. The point of failure will always be what steps the recipient takes/doesn't take to protect that information. In order to communicate with another humna being, this risk is inherent.
Singing "Paranoia may destroy yaaa..."
Dancing Babies and other Trojan Horses... (Score:2)
You don't need some technological trick to harvest emails. Just up a web page with an inane joke, animated gif, etc. and include a button that says, "Email to a Friend!". Voila! You've just harvested the email addresses of everyone who received an email from anyone who though the web page was even faintly amusing.
The only defence, until people start treating other peoples emails with more respect, is to keep two accounts. I personally only give out my work address, except to close and technically aware friends, at least then I get paid to read spam...
Active Content Has Its Uses (Score:2)
I think that HTML has its place in the email world, whether we like it or not. At work our help desk has to respond to emails from other internal departments where they are having trouble with something. And anyone who's tried to help out a friend who doesn't know too much about computers should realize that its incredibly hard to use the phone or even a text email to convey how to do things.
Even the syntax Start -> Settings -> Control Panel -> Display Properties confuses most of them. So the solution that works is to put screenshots to illustrate how to do it. There really isn't any more elegant way short of physically finding the caller and working at his/her desk.
So agreed, we open up the security can of worms when we allow HTML. Perhaps there are solutions... non-HTML ways? Or only allowing internal email html to access resources (images) on the internal network? But many workplaces have important uses for the extra features with HTML, so instead of choosing the easy way out, (abolish HTML) perhaps we can find a better solution, if only out of necessity.
Educate your users! (Score:2)
As you acknowledge, "a great deal of the HTML features are utterly useless in a E-mail." So why not educate others of this fact, instead of chopping it down to a black-and-white issue of all HTML or none at all.
Most users are not stupid, merely ignorant of some details. There is a difference, and much of this ignorance is due to techies that can't clearly express themselves.
Re:Another reason to stick to the RFC (Score:2)
The email RFC says to stick to plain text for all messages, and if you do that, the only bugs that you will encounter will be those that are from the mailers, and it will be very hard to trigger security problems such as this. You might complain about losing formatting and such, but that's also why the Rich Text format was developed
Alternativly there is markup of the human readable kind. e.g. *bold* _underline*, etc. Which an hald decent program can understand.
Re:Minor Nitpick (Score:2)
Absolutely correct. But the point is that they both blow goats when implemented in email clients. As Beavis and Butthead point out - "You can't polish a turd."
Actually, they both blow goats in web sites too, but that's not relevant to the bit about turd-polishing or lusers who don't know the difference between a web browser and an email client ;)
Re:Another reason to stick to the RFC (Score:4)
Let's say, in my HTML email with your client, I sent: <IMG SRC="mysecret.server.com/cgi/tracker.pl" HEIGHT=1 WIDTH=1> Where in the tracker.pl script, I just query the HTTP environment variables to tell what host the request came from and another other juicy details I might get, then return a 1x1 GIF image. There's no Javascript, and I don't need you to click on anything -- I just need you to open it and I can get information.
HTML email is still very dangerous, and should be avoided.
RFC1896 (Score:2)
I agree with you this is a bug not a feature, however, if you were not prepared to offer a non-buggy way to make the users who expect this happy, that might legitimately have earned you such an epithet.
Face it, the typical e-mail user these days does expect some formatting capabilities. There is a way to do this without diving into html-hell. See this. [landfield.com] The Text/Enriched MIME format was designed to provide formatting capabilities that many users desire without the never-ending problems entailed by using HTML out of place. The makers of Pegasus Mail have taken a very usable approach to satisfy users desires with the minimal messiness on the other end - HTML messages incoming can be parsed internally with a minimal module that only understand the most commonly used and innocous tags, handed off to an external browser for parsing, or simply stripped to text. Formatted messages are normally sent using Text/Enriched, RTF is also available as an option (very useful if you know the recipient to be on a windows box.) So the pmail users can receive these annoying things and read them fine, but when they forward/reply they don't perpetuate the madness.
Re:Failure of non-HTML text formatting... (Score:2)
A Primary design criteria is that the results should be human readable. e.g. formatting with hard returns and short tags...
Possible solution (Score:2)
I'm seriously plan to start using it Real Soon Now(TM), but getting rid of the current ones (and redoing all the subscriptions etc etc) will be a PITA. Yeah, I'm lazy. Sue me.
Re:It's going to get worse (Score:2)
Re:Wrong! RTFA! (Score:2)
Who labelled the parent of this message insightful? RTFA!
Easy fix... (Score:2)
Old News (Score:2)
http://www.privacyfoundation.org/education/webbug
Re:Security models? (Score:2)
Re:Another reason to stick to the RFC (Score:2)
Re:Security models? (Score:2)
Yeees, except that the Internet's a dangerous place and you have to accept that horrible people will try to do horrible things. So, trying to enforce accountability and honesty is a good thing, but you also have to protect yourself with appropriate software.
Re:Another reason to stick to the RFC (Score:2)
Re:Careful, you may be commiting a Felony [dmca] (Score:2)
Information must be Free - Knowledge comes at a price, that of eternal vigilance, plus a quarter for a phone call.
Re:Another reason to stick to the RFC (Score:2)
Re:Enable Javascript for Mail and News (Score:2)
The annoying thing is that you have to jump through lots of hoops to do so (set Outlook as "Restricted Sites Zone", disable everything - don't forget that awful ActiveX - and then not turn on defaults again). Whoever designed this stuff should be permanently barred from the industry.
Re:Enable Javascript for Mail and News (Score:2)
There are certain risks with your information, and as soon as you give that information to ANYONE, you are subject to their sensiblities.
An email address that no one knows is nothing...
Delete the Javascript in your reply (Score:2)
Your neighbor could, of course, copy your message into another message with the Javascript.
Trust Your Neigbor? (Score:2)
Minor Nitpick (Score:4)
Javascript isn't Java, they aren't even related in any way. Java is the architecture-neutral, object-oriented, portable, distributed, robust and secure programming language created by Sun Microsystems that can be used to create applets or standalone applications. Javascript is a scripting language originally designed for embedding in browsers which was created by Netscape in a braindead attempt to win the browser wars which instead fragmented the HTML and brought major insecurity to the web.
Finally I doubt that any email clients are actually Java enabled (i.e. can launch applets, etc).
Grabel's Law
Re:Minor Nitpick (Score:2)
Java may be used in the applet framework, and that may have been part of the early vision of Java but that's now just a sideline to server-side Java, where the ability to build large scale apps without the syntactic complexity of C++ lets you push out business logic with fewer worries about internals.
In general though, the languages are often perceived as a combination of syntax, general usage characteristics, and standardized/available APIs. Java is incredibly different from JavaScript in all of these ways, and the association with "the web" is an artifact of one particular use of Java.
Re:Another reason to stick to the RFC (Score:2)
Perhaps all us text based mail people should start enclosing our mails in HTML flash tags...
Re:Minor Nitpick (Score:2)
The point is that a standard that you can't assume support for is a fairly ineffective standard - within a year of so, I think the standard will be pretty much accepted, or at least I hope so. Better to make people download an up-to-date, standards-compliant browser than to have to code 4 different versions of your site.
Of course, the problem is that e-commerce sites can't afford to take that kind of approach. But non-profit sites, general interest sites, etc. can. If they stick to standards compliance, they will drive most people to use standards compliant browsers. And once the market-share of DOM compliant browsers approaches 80% or so, people will stop coding shit for those old nasty browsers.
Email tracking (Score:2)
Heh, this I find interesting. I remember swareing up and down that getting a virus through email was imposible once, to.
So, does this means..... (Score:5)
Re:That's Why..... (Score:3)
--
Re:Another reason to stick to the RFC (Score:2)
> I've yet to see any specific standard for HTML
> email.
Then reread the MIME RFCs.
> do you send it as an attachment? as the message?
> with the plain text version of message?
MIME allows all three. Sending your intended message body as an attachment would be confusing and I don't know why you'd want to do that. That leaves you with the choice of whether you want to send HTML only, or whether you want to send in both formats and let the recipient choose. For the former, you use "Content-Type: text/html" for the message body, and for the latter you use "Content-Type: multipart/alternative" with "text/html" and "text/plain" subparts.
> even two html-award email clients may view HTML
> differently
This is a feature. The HTML should be rendered according to the recipient's preferences. This is actually a great feature of HTML --- I'm sick of reading email wrapped to the sender's screen width instead of my screen width.
> If you have to send something else besides text,
> MIME attachments are the right and RFC'd way to
> go.
You seem to be unaware that MIME lets you choose types for the body of the message too, including options such as "multipart/alternative" that let you provide the same content in different formats. Better reread the RFCs.
Java isn't Javascript (Score:4)
Java is rather secure as can be seen by reading any of the numerous [securingjava.com] articles [securingjava.com] on the web about it [uct.ac.za]. Javascript on the other hand is a disaster which was foisted on us by Netscape and excarberated by Microsoft.
PS: You do realize that the NY Times article [nytimes.com] is discussing a Javascript exploit and not a Java one, right?
Grabel's Law
Re:Minor Nitpick (Score:2)
But of course, these are about the only similarites involved. Not too surprising, that is enough to confuse most people.
I hate netscape engineers (or was it marketers) for coming up with the name javascript, if they had called it anything else, most people wouldn't have this problem.
Re:Another reason to stick to the RFC (Score:2)
Failure of non-HTML text formatting... (Score:2)
Text/enriched seems to cover this (RFC 1896), but that is Eudora's failed attempt.
I would look for most mailers to move to where they get rid of image-fetching and JavaScript.
Re:Another reason to stick to the RFC (Score:2)
But to blame this on HTML is mistaken. HTML is just a language allowing you to mark up paragraphs, headings, lists and so on. The problem comes from those who are implementing HTML readers and making them automatically execute fragments of code and automatically download images which are linked to.
Re:Failure of non-HTML text formatting... (Score:2)
Re:Active Content Has Its Uses (Score:2)
The uses I can think of are SPAM - and teenage entertainment.
As far as advertising goes, it would be better so send a person to the legitimate company webpage. Then we can contact the service provider, and get their account cancelled.
As far as teenage entertainment, I suppose there is no accounting for tastes, and I can tolerate occasional emails with fluttering hearts and excessive cuteness from my little sister. (it's family after all)
In a business context, there is a need to get sales types more clued in. I have heard more war stories of sales types getting sent full fize presentation files as attachments in email while on the road on a flaky dial-up, never mind the clients that receive a flash website in their email. There has to be a better solution for that kind of stuff.
Re:Another reason to stick to the RFC (Score:3)
HTML email may or may not be a good idea, but don't try invoking the RFCs to stamp it out, because they're not on your side.
Re:That's Why..... (Score:2)
In true open source style, the bug was fixed pretty quickly and recent versions are, AFAIK, safe.
--
Re:That's Why..... (Score:2)
Our organization (Score:2)
----
"I can be careful, I'm still vulnerable." (Score:4)
Active vs passive content in emails (Score:3)
This is going to further fuel the debate over whether or not email and news posting should consist of active (JavaScript, DHTML and so on) or passive (plain text, HTML) content. I suppose really it depends on what sort of person you are.
Whilst technically you can convey whatever information you want through the use of plain text (maybe using some *emphasis*) and attachments, for many this is a solution which is less convenient for them - it requires more clicks or keypresses to access, and doesn't present the information in quite such an integrated manner. And in the business world the phrase "time equals money" has been given the status of a law, with companies paying out huge sums of cash to time management consultants and the like. These people don't want any extra time or hassle in their emails, not when they're receiving well over a hundred every day.
For business types active content and embedded files mean more productivity and an easier email experiance. They're not concerned about privacy issues, and if they are then well, it's the job of the IT guys, right? So this sort of bug is inevitable - either you cripple active content - somthing that's too late to do - or you try and provide rock solid security - a challenge people seem only too willing to take on.
It all depends on a) your willingness to expose yourself to risk, and b) your desire for presentation and convenience. Seeing as the web has moved from text-based to graphics-based in the majority, I think the future of email is going to be the same, whether we like it or not.
Desensitized (Score:2)
Re:Delete the Javascript in your reply (Score:2)
Someone should hack this into Mozilla right away.
Re:Security (Score:3)
The lesson is that active documents are a bad idea, unless they have extremely well thought out security infrastructures. Does anyone have pointers to such infrastructures?
Let me also ask my standard question that I've been asking since I first heard of web-bugs: how come there isn't a standard for sending out self contained html document clusters -- several linked pages, with all the graphics and files they need to be viewed? You could then use the standard "you are about to view and insecure page" when you click on any external links they might have.
the point (Score:4)
Re:Old News - October 5, 1998 (Score:2)
http://www.geocities.com/ResearchTriangle/Facility /8332/reaper-exploit-release.html [geocities.com]
Re:Our organization (Score:2)
Re:That's Why..... (Score:2)
Re:That's Why..... (Score:2)
I use pine. You have my email address. Now try it.