Web lists-archives.com

Re: Claws-mail - which plugin for html mails?




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jun 27, 2018 at 02:47:17PM -0700, Patrick Bartek wrote:
> On Wed, 27 Jun 2018 22:19:53 +0200
> Aldo Maggi <aldo.maggi@xxxxxxxx> wrote:
> 
> > It is now more than one year I have to manually  send html content to
> > a browser to see it

[...]

> I checked around the last time you posted this query.  Couldn't
> find it [...]

> I'm sure that "security problem" has been fixed. That was from when
> Wheezy was Stable.

To be fair, HTML mails dont "have" this or that "security problem", they
are a *constant source* of security problems. Be it that they use links
that auto-resolve (yes, you can disable loading images, and most sensible
MUAs do it, but what about CSS? Do you know what other resources HTML is
set to load?).

For one recent example on how HTML mail can subvert (S-MIME) encryption,
see efail [1] (and no, don't follow EFF's recommendation quoted there
to disable PGP -- better disable HTML).

The biggest problem (apart from its sheer complexity) is that HTML is
a moving target: soon it won't be HTML without Javascript. Me? I don't
want my mail user agent executing programs sent by some random spammer,
thankyouverymuch.

Cheers

[1] https://arstechnica.com/information-technology/2018/05/decade-old-efail-attack-can-decrypt-previously-obtained-encrypted-e-mails/

- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAls0gkcACgkQBcgs9XrR2kZWMACfbZRSQtidhrjCHXMdkTJDvq3s
NlgAnArXEipedrlOcZonvIddiT7ECYnY
=K7jn
-----END PGP SIGNATURE-----