Re: Claws-mail - which plugin for html mails?
- Date: Thu, 28 Jun 2018 08:37:59 +0200
- From: <tomas@xxxxxxxxxx>
- Subject: Re: Claws-mail - which plugin for html mails?
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, Jun 27, 2018 at 02:47:17PM -0700, Patrick Bartek wrote:
> On Wed, 27 Jun 2018 22:19:53 +0200
> Aldo Maggi <aldo.maggi@xxxxxxxx> wrote:
> > It is now more than one year I have to manually send html content to
> > a browser to see it
> I checked around the last time you posted this query. Couldn't
> find it [...]
> I'm sure that "security problem" has been fixed. That was from when
> Wheezy was Stable.
To be fair, HTML mails dont "have" this or that "security problem", they
are a *constant source* of security problems. Be it that they use links
that auto-resolve (yes, you can disable loading images, and most sensible
MUAs do it, but what about CSS? Do you know what other resources HTML is
set to load?).
For one recent example on how HTML mail can subvert (S-MIME) encryption,
see efail  (and no, don't follow EFF's recommendation quoted there
to disable PGP -- better disable HTML).
The biggest problem (apart from its sheer complexity) is that HTML is
want my mail user agent executing programs sent by some random spammer,
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----