Reliance on Microsoft called risk to U.S. security
lists at notatla.org.uk
Thu Oct 2 03:58:41 EDT 2003
From: bear <bear at sonic.net>
> Heh. You looked at my mail headers, didn't you? Yes, I use pine -
> primarily *because* of that property. It treats all incoming messages
> as text rather than live code.
BUGTRAQ in the last 3 years lists over 80 mails on pine - including
reference to this recently:
http://www.idefense.com/advisory/09.10.03.txt
which also appears in candidates on cve.mitre.org.
(Mitre seem to take unreasonable time in converting candidates to
definite problems unless I'm misunderstanding their website.)
> [HTML mail] can cause your machine, specifically, to make network
> connections to get graphics, style sheets, etc, and will not display
That could include web bugs for spammers. I agree it's ridiculous to
read mail in a browser but a conventional MUA has risks too.
I write all mail to disk and view it with my favourite text editor.
This is convenient with practice. Now I only want MUAs for sending
mail (it's worth it to get the correct references in my reply headers).
I use this script on one of my accounts where I accept HTML mail
(reluctantly from a hotmail user).
http://www.notatla.org.uk/SOFTWARE/text_lover_mail_filter.plx
The HTML conversion is done by lynx (confined by SubDomain).
This practice can result in running "mimencode -u" and "metamail -w"
on a few things. It's not that common for a non-text message to get
past my procmail rules and have me choose to read it.
This is all pretty simple but certainly not mass-market. I must order a
"told you so" rubber stamp for when my monocultural acquaintances get hacked.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
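
The practice described in the message above (treat mail on disk as inert text, never render or fetch anything), sketched as an added example; this is not the poster's Perl filter and does not use lynx. It reduces an HTML part to visible text with Python's standard library, lists the remote URLs a rendering client would have fetched, and leaves other parts undecoded. The sample message, the function name `read_as_text` and the class `TextOnly` are constructed for illustration.

```python
import email.policy
from html.parser import HTMLParser

# Constructed sample message (not taken from the post or from any real mail).
SAMPLE = b"""\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>HTML <b>hello</b></p><script>alert(1)</script>
<img src="http://tracker.example.net/open.gif?id=42" width="1" height="1">
--b1
Content-Type: application/octet-stream

AAEC
--b1--
"""

class TextOnly(HTMLParser):  # keeps visible text, records URLs a renderer would fetch
    def __init__(self):
        super().__init__()
        self.text, self.remote, self.hidden = [], [], 0
    def handle_starttag(self, tag, attrs):
        self.hidden += tag in ("script", "style")  # entering non-visible content
        self.remote += [v for n, v in attrs
                        if n in ("src", "background") and v and "//" in v]
    def handle_endtag(self, tag):
        self.hidden = max(0, self.hidden - (tag in ("script", "style")))
    def handle_data(self, data):
        if not self.hidden and data.strip():
            self.text.append(data.strip())

def read_as_text(raw):
    """Return (text, remote_urls, skipped_types); nothing is fetched or executed."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    texts, remote, skipped = [], [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            texts.append(part.get_content().strip())
        elif ctype == "text/html":
            parser = TextOnly()
            parser.feed(part.get_content())
            parser.close()
            texts.append(" ".join(parser.text))
            remote.extend(parser.remote)
        elif not part.is_multipart():
            skipped.append(ctype)  # reported by type only, never decoded here
    return "\n".join(texts), remote, skipped
```

The list of remote URLs is where a web bug would show up: the 1x1 image is reported, not requested.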