[kubuntu-devel] Re: HTML by default in KMail

Ralph Janke txwikinger at ubuntu.com
Fri Aug 6 18:20:38 BST 2010

On 08/06/2010 12:59 PM, Scott Kitterman wrote:
> On Friday, August 06, 2010 10:06:34 am Jonathan Riddell wrote:
>> On Fri, Aug 06, 2010 at 09:47:24AM -0400, Scott Kitterman wrote:
>>> I agree with this.  Yes, plain text by default may seem a bit old
>>> fashioned, but HTML by default opens a large number of additional code
>>> paths to potential exploits (and it appears to be very difficult to
>>> write secure HTML parsers).
>> Nothing that isn't already open through a web browser.
>> What are the potential security problems with HTML rendering?  I can
>> imagine some HTML being able to crash the renderer.  I can't imagine
>> it being able to do anything worse.  (Javascript, java,<object>s etc
>> being turned off)
> I don't know.  Just plain HTML is not extraordinarily risky.  Upon reflection I
> think the more important concern with HTML is probably URL obfuscation and
> users going to sites that are not the ones they expect.  Once the URL is
> clicked, then the browser (with Javascript, etc) comes into play.
> I'd rather focus on making the click through better than changing the default.
> It might just be I'm too much of a traditionalist.
> Scott K
Already the automatic loading of images or other links in the document 
are a problem. A sender can through that basically monitor if and when 
you read an e-mail.

Ralph (txwikinger)

More information about the kubuntu-devel mailing list