[kubuntu-devel] Re: HTML by default in KMail
Ralph Janke
txwikinger at ubuntu.com
Fri Aug 6 18:20:38 BST 2010
On 08/06/2010 12:59 PM, Scott Kitterman wrote:
> On Friday, August 06, 2010 10:06:34 am Jonathan Riddell wrote:
>
>> On Fri, Aug 06, 2010 at 09:47:24AM -0400, Scott Kitterman wrote:
>>
>>> I agree with this. Yes, plain text by default may seem a bit old
>>> fashioned, but HTML by default opens a large number of additional code
>>> paths to potential exploits (and it appears to be very difficult to
>>> write secure HTML parsers).
>>>
>> Nothing that isn't already open through a web browser.
>>
>> What are the potential security problems with HTML rendering? I can
>> imagine some HTML being able to crash the renderer. I can't imagine
>> it being able to do anything worse. (Javascript, java, <object>s etc
>> being turned off)
>>
> I don't know. Just plain HTML is not extraordinarily risky. Upon reflection I
> think the more important concern with HTML is probably URL obfuscation and
> users going to sites that are not the ones they expect. Once the URL is
> clicked, then the browser (with Javascript, etc) comes into play.
>
> I'd rather focus on making the click through better than changing the default.
> It might just be I'm too much of a traditionalist.
>
> Scott K
>
>
Already the automatic loading of images or other links in the document
is a problem. Through that, a sender can basically monitor if and when
you read an e-mail.
Ralph (txwikinger)
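
Added example, not part of the original thread: a small Python check for the two concerns raised above, remote content that is fetched automatically when an HTML mail is rendered (which tells the sender if and when it was read) and links whose visible text names a different host than the real target. The sample message, the hostnames and the names audit, MailAudit and host_of are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL is fetched as soon as the message is rendered (no click needed).
AUTO_LOAD = {"img": "src", "link": "href", "iframe": "src"}

def host_of(s):  # lower-cased hostname of a URL-looking string, else None (heuristic)
    s = s.strip()
    if not s or " " in s or "." not in s:
        return None
    try:
        return urlsplit(s if "://" in s else "http://" + s).hostname
    except ValueError:  # malformed URL, e.g. broken IPv6 literal
        return None

class MailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_loads = []      # (tag, url): reveals if and when the mail was read
        self.mismatched_links = []  # (visible text, href): text names another host
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(AUTO_LOAD.get(tag, ""), "") or ""
        if url.lower().startswith(("http://", "https://")):
            self.remote_loads.append((tag, url))
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            shown, real = host_of(text), host_of(self._href)
            if shown and real and shown != real:
                self.mismatched_links.append((text, self._href))
            self._href = None

def audit(html_body):
    parser = MailAudit()
    parser.feed(html_body)
    return parser.remote_loads, parser.mismatched_links

# Constructed sample message; all hostnames are placeholders.
SAMPLE = """<p>Statement: <a href="http://login.example.net/s?u=42">www.example-bank.test</a></p>
<p><a href="https://www.example.org/help">Help pages</a></p>
<img src="https://img.example.net/open.gif?msg=42" width="1" height="1">
<img src="cid:logo@local">"""
```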