[kubuntu-devel] Re: HTML by default in KMail

Scott Kitterman ubuntu at kitterman.com
Fri Aug 6 18:49:02 BST 2010


On Friday, August 06, 2010 01:20:38 pm Ralph Janke wrote:
> On 08/06/2010 12:59 PM, Scott Kitterman wrote:
> > On Friday, August 06, 2010 10:06:34 am Jonathan Riddell wrote:
> >> On Fri, Aug 06, 2010 at 09:47:24AM -0400, Scott Kitterman wrote:
> >>> I agree with this.  Yes, plain text by default may seem a bit old
> >>> fashioned, but HTML by default opens a large number of additional code
> >>> paths to potential exploits (and it appears to be very difficult to
> >>> write secure HTML parsers).
> >> 
> >> Nothing that isn't already open through a web browser.
> >> 
> >> What are the potential security problems with HTML rendering?  I can
> >> imagine some HTML being able to crash the renderer.  I can't imagine
> >> it being able to do anything worse.  (Javascript, java, <object>s etc
> >> being turned off)
> > 
> > I don't know.  Just plain HTML is not extraordinarily risky.  Upon
> > reflection I think the more important concern with HTML is probably URL
> > obfuscation and users going to sites that are not the ones they expect. 
> > Once the URL is clicked, then the browser (with Javascript, etc) comes
> > into play.
> > 
> > I'd rather focus on making the click through better than changing the
> > default. It might just be I'm too much of a traditionalist.
> > 
> > Scott K
> 
> Already the automatic loading of images or other links in the document
> are a problem. A sender can through that basically monitor if and when
> you read an e-mail.
> 

Agreed, but that's not what's on the table.  There is a separate check for 
that and we aren't discussing changing it.

Scott K
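
The two risks raised in this thread can be checked for before an HTML part is rendered: link text that names one site while the href points to another, and remote images that report when a message is opened. The following is an added example, not code from KMail or from anyone posting in this thread; the names `MailHtmlAudit`, `host_of` and `audit` and the sample body are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
WEB = ("http://", "https://")

def host_of(url):
    # Host of a URL or bare domain, lower-cased; None if it cannot be parsed.
    try:
        return urlsplit(url if "://" in url else "http://" + url).hostname
    except ValueError:
        return None

class MailHtmlAudit(HTMLParser):  # hypothetical pre-render check
    def __init__(self):
        super().__init__()
        # (visible text, actual href) pairs; URLs fetched as soon as the mail is shown
        self.mismatched_links, self.remote_loads = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag in ("img", "iframe", "link"):
            src = a.get("src") or a.get("href") or ""
            if src.lower().startswith(WEB):
                self.remote_loads.append(src)
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text, href = "".join(self._text).strip(), self._href
            self._href = None
            if (URL_LIKE.match(text) and href.lower().startswith(WEB)
                    and host_of(text) != host_of(href)):
                self.mismatched_links.append((text, href))

def audit(html):
    parser = MailHtmlAudit()
    parser.feed(html)
    return parser.mismatched_links, parser.remote_loads

# Constructed sample body (not from the thread).
SAMPLE = """<p><a href="http://login.example.net/verify">https://www.example.com/account</a>
<a href="https://www.example.com/help">Help centre</a></p>
<img src="http://tracker.example.org/open.gif?id=constructed" width="1" height="1">
<img src="cid:logo@example.com">"""
```

Hosts are compared exactly, so `www.example.com` and `example.com` count as different sites; inline `cid:` images are not reported because they load from the message itself.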


