[kubuntu-devel] Re: HTML by default in KMail
Scott Kitterman
ubuntu at kitterman.com
Fri Aug 6 18:49:02 BST 2010
On Friday, August 06, 2010 01:20:38 pm Ralph Janke wrote:
> On 08/06/2010 12:59 PM, Scott Kitterman wrote:
> > On Friday, August 06, 2010 10:06:34 am Jonathan Riddell wrote:
> >> On Fri, Aug 06, 2010 at 09:47:24AM -0400, Scott Kitterman wrote:
> >>> I agree with this. Yes, plain text by default may seem a bit old
> >>> fashioned, but HTML by default opens a large number of additional code
> >>> paths to potential exploits (and it appears to be very difficult to
> >>> write secure HTML parsers).
> >>
> >> Nothing that isn't already open through a web browser.
> >>
> >> What are the potential security problems with HTML rendering? I can
> >> imagine some HTML being able to crash the renderer. I can't imagine
> >> it being able to do anything worse. (Javascript, java, <object>s etc
> >> being turned off)
> >
> > I don't know. Just plain HTML is not extraordinarily risky. Upon
> > reflection I think the more important concern with HTML is probably URL
> > obfuscation and users going to sites that are not the ones they expect.
> > Once the URL is clicked, then the browser (with Javascript, etc) comes
> > into play.
> >
> > I'd rather focus on making the click through better than changing the
> > default. It might just be I'm too much of a traditionalist.
> >
> > Scott K
>
> Already the automatic loading of images or other links in the document
> is a problem. A sender can through that basically monitor if and when
> you read an e-mail.
>
Agreed, but that's not what's on the table. There is a separate check for
that and we aren't discussing changing it.
Scott K
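
The two concerns raised in this thread, link text that names a different host than the link target and remote images that load when a message is rendered, can both be checked mechanically. The following Python example is added here and is not from the thread or from KMail; `host_of`, `MailLinkAudit`, `audit` and the sample message body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (reserved example.* domains), not taken from the thread.
SAMPLE = (
    '<p>Sign in at <a href="http://login.example.net/x">www.example.com</a> or '
    'read the <a href="http://www.example.com/help">help page</a>.</p>'
    '<img src="http://tracker.example.net/open.gif?id=42"><img src="cid:logo">')

def host_of(value):
    """Return the lowercase host if value looks like a URL or bare host, else None."""
    if " " in value or "." not in value:
        return None          # ordinary link text such as "help page"
    if "://" not in value:
        value = "//" + value  # let urlsplit treat "www.example.com" as a host
    try:
        return (urlsplit(value).hostname or "").lower() or None
    except ValueError:
        return None

class MailLinkAudit(HTMLParser):  # hypothetical helper, not a KMail component
    def __init__(self):
        super().__init__()
        self.mismatches, self.remote = [], []  # (text, href) pairs; auto-loaded URLs
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and (a.get("src") or "").lower().startswith(("http://", "https://")):
            self.remote.append(a["src"])  # fetched on render: reveals if/when mail is read

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            shown, real = host_of(text), host_of(self._href.strip())
            if shown and real and shown != real:
                self.mismatches.append((text, self._href))
            self._href = None

def audit(html):
    p = MailLinkAudit()
    p.feed(html)
    p.close()
    return p.mismatches, p.remote
```

Calling `audit(SAMPLE)` flags the first link, whose visible text shows one host while the target is another, and reports the one image that would be fetched over HTTP; the `cid:` image is embedded in the message and causes no network request.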