HTML by default in KMail

Aurélien Gâteau aurelien.gateau at canonical.com
Mon Aug 9 09:28:20 BST 2010


On 06/08/2010 12:28, Jonathan Riddell wrote:
> 
> At Akademy I queried the current and past KMail maintainers about HTML
> by default in e-mails.  They seemed to agree that it was a bit old
> fashioned to be keeping it off and agreed it would be fine to turn it
> on by default (in Kubuntu and upstream).  It seems unfriendly to me to
> show a message with most e-mails that the programme is hiding
> something from the user.
> 
> KMail has large warnings in its config box about security problems
> that might magically appear.  I can imagine it would help with
> phishing.  I could also imagine javascript security problems, although
> I'd hope javascript isn't allowed in Kmail e-mails I could be wrong.

Turning HTML on for *displaying* email is something I have done every
time I introduced someone to KMail. If this option is not on then KMail
is perceived as less powerful than their previous email client.
Therefore I too believe HTML should be on by default for *displaying*
emails, as long as loading of external references is disabled. With this
configuration KMail shouldn't end up being more vulnerable than
Evolution, Thunderbird or any web mail.

What does showing email in plain text protect you from?

It does not protect you from the rogue links of a phish email (i.e.
something like <a href="http://evil.com">google.com</a>): you can't
expect someone trying to abuse you with rogue links to provide a
plain-text version with readable nasty links.

It does not protect you against spam messages phoning home to confirm
your email address is valid. You are protected from this as long as the
"Allow messages to load external references from the Internet" option is
unchecked.

It does not protect you against messages containing nasty Javascript:
the viewer widget is explicitly created with disabled Javascript, Java
and plugins options [1].

It does protect you against rogue HTML which could exploit a security
hole in your HTML renderer to execute rogue code on your machine. *But*
it only protects you if you are able to detect the email is rogue from
the information provided without reading the message content (i.e. sender
and subject).
This kind of attack requires much more technical skills than phishing
(which only requires social skills) and is much less likely to work in a
cross-email client way, so I assume it's not very widespread, if
existing at all, as one would need to write a KMail-specific spam
message for it to work (but IANASE, I Am Not A Security Expert :) )

Aurélien

[1]:
http://websvn.kde.org/branches/KDE/4.4/kdepim/messageviewer/viewer_p.cpp?view=markup
, look for initHtmlWidget, line 1279 at the time of this writing.
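The three protections the message above discusses (external references not loaded, no script or event handlers, and deceptive `<a href="http://evil.com">google.com</a>` links) are easy to see in code. The following is an added, self-contained Python example written for this page; it is not KMail's code, nor the `initHtmlWidget` code the footnote points at. It uses only the standard library's `html.parser`, and the sample message it runs on is constructed for the example (the hostnames `evil.com`, `tracker.example` and the `cid:logo@example` attachment reference are made up). It rewrites message HTML so that remote `src` references are dropped and recorded, `script`/`style`/`iframe`/`object` content and `on*` attributes are removed, and any link whose visible text looks like a host or URL but points at a different host is reported.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose content is dropped entirely, and tags dropped but whose
# content is kept (all are either code-bearing or fetch remote data).
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}
DROP_TAG_ONLY = {"link", "meta", "base", "embed", "form"}
# Attributes that cause the renderer to fetch something.
FETCH_ATTRS = {"src", "poster", "background", "data"}
# Visible link text that "looks like" a host or URL, e.g. "google.com".
HOSTLIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _host(text):
    """Hostname of a URL or bare host, with a leading 'www.' removed."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _is_remote(url):
    """True for references that would leave the machine (phone home)."""
    return url.startswith("//") or urlparse(url).scheme in {"http", "https", "ftp"}


class MailHtmlFilter(HTMLParser):
    """Rewrite message HTML as a viewer with 'no external references' and
    'no JavaScript' would, and record what it blocked or found suspicious."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.blocked_refs = []       # remote URLs that were not loaded
        self.suspicious_links = []   # (href, visible text) that disagree
        self._skip = 0               # >0 while inside a DROP_WITH_CONTENT tag
        self._href = None            # href of the <a> currently open
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = 1
            return
        if tag in DROP_TAG_ONLY:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):                     # onclick, onload, ...
                continue
            if name in FETCH_ATTRS and value and _is_remote(value):
                self.blocked_refs.append(value)           # would phone home
                continue
            if name == "href" and value and value.strip().lower().startswith("javascript:"):
                continue
            kept.append((name, value))
        if tag == "a":
            self._href = dict(kept).get("href")
            self._link_text = []
        attr_text = "".join(
            ' %s="%s"' % (n, html.escape(v, quote=True)) if v is not None else " " + n
            for n, v in kept)
        self.out.append("<%s%s>" % (tag, attr_text))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)                  # <br/>, <img/>: no end tag

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag in DROP_TAG_ONLY:
            return
        if tag == "a":
            text = "".join(self._link_text).strip()
            # Text that reads as a host/URL but leads elsewhere is a phish sign.
            if self._href and HOSTLIKE.match(text) and _host(text) != _host(self._href):
                self.suspicious_links.append((self._href, text))
            self._href = None
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self._skip:
            return
        if self._href is not None:
            self._link_text.append(data)
        self.out.append(html.escape(data, quote=False))


def filter_mail_html(message_html):
    """Return (cleaned HTML, blocked remote references, suspicious links)."""
    f = MailHtmlFilter()
    f.feed(message_html)
    f.close()
    return "".join(f.out), f.blocked_refs, f.suspicious_links


# Constructed sample message: a deceptive link, a tracking pixel, an inline
# (cid:) image that is fine to show, inline script and an event handler.
SAMPLE_MAIL = """<html><body>
<p>Your account needs attention, sign in at
<a href="http://evil.com/login">google.com</a> or
<a href="https://www.google.com/">https://google.com/</a>.</p>
<img src="http://tracker.example/open?id=123" width="1" height="1">
<img src="cid:logo@example">
<script>document.location='http://evil.com/js';</script>
<p onmouseover="alert(1)">Thanks, <a href="javascript:alert(1)">click</a></p>
</body></html>"""

if __name__ == "__main__":
    cleaned, blocked, suspicious = filter_mail_html(SAMPLE_MAIL)
    print(cleaned)
    print("blocked:", blocked)
    print("suspicious:", suspicious)
```

Run on the sample, the tracking pixel is the only blocked reference (the `cid:` image is an attachment and stays), the `evil.com`/`google.com` link is the only suspicious one (the second link's text and target both resolve to `google.com` once `www.` is ignored), and the output contains no `script` element, `onmouseover` attribute or `javascript:` URL. Note that this matches exactly the limits the message describes: it blocks phoning home and script, and it can only flag a phish when the visible text itself claims a host; it does nothing about a parser bug in the renderer.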



More information about the kubuntu-devel mailing list