HTML by default in KMail
Jussi Schultink
jussi01 at ubuntu.com
Mon Aug 9 09:42:15 BST 2010
2010/8/9 Aurélien Gâteau <aurelien.gateau at canonical.com>:
> On 06/08/2010 12:28, Jonathan Riddell wrote:
>>
>> At Akademy I queried the current and past KMail maintainers about HTML
>> by default in e-mails. They seemed to agree that it was a bit old
>> fashioned to be keeping it off and agreed it would be fine to turn it
>> on by default (in Kubuntu and upstream). It seems unfriendly to me to
>> show a message with most e-mails that the programme is hiding
>> something from the user.
>>
>> KMail has large warnings in its config box about security problems
>> that might magically appear. I can imagine it would help with
>> phishing. I could also imagine javascript security problems, although
>> I'd hope javascript isn't allowed in Kmail e-mails; I could be wrong.
>
> Turning HTML on for *displaying* email is something I have done every
> time I introduced someone to KMail. If this option is not on then KMail
> is perceived as less powerful than their previous email client.
> Therefore I too believe HTML should be by default for *displaying*
> emails, as long as loading of external references is disabled. With this
> configuration KMail shouldn't end up being more vulnerable than
> Evolution, Thunderbird or any web mail.
>
> What does showing email in plain text protect you from?
>
> It does not protect you from the rogue links of a phish email (ie
> something like <a href="http://evil.com">google.com</a>): you can't
> expect someone trying to abuse you with rogue links to provide a
> plain-text version with readable nasty links.
>
> It does not protect you against spam messages phoning home to confirm
> your email address is valid. You are protected from this as long as the
> "Allow messages lo load external references from the Internet" option is
> unchecked.
>
> It does not protect you against messages containing nasty Javascript:
> The viewer widget is explicitly created with disabled Javascript, Java
> and plugins options [1].
>
> It does protect you against rogue HTML which could exploit a security
> hole in your HTML renderer to execute rogue code on your machine. *But*
> it only protects you if you are able to detect the email is rogue from
> the information provided without reading the message content (ie, sender
> and subject).
> This kind of attack requires much more technical skills than phishing
> (which only requires social skills) and is much less likely to work in a
> cross-email client way, so I assume it's not very widespread, if
> existing at all, as one would need to write a KMail-specific spam
> message for it to work (but IANASE, I Am Not A Security Expert :) )
>
I agree 100% with Aurélien here, and his arguments are what I would
have said, if I was a little more eloquent :)
Jussi.
> Aurélien
>
> [1]: http://websvn.kde.org/branches/KDE/4.4/kdepim/messageviewer/viewer_p.cpp?view=markup , look for initHtmlWidget, line 1279 at the time of this writing.
>
> --
> kubuntu-devel mailing list
> kubuntu-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-devel
>
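The two HTML-mail risks the thread weighs (a link whose visible text names one site while its href points to another, and external references such as remote images that phone home when loaded) can be checked mechanically. The following is an added example, not code from the thread or from KMail; it uses only the Python standard library, and the sample message and its domains are constructed.

```python
# Added example (not from the thread or KMail): audit an HTML mail body for
# deceptive links and external references, using only the standard library.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags/attributes that fetch remote content if "external references" are allowed.
EXTERNAL_REF_ATTRS = {"img": "src", "link": "href", "script": "src", "iframe": "src"}

def _host(value):
    """Lower-cased hostname of a URL or bare domain, or None if unparsable."""
    value = value.strip().rstrip(".")
    if "://" not in value:
        value = "http://" + value
    try:
        host = urlparse(value).hostname
    except ValueError:
        return None
    return host.lower() if host else None

class MailAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.deceptive_links = []   # (visible text, real href) pairs
        self.external_refs = []     # URLs that would be fetched remotely
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        attr = EXTERNAL_REF_ATTRS.get(tag)
        if attr and (attrs.get(attr) or "").lower().startswith(("http://", "https://")):
            self.external_refs.append(attrs[attr])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            shown, real = _host(text), _host(self._href)
            # Link text that looks like a domain but leads somewhere else.
            if shown and "." in shown and real and shown != real:
                self.deceptive_links.append((text, self._href))
            self._href = None

def audit_html_mail(body):
    """Return the deceptive links and external references found in an HTML body."""
    p = MailAuditor()
    p.feed(body)
    p.close()
    return {"deceptive_links": p.deceptive_links, "external_refs": p.external_refs}

# Constructed sample message (placeholder domains, not a real phish).
SAMPLE = ('<p>Log in at <a href="http://evil.example/login">google.com</a>. '
          '<a href="https://kde.org">kde.org</a> '
          '<img src="https://tracker.example/pixel.gif?id=42"></p>')
```

Running `audit_html_mail(SAMPLE)` flags the google.com link as deceptive and lists the tracking image as the one external reference; the kde.org link, whose text and href agree, is not reported.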