[Israel.pm] multipart/alternative added

Oron Peled oron at actcom.co.il
Sat May 29 15:09:16 PDT 2010

On Friday, 28 May 2010 13:33:01 sawyer x wrote:
> I'm not going to tattoo "text/html" on my head if that's what you're worried
> about. :)
> That is, I'm not married to it, but I do think it's a good idea.

This list is full of technical people, and hardly anyone bothered
mentioning the security implications of HTML mails.

Just a few trivial examples:
 * Spying on mail reading -- via web-bugs.
 * Subverting mail fidelity -- you read something today (e.g.
   text embedded in jpeg), and tomorrow it is different (the
   image was shown via <img> tag)
 * Increased attack surface of mail messages -- not only the MUA
   security bugs, but also the HTML rendering engine it uses.
   This is a *huge* increase, since browsers are no.1 security
   attack vector in the last 10 years.
 * An HTML message from perl.org.il may look "benign", but contain
   links to malicious content hosted elsewhere (XSS attacks).
 * And we haven't started talking about <script> tag and its
   interesting use cases...
 * And that's without mentioning other "nice" stuff that tends to
   come with HTML (links to all kinds of content types -- flash,
   java, pdf, quicktime music) -- this not only contains vast
   amounts of security problems of its own, but many times
   brings with it intentional "features" used by proprietary
   vendors (e.g: JS embedded in PDF's for spying on you).

The "factory" default configuration of my MUA (kmail for the last 8 years),
is set to *NOT* render HTML mails. I make sure it stays that way.

And for those who wonder, yes, I know kmail allows me to render HTML
mail partially, without following external links...
But have you read my last points? What about internally attached
content that hides external links? (via JS, or in PDF, etc.)

With the default strict settings, every HTML message shows the
following at its top (boxed in color):
     Note: This is an HTML message. For security reasons, only the raw
           HTML code is shown. If you trust the sender of this message
           then you can activate formatted HTML display for this
           message by clicking [here].

Now, trust is hard stuff. Maybe I trust that no subscriber has any
malicious intent (let's be optimistic) -- But they may still be
careless, or ignorant (or both) and end up sending the wrong
content to the list (FW: something important for perl, read it)

Come on guys (and girls), you are the Israeli Perl Mongers!
You should score better than this.

It shouldn't be that hard, even if it's not perfect:
foreach (@subscriber) {
  print MAIL "$_: Don't mix English/Code/Hebrew on the same line\n";
  print MAIL "(be nice to people who have inferior MUA's)\n";
}
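
An added example, not part of the original post: a Python sketch that audits a multipart/alternative message along the lines of the bullet list above, keeping the text/plain part for display and listing what the text/html part would fetch, link to, or run when rendered. The sample message, the host names and the `audit` helper are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes a renderer fetch content when the mail is shown.
FETCHING = {"img": "src", "iframe": "src", "embed": "src",
            "object": "data", "link": "href"}

class HtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            self.findings.append(("script", urlparse(src).netloc if src else "inline"))
        elif tag == "a":
            host = urlparse(attrs.get("href") or "").netloc
            if host:
                self.findings.append(("link", host))
        elif tag in FETCHING:
            host = urlparse(attrs.get(FETCHING[tag]) or "").netloc
            if host:  # cid: and data: URLs have no host and stay local
                self.findings.append(("fetch:" + tag, host))

def audit(raw):
    """Return (plain text to display, findings from the HTML alternative)."""
    msg = message_from_string(raw, policy=default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    parser = HtmlAudit()
    if html is not None:
        parser.feed(html.get_content())
    return (plain.get_content() if plain is not None else None), parser.findings

# Constructed sample message (not from the list archive).
SAMPLE = ('From: someone@example.org\nSubject: FW: something important\n'
          'MIME-Version: 1.0\n'
          'Content-Type: multipart/alternative; boundary="b1"\n\n'
          '--b1\nContent-Type: text/plain; charset="utf-8"\n\nRead this.\n'
          '--b1\nContent-Type: text/html; charset="utf-8"\n\n'
          '<p>Read <a href="http://other.example.net/x">this</a>.</p>\n'
          '<img src="http://tracker.example.net/bug.gif?id=42" width="1">\n'
          '<img src="cid:logo"><script>document.title = "x"</script>\n'
          '--b1--\n')

if __name__ == "__main__":
    text, findings = audit(SAMPLE)
    print(text.strip(), findings)
```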


