From: Lillian Komlossy <Lillian(_at_)dmnews(_dot_)com>
While what you say is true - meaning an all-text restriction on your email
browser will prevent
"dangerous goods" to be downloaded - it also takes away functionality. We
have to find a way to
be able to use html based email but restrict it from - say running scripts,
writing cookies, issuing queries, etc... Until that happens, you're right -
html based email
is like a runaway train. We have to invent the "brakes" now.
Never mind the other reasons why HTML based email is considered an
abomination by many who understand the issues. What you want is
self-contradictory. What good is HTML based email if it cannot run
scripts or even contain links to other HTML content? Once you restrict
HTML based email enough to be safe, why bother with anything more than
text and perhaps simple pictures? It's not only programs in email that
are dangerous, but also HTTP references. Recall the recent disclosures
concerning the use of unique to the target URL's of invisible pages in
email and web sites instead of HTTP cookies.
You want to run your freight train down a long pass with an 8% grade at
100 miles per hour, and not need to worry about it running away. Maybe
someday there will be some other solution, but today the only tactics
that let breaks control a train in such circumstances begin with going far
less than 100 mph.
You simply cannot have unbridled user-friendliness and security against
bad guys. No matter what the salescritters and pointy-haired claim,
security and convenience will always be at odds.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com