ietf-822

Re: E-mail major cause of bad security says security expert

2002-05-17 09:30:09

> ned(_dot_)freed(_at_)mrochek(_dot_)com wrote:

> > "All of the security and privacy issues on the Web now relate to
> > e-mail," said Adam Shostack, director of technology at
> > Zero-Knowledge Systems, a Montreal-based privacy and security
> > company. "The shame about this behavior is that it's going on
> > surreptitiously and people are not given an obvious way to opt
> > out."  [...]

There are multiple ways to parse that statement. One of them is:

   mailprobs = mailprobs + webprobs

That's the way the statement was intended to be parsed and it is how I parsed
it. (If you look up the original article in Risks 22.03, as I did before I
first responded, you'll agree.)

I guess I should have also pointed out that Jacob's read of this as "E-mail
major cause of bad security" is incorrect. That mail systems are the root cause
of security problems is neither said nor implied by the article.

> which is certainly true for HTML-over-mail,

On the contrary, it is still hyperbole. As I said before, the web has a vast
array of security issues that don't relate to email at all. Attacks against
Web servers. Keeping track of the search terms a given user directly enters
into a search engine. And so on.

> esp with mailers that don't treat HTML mail specially.

Of course a mail user agent that simply passes HTML off to a web browser is
vulnerable to the same subset of web privacy and security issues that relate to
HTML viewing. However, a mail user agent can constrain its handling of HTML in
ways that would be completely unacceptable for a web browser to do. And while
broader understanding of and agreement on what constraints on HTML make sense
in the context of email is still needed, some clients do a fair job of handling
this already.

> > My only comment is that such a clearly incorrect assessment of the
> > situation isn't worthy of a response. There are plenty of Web security
> > and privacy issues that have nothing whatsoever to do with email.

> Do they apply to HTML mail?

Only if you have an extremely limited and unrealistic view of the web.

                                Ned
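The kind of constraint on HTML that Ned says a mail user agent can apply but a web browser cannot, as an added example that is not from this thread or from any actual mail client: a Python filter that renders message HTML with no scripting and no remote fetches, recording the blocked remote URLs so the client can offer the user an explicit choice instead of loading them surreptitiously. The element and attribute policy, the example.test URLs and the sample message body are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "form"}  # drop element + contents
DROP_TAG_ONLY = {"link", "meta", "base", "embed"}                   # drop the tag itself
LINK_SCHEMES = {"http", "https", "mailto"}                          # clickable links only
class MailHTMLFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.blocked, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1                      # swallow everything to the end tag
        if self._skip or tag in DROP_TAG_ONLY:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            scheme = value.strip().lower().split(":", 1)[0]
            if name.startswith("on") or name == "style":
                continue                         # inline handlers, CSS url() fetches
            if name in ("src", "background"):
                if scheme == "cid":              # inline MIME part: no network
                    kept.append((name, value))
                else:                            # remote fetch = tracking beacon,
                    self.blocked.append(value)   # held back until the user opts in
                continue
            if name == "href" and scheme not in LINK_SCHEMES:
                continue                         # javascript:, data:, vbscript:, ...
            kept.append((name, value))
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (n, escape(v, quote=True)) for n, v in kept)))
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag not in DROP_TAG_ONLY:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self._skip:                       # re-escape text; entities were decoded
            self.out.append(escape(data, quote=False))

def sanitize_mail_html(body):
    # Returns (safe_html, blocked_remote_urls) for one message body.
    f = MailHTMLFilter()
    f.feed(body)
    f.close()
    return "".join(f.out), f.blocked
# Constructed sample body (not from the thread): beacon image, script, event handler.
SAMPLE = ('<body onload="x()"><p>Hi <b>there</b> &amp; welcome</p><script>alert(1)</script>'
          '<img src="http://example.test/beacon.gif?id=42"><img src="cid:logo@example.test">'
          '<a href="javascript:void(0)">x</a><a href="https://example.test/y">y</a></body>')
```

The `blocked` list is what a client would use to show a "load remote content?" prompt, which is the opt-out the quoted article says users are not given.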