ietf-mailsig

Re: Ramblings on RFC2822 signatures.

2004-09-18 11:15:12

On Sat, 2004-09-18 at 09:02 -0700, Miles Libbey wrote:
> --- David Woodhouse <dwmw2(_at_)infradead(_dot_)org> wrote:
> > I don't think so. I find it hard to imagine an attack in which
> > canonicalisation gives you a way to abuse mail.
> 
> Spammers have been attacking spam filters' 'canonicalizations' for
> years to hide their content.  Sophos has a nice list of different
> attacks they have seen over the years
> http://www.sophos.com/spaminfo/explained/fieldguide.html
> 
> Spammers will have years and years to figure out how to take advantage
> of whatever canonicalization schemes are used.  I doubt we'll be able
> to accurately predict all the attacks that will appear.

Let's separate canonicalisation and permissiveness. Canonicalisation
means stuff like undoing base64 encoding, converting charsets to UTF-8,
folding whitespace in _headers_ and maybe most of text/html (outside
<PRE>, etc) but not in text/plain.

The bit with allowing the addition of lines -- or at least being able to
tell that the signed part is still valid despite the addition of lines
(I didn't say that/when the recipient had to _allow_ it) -- is
permissiveness, and that's what seems to be needed to allow most of the
attacks in the field guide you reference.

Speaking personally, I'm most concerned about the additions by mailing
lists, and on text/plain MIME parts.

I would be more than happy to allow _no_ permissiveness on text/html
parts. Because an attacker could start with '<-- ' and end with ' -->'
followed by a line or two of their own text, and still have a tiny
percentage of 'addition'.

Anyone who wants us to be permissive on text/html should be prepared to
put forward very good arguments that it cannot be exploited. On
text/plain I think we're a lot safer to allow a few lines added at start
and/or end of the original.

-- 
dwmw2
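The distinction drawn above, as an added illustration that is not code from the thread or from any draft under discussion: a verifier that keeps canonicalisation minimal (line endings, trailing whitespace) and applies permissiveness only to text/plain, allowing a few lines before or after the signed block, while text/html must match exactly. It assumes the number of signed lines travels alongside the signature, and stands in a keyed hash for a real signature.

```python
import hashlib
import hmac

# Constructed demo key: an HMAC over the canonical body stands in for a real signature.
KEY = b"constructed-demo-key"

def canonicalise(body: str) -> list[str]:
    """Only the safe canonicalisations: normalise line endings, strip trailing
    whitespace per line, and drop trailing blank lines. Text itself is untouched."""
    lines = [line.rstrip() for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return lines

def sign(body: str) -> str:
    """Sign the canonical body; the signer also records len(canonicalise(body))."""
    return hmac.new(KEY, "\n".join(canonicalise(body)).encode(), hashlib.sha256).hexdigest()

def verify(signature: str, received_body: str, content_type: str,
           signed_line_count: int, max_added: int = 3) -> bool:
    """Accept if the originally signed lines survive as one contiguous block with at
    most `max_added` lines prepended and at most `max_added` appended. For text/html
    no additions are tolerated, so a comment-wrapped original is rejected."""
    lines = canonicalise(received_body)
    allowed = 0 if content_type == "text/html" else max_added
    for start in range(allowed + 1):
        end = start + signed_line_count
        if end > len(lines) or len(lines) - end > allowed:
            continue
        candidate = "\n".join(lines[start:end]).encode()
        digest = hmac.new(KEY, candidate, hashlib.sha256).hexdigest()
        if hmac.compare_digest(digest, signature):
            return True
    return False

# Constructed sample bodies.
PLAIN = "Hi all,\nPlease review the draft.\n"
PLAIN_WITH_FOOTER = PLAIN + "-- \nlist footer\n"
HTML = "<p>Please review.</p>\n"
HTML_WRAPPED = "<!-- \n" + HTML + " -->\n<p>injected text</p>\n"

def demo() -> dict[str, bool]:
    return {
        "plain_unchanged": verify(sign(PLAIN), PLAIN, "text/plain", 2),
        "plain_with_footer": verify(sign(PLAIN), PLAIN_WITH_FOOTER, "text/plain", 2),
        "plain_too_many_lines": verify(sign(PLAIN), "x\n" * 5 + PLAIN, "text/plain", 2),
        "html_wrapped_strict": verify(sign(HTML), HTML_WRAPPED, "text/html", 1),
        "html_wrapped_if_permissive": verify(sign(HTML), HTML_WRAPPED, "text/plain", 1),
    }
```

The last two results show the point of the message: the same wrapped HTML body passes under text/plain permissiveness but fails once text/html is held to an exact match.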

