
the evil of html was Re: pgp signing in van

2013-09-10 08:38:12
----- Original Message -----
From: "Ted Lemon" <Ted(_dot_)Lemon(_at_)nominum(_dot_)com>
To: "t.p." <daedulus(_at_)btconnect(_dot_)com>
Cc: "Richard Barnes" <rlb(_at_)ipv(_dot_)sx>; "Peter Saint-Andre"
<stpeter(_at_)stpeter(_dot_)im>; <ietf(_at_)ietf(_dot_)org>
Sent: Tuesday, September 10, 2013 2:03 PM
On Sep 10, 2013, at 4:41 AM, t.p. <daedulus(_at_)btconnect(_dot_)com> wrote:
for reasons of security, of course; html has far too many attack vectors
to allow it to be processed in e-mail

If that's true, why is it safe for you to use HTML in a web browser?
Is it because you feel that the HTTP trust model is safer?   Are you
trying to avoid attacks via spam?   If the former, you are probably
mistaken.   If the latter, it seems to me that PGP-signed messages would
help with this, and that you ought to switch to a non-broken MUA.

<tp>

Ted

A URI in a plain text e-mail means what it says; a URI in <a ...   /> in
html can display a perfectly innocent name while linking me to an evil
website, a much used tactic.  (If my MUA promised never to follow a
link, then I would let it process html).

With a web browser, at least I am myself choosing to click on the link;
I can easily view the underlying html if I am doubtful (possible, but
not so easy with an MUA); I can see the address in the browser address
bar and kill it if it goes where I do not want it to.  It is the user
interface of the MUA to the html that is inadequate; browsers do it
better.

But increasingly, I find web sites becoming evil, perhaps when I am
following a link from an e-mail posted to an IETF list to access
background information and then find https links being set up from my
browser to sites that I do not wish to have any truck with (e.g.
twitter, facebook), presumably in order to clandestinely take details of
me and build up a profile of me for some nefarious purpose.

So increasingly, I do not trust html in web sites either.

Tom Petch
</tp>

Your assumption about HTML email is particularly worrisome because it is
similar to an assumption people frequently make that NATs and firewalls
keep them safe because unsolicited incoming connections are dropped.
This is of course not true, because it's not that difficult to get you
to make an outgoing connection to an address that leads to an attack
against your browser.

It's certainly easier to attack you by sending you spam, and prohibiting
HTML in email does protect you from attacks via HTML flaws by spammers.
But you pay a pretty heavy price for that protection, and it's one that
most email users would not consider paying, so by doing this you are
essentially deciding not to eat our dogfood.

If we IETFers do this sort of thing habitually, we wind up living in a
security context that most users do not live in, and wind up designing
protocols that really don't address the needs of most users.   This is
Very Bad.
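The two concrete complaints in Tom's reply, an anchor whose visible text is an innocent-looking address while its href points somewhere else, and markup that makes the client open connections to third-party hosts (tracking pixels, twitter/facebook widgets), are both mechanically checkable. The following is an added example written for this archive page; it is not code from either poster. It parses an HTML body with Python's standard-library HTMLParser and reports (a) anchors whose link text reads like a URL or hostname but whose href resolves to a different host, including the user@host trick that urlparse handles for us, and (b) every remote host the markup would fetch from if rendered, optionally filtered to hosts other than the site the document came from. The sample body, the hostnames evil.example.net and tracker.example.net, and the function names are constructed for the illustration.

```python
"""Audit an HTML body for deceptive links and remote resource loads.

Added example (not part of the thread). Uses only the standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose attribute makes a renderer fetch something over the network.
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "link": "href", "source": "src"}


def _host(url):
    """Host of an absolute URL, lower-cased and without a leading 'www.'.

    Returns '' for relative URLs, mailto:, javascript:, etc.  urlparse puts
    anything before '@' into userinfo, so 'https://www.ietf.org@evil.example.net/'
    yields 'evil.example.net', which is exactly the trick we want to catch.
    """
    host = (urlparse(url.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _looks_like_url(text):
    """True if the visible link text would read to a user as an address."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://", "www.")):
        return True
    head = t.split("/")[0]  # bare hostname such as ietf.org/meeting
    return ("." in head and " " not in head
            and all(c.isalnum() or c in ".-" for c in head))


def _text_host(text):
    """Host the user believes they are going to, taken from the link text."""
    t = text.strip()
    if not t.lower().startswith(("http://", "https://")):
        t = "http://" + t  # make urlparse treat a bare hostname as absolute
    return _host(t)


class MailHtmlAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.deceptive_links = []  # (visible text, real href)
        self.remote_loads = []     # (tag, host)
        self._href = None          # href of the <a> we are currently inside
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag in RESOURCE_ATTRS:
            url = a.get(RESOURCE_ATTRS[tag]) or ""
            if _host(url):  # relative URLs carry no remote host
                self.remote_loads.append((tag, _host(url)))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            # Only flag text that looks like an address; "click here" is not
            # deceptive, it simply tells the user nothing.
            if _looks_like_url(text) and _text_host(text) != _host(self._href):
                self.deceptive_links.append((text, self._href))
            self._href = None
            self._text = []


def audit_html(html, page_host=None):
    """Return deceptive anchors and the remote hosts the markup would contact.

    page_host, if given, is the site the document itself came from; loads to
    that host are dropped so only third-party hosts remain.
    """
    p = MailHtmlAuditor()
    p.feed(html)
    p.close()
    loads = p.remote_loads
    if page_host:
        own = _host("http://" + page_host)
        loads = [(t, h) for t, h in loads if h != own]
    return {"deceptive_links": p.deceptive_links, "remote_loads": loads}


# Constructed sample body (hosts are placeholders, not real attackers).
SAMPLE = """
<p>Please review the draft at
<a href="http://evil.example.net/login">https://datatracker.ietf.org/doc/draft-x</a>
and the list archive at <a href="https://mailarchive.ietf.org/">the archive</a>.
Home page: <a href="https://www.ietf.org@evil.example.net/">www.ietf.org</a>;
logo below.</p>
<img src="https://www.ietf.org/logo.png" alt="IETF">
<img src="https://tracker.example.net/pixel.gif" width="1" height="1">
<script src="https://platform.twitter.com/widgets.js"></script>
<a href="https://www.ietf.org/about/">ietf.org/about</a>
"""

if __name__ == "__main__":
    report = audit_html(SAMPLE, page_host="www.ietf.org")
    for text, href in report["deceptive_links"]:
        print(f"deceptive link: text {text!r} -> href {href!r}")
    for tag, host in report["remote_loads"]:
        print(f"third-party load: <{tag}> from {host}")
```

Run against the sample, the audit flags the datatracker-looking anchor that really goes to evil.example.net and the www.ietf.org anchor whose href smuggles the real host after an '@', while the anchors reading "the archive" and "ietf.org/about" pass (the first is not an address at all, the second matches its href). With page_host set, the IETF logo is dropped and only the tracking pixel and the twitter script remain as third-party connections the renderer would open on its own. A mail client that refused to follow links, or only rendered remote content on request, would neutralise exactly these two findings.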


