nmh-workers

Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs

2018-05-27 01:50:02
Ken Hornstein writes:
> Respectfully ... the vulnerability with EFAIL was NOT that people downloaded
> stuff via HTTP.

I suppose I shouldn't say that *was* the vulnerability; but if mail
clients didn't fetch URLs embedded in the mail by default, EFAIL would
not have been possible.

> To the larger point ... I do not think there is any fundamental
> difference between being emailed a text/plain part and fetching it via
> HTTP; they both are coming across the wild Internet, and I think this
> applies to any content.  The only possible disadvantage I can think of

Here are a few more:

- It leaks the IP address of my mail client simply by reading an email.
  (Sending email leaks the IP of my SMTP client, which I'm not keen
   on either, but I already expect *sending* email to be leaky.)
- Curl's user agent contains a version number (could allow OS
  identification, or targeting of vulnerable curl versions).
- Fetching http content is subject to man-in-the-middle attacks.
- It can be used to poke intranets (http://192.168.x.y/admin.php?...)

I don't think a niche feature with these disadvantages is a desirable
default. Other mail clients like Gmail block images for similar reasons.

-- 
Anthony J. Bentley

-- 
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
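
Added example, not part of the original message and not nmh code: a pre-fetch
check a mail client could apply to a URL named in a message before fetching it
automatically. It covers the cleartext-HTTP and intranet items from the list
above. The function name, the reason strings and the `resolve` hook are
assumptions made for illustration, and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def fetch_risks(url, resolve=None):
    """Return reasons not to auto-fetch a URL named in a mail part ([] = none found).

    resolve: optional callable mapping a hostname to an iterable of IP strings
    (a hypothetical hook so the check runs offline; no DNS lookup is done here).
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return ["unparseable-url"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):   # this policy only considers web URLs
        return ["unsupported-scheme"]
    if not host:
        return ["no-host"]
    risks = []
    if scheme == "http":
        risks.append("cleartext-http")    # content can be altered in transit
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal in the URL
    except ValueError:
        # A hostname: the address check needs the resolved addresses. The fetch
        # should then connect to a checked address, or a second lookup by the
        # fetcher could return a different (internal) one.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)] if resolve else []
        if not addrs:
            return risks + ["unresolved-host"]
    # Loopback, RFC 1918, link-local and similar ranges are not globally routable.
    if any(not a.is_global for a in addrs):
        risks.append("internal-address")
    return risks

if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("http://192.168.1.10/admin.php?x=1", "https://[::1]/",
              "https://mail.example.org/a.txt"):
        print(u, fetch_risks(u))
```

The IP address and User-Agent disclosures in the list cannot be judged from
the URL, since any fetch reveals them to the server.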
