[plug] email message formats

Christian christian at amnet.net.au
Fri Dec 22 21:11:22 WST 2000


On Thu, Dec 21, 2000 at 11:27:56AM +0800, Leon Brooks wrote:
 
> It's a case of value for effort. Canning cookies buys you very little 
> extra security for a significant cost in inconvenience. However, the 
> comment about disabling inline attachments is a good one, since in-line 
> HTML can fetch Java and other locally active objects, which in turn are 
> much more likely to pose a security problem than a gross of cookies.

I'm not necessarily sure that disabling inline attachments really has
that much impact.  Your browser won't do anything with an attachment
that it won't do with a web page.  Hence the only difference between
browsing a web page that you don't *really* trust and viewing inline
attachments is that you can be targeted with the latter.  Most attacks
don't happen because people are targeted, they happen because the
person is simply *there*.  The exceptions tend to be where significant
amounts of money etc. are present.  Somehow I think that even Bret's
Amway connection doesn't QUITE count here.

If you disable viewing inline attachments then you end up clicking on
the attachment to view it anyway.  Seems like a small degree of
protection to me.  If an attachment can hurt you then it can do this
regardless of whether you download it from a web page or come across it
in an email.  I'm not all that familiar with the exact behaviour of GUI
mail clients which have this option so if I've missed something here
then please feel free to point it out.

As for cookies, I never said they were a security problem.  They can
certainly be a privacy problem and can be implemented insecurely but
they're not a security problem in and of themselves.


