[plug] email message formats

Bret Busby bret at clearsol.iinet.net.au
Sun Dec 24 10:04:02 WST 2000


Christian wrote:
> 
> On Thu, Dec 21, 2000 at 11:27:56AM +0800, Leon Brooks wrote:
> 
> > It's a case of value for effort. Canning cookies buys you very little
> > extra security for a significant cost in inconvenience. However, the
> > comment about disabling inline attachments is a good one, since in-line
> > HTML can fetch Java and other locally active objects, which in turn are
> > much more likely to pose a security problem than a gross of cookies.
> 
> I'm not necessarily sure that disabling inline attachments really has
> that much impact.  Your browser won't do anything with an attachment
> than it won't do with a web page.

Warnings have been broadcast, about browsers that view attachments
inline, automatically running executable files that are included as
inline attachments, and, similarly, the executable files being run, when
clicked on. Transmission of viruses, etc...

>  Hence the only difference between
> browsing a web page that you don't *really* trust and viewing inline
> attachments is that you can be targeted with the latter.  Most attacks
> don't happen because people are targeted, they happen because the
> person is simply *there*.  The exceptions tend to be where significant
> amounts of money etc. are present.  Somehow I think that even Bret's
> Amway connection doesn't QUITE count here.

I took your advice, and, enabled cookies to visit the Amway site (and,
only that site). Only problem is that, when I have visited the site,
since I made that decision, their server has been down on each occasion.
Hmmm...

> 
> If you disable viewing inline attachments then you end up clicking on
> the attachment to view it anyway. 

Sorry; wrong, Christian. If I get an inline attachment, I only click on
it, if it is in an email from one of a select few people.

> Seems like a small degree of
> protection to me.

Every small measure helps, does it not? A stone wall is made up of many
small stones, and, a fort is built out of many small rocks...

>  If an attachment can hurt you then it can do this
> regardless of whether you download it from a web page or come across it
> in an email.  I'm not all that familiar with the exact behaviour of GUI
> mail clients which have this option so if I've missed something here
> then please feel free to point it out.

I believe, from memory, that warnings have been posted, by CERT, or
someone, about inline attachments, which are disguised, and which
contain malicious code.

> 
> As for cookies, I never said they were a security problem.  They can
> certainly be a privacy problem and can be implemented insecurely but
> they're not a security problem in and of themselves.

If a cookie can identify a visitor to a website, and, result in the
visitor being sent unsolicited email from various sources, one of which
emails happens to contain malicious code, is that not a security
violation?

-- 

Bret Busby


......................................
"So once you do know what the question actually is, you'll know what the
answer means."
 - Deep Thought, Chapter 28 of The Hitchhiker's Guide to the Galaxy
 - Douglas Adams, 1988 
......................................


