Mailinglist Archive: opensuse-factory (1029 mails)

Re: [opensuse-factory] Re: Testing many small file write on several filesystems
Hello,

On Tuesday, 5 November 2013, Linda Walsh wrote:
>> Your message had "*rendering*" in bold text -- did you write in HTML?
>
> No -- I assert that HTML is markup on text -- it isn't scripting --

HTML is more than markup - and it can contain scripting.

The problem isn't the markup part (bold/italic/underline etc.), but all
the other things (like javascript and tracking pixels) that can be
embedded in HTML.

I'm fine with rendering text in mails *bold* or _underlined_, but I
don't want colored text, javascript or tracking pixels in my mails.

> Note that the fact that your reader is displaying binary data as "text"
> is already an interpretive layer. You can claim that interpreting a
> binary stream as text is vastly different than interpreting it as
> emphasized, italicized, or paragraph-formatted or proportional text,
> but it's a matter of degree. If you aren't seeing *only* electrical
> "on/off" states, you are seeing some level of interpretation.

01110111 01110010 01101111 01101110 01100111

*SCNR*

> I don't recall any instance where a site has been hacked due to a bug
> in an HTML renderer.

I strongly disagree - XSS is basically a bug in the renderer (because it
doesn't remove or escape <script> or <div onmouseover=...> tags), and
you can read about XSS attacks quite often.

> Technically HTML is marginally more complex to interpret than text,
> but I would still ask for a proof of concept -- I don't recall it
> ever being seriously considered a threat vector.

A simple example: an HTML mail could hide/optically replace the message
header part (showing Subject/From/To/Date) in KMail with a positioned
<div> and display whatever it wants there. With the same method, it
could probably also simulate the green "This mail has a valid GPG
signature from" box, which could then trick you into clicking on links
(because you trust the (displayed) sender/signature), and the link
targets could do phishing etc.

That's one of the reasons why I don't like HTML mails - there's an
additional risk level without any benefit.

The other reason is more practical - I want mails displayed in the font
_I_ like - not in a random font and (mis)design that the sender might
like, but is harder to read.


Regards,

Christian Boltz
--
Wow consensus in less than 24 hours....imagine if it always
worked that way....:-)
Something smells fishy here ;-)
Do you have the solution(tm) for the "Kanzlerfrage"? :)
[>> Peter Flodin, > Andreas Jäger and Christoph Thiel in opensuse]
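One defensive way to act on the points made in this mail, as an added example that is not part of the thread: a small allowlist sanitizer (Python standard library only; the class `MailSanitizer` and function `sanitize_mail_html` are hypothetical names) that keeps only the plain emphasis markup the mail above says it is fine with, drops scripting, event-handler attributes, inline styles such as positioned overlays and images, and reports what it removed so a reader can flag suspicious mails. The sample mail body is constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
# Plain emphasis/paragraph markup the recipient is willing to render;
# everything else (scripting, styling, images, layout) is dropped.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "blockquote"}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized fragments
        self.dropped = []   # human-readable log of what was removed
        self._skip = 0      # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            self.dropped.append(f"<{tag}> block")
            return
        for name, _value in attrs:
            if name.startswith("on"):       # onmouseover=, onload=, ...
                self.dropped.append(f"{name}= handler on <{tag}>")
            elif name == "style":           # e.g. position:absolute overlays
                self.dropped.append(f"inline style on <{tag}>")
        if tag == "img":                    # remote image = tracking pixel
            self.dropped.append("<img> (possible tracking pixel)")
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")     # attributes are never copied
        else:
            self.dropped.append(f"<{tag}> tag")  # its text is still kept

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))

def sanitize_mail_html(body):
    # Returns (sanitized_html, list of dropped items) for an HTML mail body.
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample: header-overlay div, event handler, script, tracking image.
SAMPLE = ('<div style="position:absolute;top:0">From: trusted@example.org</div>'
          '<p>Hi, <b>please</b> <span onmouseover="alert(1)">read</span> this.'
          '<script>steal()</script><img src="http://tracker.example/p.gif"></p>')
```

The text of the overlay <div> survives as ordinary inline text, so it can no longer be positioned over the real header, and a non-empty `dropped` list is a cheap signal that a mail tried to do more than bold/underline.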

