08-06-2010, 10:28 AM
Jonathan Riddell

HTML by default in KMail

At Akademy I queried the current and past KMail maintainers about HTML
by default in e-mails. They seemed to agree that it was a bit old
fashioned to be keeping it off and agreed it would be fine to turn it
on by default (in Kubuntu and upstream). It seems unfriendly to me to
show a message with most e-mails that the programme is hiding
something from the user.

KMail has large warnings in its config box about security problems
that might magically appear. I can imagine it would help with
phishing. I could also imagine javascript security problems, although
I'd hope javascript isn't allowed in KMail e-mails I could be wrong.

As someone who uses a terminal programme for my e-mail I doubt my
opinion weighs for much but I'd like to hear thoughts people have on
the setting.

Jonathan

--
kubuntu-devel mailing list
kubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-devel
 
08-06-2010, 10:42 AM
Myriam Schweingruber

HTML by default in KMail

On Fri, Aug 6, 2010 at 12:28, Jonathan Riddell <jriddell@ubuntu.com> wrote:
>
> At Akademy I queried the current and past KMail maintainers about HTML
> by default in e-mails. They seemed to agree that it was a bit old
> fashioned to be keeping it off and agreed it would be fine to turn it
> on by default (in Kubuntu and upstream). It seems unfriendly to me to
> show a message with most e-mails that the programme is hiding
> something from the user.
>
> KMail has large warnings in its config box about security problems
> that might magically appear. I can imagine it would help with
> phishing. I could also imagine javascript security problems, although
> I'd hope javascript isn't allowed in KMail e-mails I could be wrong.
>
> As someone who uses a terminal programme for my e-mail I doubt my
> opinion weighs for much but I'd like to hear thoughts people have on
> the setting.

I am strongly against turning it on. I don't see a valid reason to
turn it on btw, as the user always gets an option to allow displaying
of pictures/graphics for a particular sender. Also since half of the
mail I get during the day is spam and they tend to often send HTML, I
am very glad it is turned off by default.

A Linux system is by default secure, enabling HTML is certainly not.

Let the users who want to have it turn it on by themselves, but don't
do so by default. I would really hate it to see kmail users of the
future send html by default to mailing lists...


Regards, Myriam.
--
Protect your freedom and join the Fellowship of FSFE:
http://www.fsfe.org
Please don't send me proprietary file formats,
use ISO standard ODF instead (ISO/IEC 26300)

08-06-2010, 11:02 AM
Tomasz Czapiewski

HTML by default in KMail

On Fri, 6 Aug 2010, Myriam Schweingruber wrote:

> On Fri, Aug 6, 2010 at 12:28, Jonathan Riddell <jriddell@ubuntu.com> wrote:
>
> > At Akademy I queried the current and past KMail maintainers about HTML
> > by default in e-mails. They seemed to agree that it was a bit old
> > fashioned to be keeping it off and agreed it would be fine to turn it
> > on by default (in Kubuntu and upstream). It seems unfriendly to me to
> > show a message with most e-mails that the programme is hiding
> > something from the user.
> >
> > KMail has large warnings in its config box about security problems
> > that might magically appear. I can imagine it would help with
> > phishing. I could also imagine javascript security problems, although
> > I'd hope javascript isn't allowed in KMail e-mails I could be wrong.
> >
> > As someone who uses a terminal programme for my e-mail I doubt my
> > opinion weighs for much but I'd like to hear thoughts people have on
> > the setting.
>
> I am strongly against turning it on. I don't see a valid reason to
> turn it on btw, as the user always gets an option to allow displaying
> of pictures/graphics for a particular sender. Also since half of the
> mail I get during the day is spam and they tend to often send HTML, I
> am very glad it is turned off by default.
>
> A Linux system is by default secure, enabling HTML is certainly not.
>
> Let the users who want to have it turn it on by themselves, but don't
> do so by default. I would really hate it to see kmail users of the
> future send html by default to mailing lists...
>
> Regards, Myriam.


I agree with Myriam, HTML view in KMail should not be enabled by default.
Just take a look at most spam/viruses in mail. I'm not sure if KMail is
vulnerable to them or not, but I want to take a look at text message,
sender, subject, etc. first, then I enable HTML view of a message.
The current option to enable HTML view of e-mail in KMail is very
convenient.


Btw. will the new development version of KMail support HTML messages with
in-mail graphics? It's my most needed feature which almost all graphic
e-mail clients support but KMail doesn't.


Regards,
Tom.

08-06-2010, 01:36 PM
Mackenzie Morgan

HTML by default in KMail

On Friday, August 06, 2010 06:28:30 am Jonathan Riddell wrote:
> KMail has large warnings in its config box about security problems
> that might magically appear. I can imagine it would help with
> phishing. I could also imagine javascript security problems, although
> I'd hope javascript isn't allowed in KMail e-mails I could be wrong.

I know of two security problems with HTML email. Well, one security and one
spam. The security one is, as you said, phishing. The spam one is that on
some emails there will be transparent GIFs that don't show (duh) when you
open an email but do load from a server with a unique ID so that the sender
knows whether you're a sucker who opens spam, because then they can spam you
more.

Even so, I agree that HTML email is what the majority of people (who aren't
being curmudgeonly like us) expect these days.

--
Mackenzie Morgan
http://ubuntulinuxtipstricks.blogspot.com
apt-get moo

08-06-2010, 01:47 PM
Scott Kitterman

HTML by default in KMail

On Friday, August 06, 2010 06:42:54 am Myriam Schweingruber wrote:
> On Fri, Aug 6, 2010 at 12:28, Jonathan Riddell <jriddell@ubuntu.com> wrote:
> > At Akademy I queried the current and past KMail maintainers about HTML
> > by default in e-mails. They seemed to agree that it was a bit old
> > fashioned to be keeping it off and agreed it would be fine to turn it
> > on by default (in Kubuntu and upstream). It seems unfriendly to me to
> > show a message with most e-mails that the programme is hiding
> > something from the user.
> >
> > KMail has large warnings in its config box about security problems
> > that might magically appear. I can imagine it would help with
> > phishing. I could also imagine javascript security problems, although
> > I'd hope javascript isn't allowed in KMail e-mails I could be wrong.
> >
> > As someone who uses a terminal programme for my e-mail I doubt my
> > opinion weighs for much but I'd like to hear thoughts people have on
> > the setting.
>
> I am strongly against turning it on. I don't see a valid reason to
> turn it on btw, as the user always gets an option to allow displaying
> of pictures/graphics for a particular sender. Also since half of the
> mail I get during the day is spam and they tend to often send HTML, I
> am very glad it is turned off by default.
>
> A Linux system is by default secure, enabling HTML is certainly not.
>
> Let the users who want to have it turn it on by themselves, but don't
> do so by default. I would really hate it to see kmail users of the
> future send html by default to mailing lists...
>
>
> Regards, Myriam.

I agree with this. Yes, plain text by default may seem a bit old fashioned,
but HTML by default opens a large number of additional code paths to potential
exploits (and it appears to be very difficult to write secure HTML parsers).

The system should default to a safe/secure configuration that users can change
if they choose.

Scott K

08-06-2010, 02:00 PM
Markus Slopianka

HTML by default in KMail

Possible solution:
Allow HTML mails only from contacts in the address book.

Loading external data (graphics / web bugs), executing JavaScript, etc. should
stay disabled by default.

08-06-2010, 02:04 PM
Jonathan Riddell

HTML by default in KMail

On Fri, Aug 06, 2010 at 09:36:48AM -0400, Mackenzie Morgan wrote:
> On Friday, August 06, 2010 06:28:30 am Jonathan Riddell wrote:
> > KMail has large warnings in its config box about security problems
> > that might magically appear. I can imagine it would help with
> > phishing. I could also imagine javascript security problems, although
> > I'd hope javascript isn't allowed in KMail e-mails I could be wrong.
>
> I know of two security problems with HTML email. Well, one security and one
> spam. The security one is, as you said, phishing.

Of course if all e-mails are plain text you're just as likely to fall
for a plain text phishing e-mail.

> The spam one is that on
> some emails there will be transparent GIFs that don't show (duh) when you
> open an email but do load from a server with a unique ID so that the sender
> knows whether you're a sucker who opens spam, because then they can spam you
> more.

Remote objects aren't loaded by default, that's another tickbox.

Jonathan

08-06-2010, 02:06 PM
Jonathan Riddell

HTML by default in KMail

On Fri, Aug 06, 2010 at 09:47:24AM -0400, Scott Kitterman wrote:
> I agree with this. Yes, plain text by default may seem a bit old fashioned,
> but HTML by default opens a large number of additional code paths to potential
> exploits (and it appears to be very difficult to write secure HTML parsers).

Nothing that isn't already open through a web browser.

What are the potential security problems with HTML rendering? I can
imagine some HTML being able to crash the renderer. I can't imagine
it being able to do anything worse. (Javascript, java, <object>s etc
being turned off)

Jonathan

08-06-2010, 02:09 PM
Scott Kitterman

HTML by default in KMail

On Friday, August 06, 2010 10:00:29 am Markus Slopianka wrote:
> Possible solution:
> Allow HTML mails only from contacts in the address book.
>
That doesn't help with a (at this point theoretical) malware threat that works
off of a KHTML flaw to compromise the user's session. Typically local address
books are used as a vector for spreading the exploit. (i.e. the fact that it
comes from an address in your address book doesn't make it 'safe'.)

I think the current "click here to see the html" approach is easy enough and a
reasonable default.

Scott K

08-06-2010, 02:17 PM
Scott Kitterman

HTML by default in KMail

On Friday, August 06, 2010 10:04:43 am Jonathan Riddell wrote:
> On Fri, Aug 06, 2010 at 09:36:48AM -0400, Mackenzie Morgan wrote:
> > On Friday, August 06, 2010 06:28:30 am Jonathan Riddell wrote:
> > > KMail has large warnings in its config box about security problems
> > > that might magically appear. I can imagine it would help with
> > > phishing. I could also imagine javascript security problems, although
> > > I'd hope javascript isn't allowed in KMail e-mails I could be wrong.
> >
> > I know of two security problems with HTML email. Well, one security and
> > one spam. The security one is, as you said, phishing.
>
> Of course if all e-mails are plain text you're just as likely to fall
> for a plain text phishing e-mail.

Not really. It's much easier to obfuscate links in HTML.

I just pinged Kees on IRC to see how the security team felt about this.

Scott K
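
Two HTML-mail risks raised in this thread can be checked for mechanically: remote images that act as tracking beacons (the "transparent gif" post) and links whose visible text names a different host than the real target (the "obfuscate links" reply). The following is an added example, not part of the original thread and not KMail code; it is a standard-library heuristic, and the names MailAudit, audit, host_of and the sample body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; the example.* hosts and the id value are placeholders.
SAMPLE_HTML = """<p>Your account needs attention:
<a href="http://login.example.net/verify">https://www.example.com/account</a></p>
<p><a href="https://www.example.com/help">Help centre</a></p>
<img src="http://track.example.net/o.gif?id=constructed-123" width="1" height="1">"""

def host_of(url):
    try:
        return urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:  # malformed URL in untrusted mail
        return None

class MailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_objects = []    # (tag, url) fetched over the network on display
        self.mismatched_links = []  # (host shown to the reader, host in href)
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href") or "", []
        src = (attrs.get("src") or "").strip().lower()
        # http(s) and //host sources are fetched on display; cid: parts are inline.
        if src.startswith(("http://", "https://", "//")):
            self.remote_objects.append((tag, attrs["src"]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            # Compare only when the visible text itself looks like a URL or hostname.
            if "." in shown and not any(c.isspace() for c in shown):
                shown_host, real_host = host_of(shown), host_of(self._href)
                if shown_host and real_host and shown_host != real_host:
                    self.mismatched_links.append((shown_host, real_host))
            self._href = None

def audit(html_body):
    parser = MailAudit()
    parser.feed(html_body)
    return parser.remote_objects, parser.mismatched_links
```

Calling audit(SAMPLE_HTML) returns the one remote image and the one link whose text and target disagree; the "Help centre" link is not flagged because its text is not a URL.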
