2010/8/9 Aurélien Gâteau <email@example.com>:
> On 06/08/2010 12:28, Jonathan Riddell wrote:
>> At Akademy I queried the current and past KMail maintainers about HTML
>> by default in e-mails. *They seemed to agree that it was a bit old
>> fashioned to be keeping it off and agreed it would be fine to turn it
>> on by default (in Kubuntu and upstream). *It seems unfriendly to me to
>> show a message with most e-mails that the programme is hiding
>> something from the user.
>> KMail has large warnings in it's config box about security problems
>> that might magically appear. *I can imagine it would help with
> Turning HTML on for *displaying* email is something I have done every
> time I introduced someone to KMail. If this option is not on then KMail
> is perceived as less powerful than their previous email client.
> Therefore I too believe HTML should be by default for *displaying*
> emails, as long as loading of external references is disabled. With this
> configuration KMail shouldn't end up being more vulnerable than
> Evolution, Thunderbird or any web mail.
> What does showing email in plain text protects you from?
> It does not protect you from the rogue links of a phish email (ie
> something like <a href="http://evil.com">google.com</a>): you can't
> expect someone trying to abuse you with rogue links to provide a
> plain-text version with readable nasty links.
> It does not protect you against spam messages phoning home to confirm
> your email address is valid. You are protected from this as long as the
> "Allow messages lo load external references from the Internet" option is
> and plugins options .
> It does protect you against rogue HTML which could exploit a security
> hole in your HTML renderer to execute rogue code on your machine. *But*
> it only protects you if you are able to detect the email is rogue from
> the information provided without reading the message content (ie, sender
> and subject).
> This kind of attack requires much more technical skills than phishing
> (which only requires social skills) and is much less likely to work in a
> cross-email client way, so I assume it's not very widespread, if
> existing at all, as one would need to write a KMail-specific spam
> message for it to work (but IANASE, I Am Not A Security Expert
I agree 100% with Aurélien here, and his arguments are what I would
have said, if I was a little more eloquent
> , look for initHtmlWidget, line 1279 at the time of this writing.
> kubuntu-devel mailing list
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-devel
kubuntu-devel mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-devel