
Avoiding Complexity

One of the reasons that minimising complexity is a good idea is that complex software tends to raise security issues for no good reason. Reading email encoded as HTML may have unforeseen side effects which can be exploited by hackers. The classic use of these side effects is to log who has read a spam message by embedding a remote image in the mail message and including a key associated with the recipient's email address in the image request. That's just a privacy issue, but a hacker could embed some JavaScript in an HTML email which does things, nasty things...

I'm not that bothered when I receive HTML mail (here's how I get procmail to deal with it for me) but it just strikes me as silly that, if you don't disable HTML mail in your email client, then when you send a message like this:


From: Fred <fred_bloggs@nowhere.com>
To: Colin <colin_wills@bigfoot.com>
Subject: Tonight
Date: Mon, 29 Oct 2001 16:54:19 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)

Colin,
What time will you be in the pub tonight?

Fred.

you will actually send it looking something like this:

From: Fred <fred_bloggs@nowhere.com>
To: Colin <colin_wills@bigfoot.com>
Subject: Tonight
Date: Mon, 29 Oct 2001 16:54:19 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/mixed;    
	boundary="------------InterScan_NT_MIME_Boundary"
Status: RO

This message is in MIME format. If your mail reader does not understand
this format, some or all of this message may not be legible.

--------------InterScan_NT_MIME_Boundary
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C16091.F889F640"

------_=_NextPart_001_01C16091.F889F640
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Colin,
What time will you be in the pub tonight?

Fred.

------_=_NextPart_001_01C16091.F889F640
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=utf-8">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2653.12">
<TITLE>Tonight</TITLE>
</HEAD>
<BODY>

<P><FONT SIZE=3D2>Colin,</FONT>
</P>

<P><FONT SIZE=3D2>What time will you be in the pub tonight?
</FONT>
</P>

<P><FONT SIZE=3D2>Fred.</FONT>
</P>

</BODY>
</HTML>
------_=_NextPart_001_01C16091.F889F640--

--------------InterScan_NT_MIME_Boundary--

Yuk! There are worse things you could do though, like send a Word attachment to a Linux user. Why do people assume that everyone has either paid for Office or ripped it off? Of course there are word processors for Linux that can read Word documents (until Microsoft releases a new version of Word with a new encryption algorithm) but, like HTML mail, it's an inefficient way of exchanging information. It's silly for Office users too: better to use HTML, PDF or ASCII text. If you have to send a Word document, use Save As... something small, virus-free, and readable by everyone.
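
A mail reader can avoid both the tracking image and the script problem described above by displaying only the text/plain alternative and treating the HTML part as data to inspect rather than render. The Python sketch below is an added example, not code from the original page; the sample message, tracker.example and the key value are constructed, and read_safely and ActiveContentFinder are hypothetical names.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a cut-down version of the pub message with a tracking
# image and a script added to the HTML part (tracker.example is made up).
SAMPLE = """\
Subject: Tonight
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-1"

Colin,
What time will you be in the pub tonight?
--b1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><P>Colin,</P>
<IMG SRC=3D"http://tracker.example/open.gif?key=3Dcolin-1234">
<SCRIPT>window.status =3D "hello";</SCRIPT></BODY></HTML>
--b1--
"""

class ActiveContentFinder(HTMLParser):
    """Collects tags that would fetch a remote resource or run script."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", ""))
        for name, value in attrs:
            remote = (value or "").lower().startswith(("http:", "https:", "//"))
            if name in ("src", "background") and remote:
                self.findings.append((tag, value))

def read_safely(raw):
    """Return (plain text to display, risky items found in the HTML part)."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    finder = ActiveContentFinder()
    if html is not None:
        # get_content() undoes quoted-printable, so =3D becomes = before parsing
        finder.feed(html.get_content())
    return (plain.get_content() if plain is not None else ""), finder.findings
```

The HTML part is only parsed, never rendered, so the image request that would report the recipient's key is never made.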


Generated by vi on Saturday 5th January 2002 at 13:01. This site is best viewed using [Lynx].