Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs
From: Anthony J. Bentley
Subject: Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs
Date: Sun, 27 May 2018 00:07:28 -0600

Ken Hornstein writes:
> Respectfully ... the vulnerability with EFAIL was NOT that people downloaded
> stuff via HTTP.

I suppose I shouldn't say that *was* the vulnerability; but if mail
clients didn't fetch URLs embedded in the mail by default, EFAIL would
not have been possible.

> To the larger point ... I do not think there is any fundamental
> difference between being emailed a text/plain part and fetching it via
> HTTP; they both are coming across the wild Internet, and I think this
> applies to any content. The only possible disadvantage I can think of

Here are a few more:

- It leaks the IP address of my mail client simply by reading an email.
  (Sending email leaks the IP of my SMTP client, which I'm not keen
  on either, but I already expect *sending* email to be leaky.)
- Curl's user agent contains a version number (could allow OS
  identification, or targeting of vulnerable curl versions).
- Fetching http content is subject to man-in-the-middle attacks.
- It can be used to poke intranets (http://192.168.x.y/admin.php?...)

I don't think a niche feature with these disadvantages is a desirable
default. Other mail clients like GMail block images for similar reasons.

--
Anthony J. Bentley
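
Added example, not part of the original message and not nmh code: a sketch of a gate a mail client could apply before fetching a URL found in a message, covering the concerns listed above (off by default, https only, no non-public addresses). The function names, the `opted_in` parameter and the sample host names and addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve(host):
    """Return the set of IP addresses a host name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def fetch_decision(url, opted_in=False, resolver=resolve):
    """Decide whether a URL found in a message may be fetched.

    Returns (allowed, reason). All names here are hypothetical.
    """
    # Default off: merely reading a message must not reveal the reader's IP.
    if not opted_in:
        return False, "external fetch is disabled by default"
    parts = urlsplit(url)
    # Plain http can be altered in transit, so only https is accepted.
    if parts.scheme != "https":
        return False, "scheme is not https"
    if not parts.hostname:
        return False, "URL has no host"
    try:
        addresses = resolver(parts.hostname)
    except OSError:
        addresses = set()
    if not addresses:
        return False, "host does not resolve"
    # Refuse if any address is private, loopback, link-local or otherwise
    # non-public, so a message cannot make the client request intranet hosts.
    for text in addresses:
        try:
            public = ipaddress.ip_address(text).is_global
        except ValueError:
            public = False
        if not public:
            return False, f"{text} is not a public address"
    # A fetcher should connect to an address checked here instead of resolving
    # again, and send a fixed User-Agent that carries no version number.
    return True, "ok"

# Constructed sample data standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "files.example.com": {"8.8.8.8"},
    "intranet.example.com": {"192.168.0.1"},
    "mixed.example.com": {"8.8.8.8", "10.0.0.5"},
}

def sample_resolver(host):
    return SAMPLE_DNS[host]
```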