[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs

From: Anthony J. Bentley
Subject: Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs
Date: Sun, 27 May 2018 00:07:28 -0600

Ken Hornstein writes:
> Respectfully ... the vulnerability with EFAIL was NOT that people downloaded
> stuff via HTTP.

I suppose I shouldn't say that *was* the vulnerability; but if mail
clients didn't fetch URLs embedded in the mail by default, EFAIL would
not have been possible.

> To the larger point ... I do not think there is any fundamental
> difference between being emailed a text/plain part and fetching it via
> HTTP; they both are coming across the wild Internet, and I think this
> applies to any content.  The only possible disadvantage I can think of

Here are a few more:

- It leaks the IP address of my mail client simply by reading an email.
  (Sending email leaks the IP of my SMTP client, which I'm not keen
   on either, but I already expect *sending* email to be leaky.)
- Curl's user agent contains a version number (could allow OS
  identification, or targeting of vulnerable curl versions).
- Fetching http content is subject to man-in-the-middle attacks.
- It can be used to poke intranets (http://192.168.x.y/admin.php?...)

I don't think a niche feature with these disadvantages is a desirable
default. Other mail clients like GMail block images for similar reasons.

Anthony J. Bentley

reply via email to

[Prev in Thread] Current Thread [Next in Thread]