
Politech mailing list archives

FC: A sysadmin's view on HTML-Javascript email problems
From: Declan McCullagh <declan () well com>
Date: Tue, 06 Feb 2001 00:49:40 -0500


*********
The most concise argument yet for ditching your Windows mail client:
  s/<script language="Java\w+.*?">.*?<\/script>//gis

-Declan
PS: If you don't get the not-quite-a-joke above, RTFM at:
http://www.perl.com/pub/doc/manual/html/pod/perlfaq6.html

*********

Date: Mon, 05 Feb 2001 14:35:58 -0500
To: declan () well com
From: Larry Poos <poosld () ec rr com>
Subject: Re: If you forward HTML email, it could be eavesdropped
In-Reply-To: <5.0.2.1.0.20010205105538.00a686a0 () mail well com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-UIDL: f1f37b01f8629a2095bae20ab30aa34a

At 10:55 2/5/01 -0500, You Scribbled:
----[ BEGIN QUOTE ]----
:"Email wiretapping" seems a little overblown, but this is bad news.
:
:The new netiquette:
:1. Friends don't send friends HTML email
:2. Friends don't accept HTML email from friends
:3. Friends don't let friends use Outlook or Navigator to read email
:4. If you or a friend must break the above three rules, then disable Javascript
:5. If you or a friend must break the above four rules, remove Javascript
:code from the HTML email you forward (ask a geek for help)
:
----[ END QUOTE ]----

Rules 1-3 should IMO become law and company policy. Numbers 4 and 5
are pipedreams for these reasons:
A. Most users (in my experience) don't know how to disable
Javascript.
B. Most users (again in my experience) won't remove the forwarding
address from a two-line message, resulting in 50 sets of >'s and
pages of forwarding information. Why would they remove <SCRIPT> code?
C. Most users have no knowledge of HTML document layout or the
mechanics and syntax of HTML (thank you, "Frontpage", another fine
Microsoft product), so even if they wanted to remove it they
couldn't.

As to "Ask a geek for help", I've got better things to do with my time,
such as making sure the mail server stays up and also blocks the
incoming spam you all hate so much but keep forwarding, closing up
security holes and cleaning up the trojans and viruses that users put
on the system by opening every attachment they get no matter who
sent it. You want to edit your email? Then get your point-and-click,
8-to-5-only body in here and take the computer training classes HR
has set up. Oops, sorry, I forgot, we have to make it mandatory just
to get you to come to the classes, held during work hours, on the
applications you must use in your job, so why would you come to an
evening or Sat. class?

Until the decision makers wake up and demand that email applications
reject HTML-style text, this "wiretap", trojan-carrying, security-hole
style of email will continue to be exploited. HTML-style email has not
only opened security holes but has increased the bandwidth load
by 500% because of the increased size due to the formatting codes
added to the message.

As we have moved farther down the information highway I've come to
believe that the makers and shakers have forgotten the "KISS"
principle when it comes to email and browsers. Paraphrasing Thomas
H. Lipscomb in an earlier post on the "Digital Divide": if by HTML
you must go, the underlying code you must know.


Larry D. Poos
[System Consultant]
LTAD Enterprises

E-MAIL:
(Primary)   ldpoosld () ec rr com

************

Date: Mon, 05 Feb 2001 10:43:50 -0800
From: Lorraine King <lking () telus net>
To: declan () well com
Subject: Re: FC: If you forward HTML email, it could be eavesdropped
References: <5.0.2.1.0.20010205105538.00a686a0 () mail well com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UIDL: 93ce9ce8ffe6bc096a44c9213e751ecc

Declan,

Not sure how wide your reach is - maybe only geeks to whom this will be
obvious - but with NS messenger it may not be obvious to everyone that you
need to turn js *off* for messenger, but can leave it on for the NS
browser. I only use 4.6 - not dealt with by the referenced page so perhaps
I am not affected (but not taking any chances, either) - and in its
preferences, the js-for-mail option is nested under the general js option.

Declan McCullagh wrote:
>
> "Email wiretapping" seems a little overblown, but this is bad news.
>
> The new netiquette:
> 1. Friends don't send friends HTML email
> 2. Friends don't accept HTML email from friends
> 3. Friends don't let friends use Outlook or Navigator to read email
> 4. If you or a friend must break the above three rules, then disable Javascript
> 5. If you or a friend must break the above four rules, remove Javascript
> code from the HTML email you forward (ask a geek for help)
<snip>


--
Lorraine P. King                            Telephone: (604) 936-6150
ICQ#11591526                                Cellular:  (604) 723-6051
Depth in content, depth in thinking, looking at a great many
sources to get information is a dying art.     -Bonnie Bracey

************

From: mikus () bga com (Mikus Grinbergs)
To: Declan McCullagh <declan () well com>
Subject: Re: FC: If you forward HTML email, it could be eavesdropped
Date: Mon, 05 Feb 2001 12:43:07 -0600

In list.poli, you wrote on Mon, 05 Feb 2001 10:55:49 -0500:
> "Email wiretapping" seems a little overblown, but this is bad news.
>
> The new netiquette:
> 1. Friends don't send friends HTML email
> 2. Friends don't accept HTML email from friends
> 3. Friends don't let friends use Outlook or Navigator to read email
> 4. If you or a friend must break the above three rules, then disable Javascript
> 5. If you or a friend must break the above four rules, remove Javascript
> code from the HTML email you forward (ask a geek for help)
>
> -Declan

Let me remind you of an incident which you (or somebody)
publicised.  (For which not even Javascript was needed!)

An individual using an anonymizer was posting messages (to
various newsgroups) which criticized corporation XYZ.  This
criticism drew enough attention for XYZ to assign "sleuths"
to the matter.  The sleuths concluded the critic was an XYZ
employee.  To track him down, the sleuths created an innocuous
image on their own webserver, but activated a "sniffer" which
would record the IP-address of anyone FETCHING that image.
They then replied to one of the critic's messages using an HTML
email message having a subject line they hoped would arouse his
interest.  The body of their message included a perfectly
ordinary HTML tag referencing the image's URL.  The sleuths
were in luck - the critic decided during lunch hour to connect
to his ISP and check his private email.  When the critic opened
that particular message in HTML mode, the message body FETCHED
(and displayed) the referenced image.  The sleuths now had the
IP-address (of the terminal within XYZ that the critic used),
and were able to identify him.

mikus

************
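Added worked example (the editor's, not code from the Politech post or from anyone quoted in it), written in Python rather than the Perl of Declan's one-liner. It covers two points from this thread: why a regex that deletes <script language="Java..."> blocks does not satisfy rule 5, since inline event handlers, javascript: links and entity-encoded variants of them pass straight through it, and the tracking image Mikus Grinbergs describes, where any src the mail client fetches on display hands the reader's IP address to whoever runs that server. The sample message, the example.invalid host and the EmailSanitizer/sanitize names are constructed for the example.

```python
"""Sanitize an HTML e-mail body before it is rendered or forwarded.
Added example; not code from the Politech post or from anyone quoted in it.
The sample message and the example.invalid host are constructed."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The Perl one-liner at the top of the page, transcribed to Python.  It only
# deletes <script language="Java..."> blocks; everything else that runs
# script in a mail client survives it.
SCRIPT_RE = re.compile(r'<script language="Java\w+.*?">.*?</script>', re.I | re.S)

def strip_script_tags(body: str) -> str:
    """The regex approach: delete <script language="Java..."> blocks."""
    return SCRIPT_RE.sub("", body)

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)   # onload, onmouseover, ...
# Fetched on display with no click (a clicked <a href> is the reader's choice)
AUTO_FETCH = {"src", "background", "lowsrc"}

def is_script_url(value: str) -> bool:
    """javascript: URL, even when padded with whitespace or control bytes,
    which browsers strip before matching the scheme."""
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")

class EmailSanitizer(HTMLParser):
    """Re-emit the body with script removed; record what would be fetched."""
    def __init__(self, body: str):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. verbatim
        self.out = []
        self.remote = []    # (tag, url) the client fetches when displaying
        self.removed = []   # (tag, attribute or None) that was dropped
        self._skip = 0      # > 0 while inside a <script> block
        self.feed(body)
        self.close()

    @property
    def html(self) -> str:
        return "".join(self.out)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._skip += 1
            self.removed.append((tag, None))
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # HTMLParser decodes entities in attribute values before we see
            # them, so "&#106;avascript:" arrives here as "javascript:".
            if EVENT_ATTR.match(name) or is_script_url(value):
                self.removed.append((tag, name))
                continue
            if name in AUTO_FETCH or (tag == "link" and name == "href"):
                if urlsplit(value).scheme.lower() in ("http", "https", "ftp"):
                    self.remote.append((tag, value))   # cid: etc. stay local
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):   # <br/> style tags
        self.handle_starttag(tag, attrs)
        if tag == "script":                     # <script/> has no body
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == "script":
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

def sanitize(body: str):   # -> (clean_html, remote_references, removed_items)
    s = EmailSanitizer(body)
    return s.html, s.remote, s.removed

# Constructed sample: one script block the regex catches, one it does not,
# an event handler, two forms of javascript: link, and a 1x1 tracking image.
SAMPLE = """<html><body>
<p>Re: the Q&amp;A thread you started</p>
<script language="JavaScript">alert('forwarded copy reports home')</script>
<a href="http://example.invalid/story" onmouseover="alert(1)">read more</a>
<a href="javascript:void(new Image().src='http://example.invalid/b')">details</a>
<a href="&#106;avascript:alert(2)">also this</a>
<img src="http://example.invalid/logo.gif" width="1" height="1">
<script>document.title = 'not matched by the regex'</script>
</body></html>"""
```

sanitize(SAMPLE) returns the cleaned body, the list of remote references ([("img", "http://example.invalid/logo.gif")] for the sample) and what was removed; strip_script_tags(SAMPLE) leaves the second <script> block, the onmouseover handler and both javascript: links in place. Inline attachments referenced as cid: are not remote and are left alone. The scheme check runs on the parsed attribute value, which HTMLParser has already decoded, so &#106;avascript: is caught; the regex, working on raw text, never sees it that way.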




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

