
Re: HTML mail



On 2019-07-11 15:25, Andrei POPESCU wrote:
> On Jo, 11 iul 19, 12:31:07, John Crawley wrote:
>> ...user agents that could deal with html in some sane way, and without
>> exposing the recipient to attacks. Simply not following any web links would
>> be enough I'd have thought? Or are there some more subtle attack paths?
>
> Yes, look up the EFAIL vulnerability (I posted a link in another
> message). It enabled a potential attacker to trick e-mail clients
> parsing html e-mail to decrypt an (old) encrypted message.
>
> In most cases users only had to open the message.

Since enforcing no-html, and particularly no-malevolent-html on all incoming mail is not an option available to us, the only remaining choices for a "good" MUA would then be:
A) Display html as-is, tags and all
B) Strip out the tags and display what's left, like html2text

I think B) is the better option.

--
John
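
Option B from the message above, sketched as an added example (not part of the original message and not any MUA's own code): a text-only renderer that drops tags, discards script and style content, and records URL-bearing attributes instead of loading or following them. The names `TextOnly`, `html_to_text` and `SAMPLE` are hypothetical, and the sample body is constructed.

```python
from html.parser import HTMLParser

# Elements whose content is never shown to the reader.
SKIP = {"script", "style", "head"}
# Elements that start or end a line of text.
BLOCK = {"p", "div", "br", "li", "tr", "h1", "h2", "h3", "blockquote"}
# Attributes that can name a URL an HTML engine might load or follow.
URL_ATTRS = {"src", "href", "background", "action", "data", "poster"}


class TextOnly(HTMLParser):
    """Collect visible text; record URLs instead of fetching them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.urls, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP:
            self.skip_depth += 1
        if tag in BLOCK:
            self.parts.append("\n")
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, value))  # reported, never requested

    def handle_endtag(self, tag):
        if tag in SKIP and self.skip_depth:
            self.skip_depth -= 1
        if tag in BLOCK:
            self.parts.append("\n")

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(data)


def html_to_text(html):
    """Return (plain_text, [(tag, url), ...]) for an HTML mail body."""
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    lines = (" ".join(l.split()) for l in "".join(parser.parts).splitlines())
    return "\n".join(l for l in lines if l), parser.urls


# Constructed sample body: remote image, link, style and script content.
SAMPLE = ('<html><head><style>p{color:red}</style></head><body>'
          '<p>Hello <b>list</b>,</p>'
          '<img src="http://tracker.example/pixel?id=42">'
          '<p>see <a href="http://example.org/doc">the notes</a>.</p>'
          '<script>alert(1)</script></body></html>')
```

The second return value lets a client tell the reader which remote references the message carried without ever contacting them.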