Arnold G. Reinhold
Tue, 06 Feb 2001 12:53:06 -0800
At 8:58 AM -0500 2/5/2001, Steve Bellovin wrote:
>Every now and then, something pops up that reinforces the point that
>crypto can't solve all of our security and privacy problems. Today's
>installment can be found at
>http://www.privacyfoundation.org/advisories/advemailwiretap.html
>
>For almost all of us, the end systems are the weak points, not the
>transmission!
>

While I certainly agree with your general point, I don't think this case is a good exemplar.

"The exploit requires the person reading a wiretapped email message to be using an HTML-enabled email reader that also has JavaScript turned on by default."

The notion that e-mail should be permitted to contain arbitrary programs that are executed automatically by default on being opened is so over the top from a security standpoint that it is hard to find language strong enough to condemn it. It goes far beyond the ordinary risks of end systems. The closest analogy I can think of is the early days of the 20th century when some doctors began prescribing radium suppositories for a variety of ills.

Arnold Reinhold