Steven M. Bellovin
Tue, 06 Feb 2001 21:36:25 -0800
In message <v0421010db6a6089ec201@[24.218.56.92]>, "Arnold G. Reinhold" writes:

>While I certainly agree with your general point, I don't think this
>case is a good exemplar.
>
>"The exploit requires the person reading a wiretapped email
>message to be using an HTML-enabled email reader that also
>has JavaScript turned on by default."
>
>The notion that e-mail should be permitted to contain arbitrary
>programs that are executed automatically by default on being opened
>is so over the top from a security standpoint that it is hard to
>find language strong enough to condemn it. It goes far beyond the
>ordinary risks of end systems.

Actually, I don't think so. One of my (many) points here is *precisely* that a lot of email *does* contain such code. It shouldn't, of course, and sometimes (unlike this case) the authors of the mail reader tried to prevent it. But when I look at the number of mail-vectored worms we've seen in the last couple of years, I'm quite skeptical.

--Steve Bellovin, http://www.research.att.com/~smb