At 8:58 AM -0500 2/5/2001, Steve Bellovin wrote:
>Every now and then, something pops up that reinforces the point that
>crypto can't solve all of our security and privacy problems. Today's
>installment can be found at
>http://www.privacyfoundation.org/advisories/advemailwiretap.html
>
>For almost all of us, the end systems are the weak points, not the
>transmission!
>
>
While I certainly agree with your general point, I don't think this
case is a good exemplar.

"The exploit requires the person reading a wiretapped email
message to be using an HTML-enabled email reader that also
has JavaScript turned on by default."

The notion that e-mail should be permitted to contain arbitrary
programs that are executed automatically by default on being opened
is so over the top from a security standpoint that it is hard to
find language strong enough to condemn it. It goes far beyond the
ordinary risks of end systems.

The closest analogy I can think of is the early days of the 20th
century when some doctors began prescribing radium suppositories for
a variety of ills.

Arnold Reinhold