On Sunday, 16 June 2013 03:19:05 CEST, David Lang wrote:
arguably you can run into this with the embedded images as well.
No. If an image is actually attached (regardless of the Disposition) it resides at your MSP. If you mean that you can receive and display base64 encoded CP - yes, that's possible and eventually already considered crime (regardless of the lack of intention), but if you press delete you and your MSP know about that incident and what your MSP did (distribute) is likely even harder punished. So based on what "crime" you just committed by logging into your system, you can check the sanity of the local law and either report or stash this incident. Trusting attachments requires to trust your MSP and you already bought into that.
Almost all of those clients render all the HTML, including remote images, by default.
Errr... just tried thunderbird - it actually does *exactly* what i suggested (no, i did not know how it acts, otherwise i would have brought that point in) and asks me whether i want to download that content (and offers to always do so for messages from that sender, what's a questionable strategy, though). There seems to be no option to enable that globally. Can you point any MUA that by default renders external content (ideally not containing the word "outlook" - MS used to enable ActiveX in mails...)?
I just don't buy that it can be such a large liability if we don't see people who are using Outlook (who don't even have the option to turn it off) aren't getting in trouble continuously.
What do you call trouble? ~98.x% spam ratio in all mail traffic? This is not gonna be used to cause a direct attack on that user to own the box - the primary goal will be to validate the mail address and sell it to send you more spam.
and if there isn't an option to fix their response from booking.com, they'll think "stupid developers, they can't make something that works for me" and switch to some other application.
If that "option" includes to allow them to do this for this mail (alongside a warning, thunderbird says "to protect your privacy, thunderbird has blocked remote content in this message" on a yellow ground) ie. enacts them to understand the actual problem and take an informed decision, i do not object that solution. I just do object a solution, that offers them to shoot themselves (and is actually harder to find in the settings). Detect a foreign problem and offer a workaround, briefly explaining problem and risk, is kind and cooperative. Having a checkbox, detached from the actual problem in time and space, that allows the user to harm themself w/o probably understanding what they do, seems just evil.

Cheers,
Thomas
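The distinction drawn in this message between attached images and remote content, as an added example that is not part of the original mail or of any MUA's code: it sorts the references in an HTML part into those resolved from the stored message (`cid:`) and those that would trigger a fetch from a third party. The sample message, host names and the `classify_references` helper are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: one attached image (cid:) and one remote 1x1 image with a recipient token.
SAMPLE = """\
From: shop@example.com
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:logo@example.com">
<img src="https://track.example.com/open.gif?id=user%40example.org" width="1" height="1"></body></html>
--b1
Content-Type: image/png
Content-ID: <logo@example.com>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

class _Refs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for n, v in attrs if n in ("src", "background") and v]

def classify_references(raw):
    # Returns the references a viewer can resolve locally vs. those needing the network.
    msg = message_from_string(raw, policy=policy.default)
    cids, refs = set(), _Refs()
    for part in msg.walk():
        if part["Content-ID"]:
            cids.add(str(part["Content-ID"]).strip("<> "))
        if part.get_content_type() == "text/html":
            refs.feed(part.get_content())
    result = {"attached": [], "remote": [], "other": []}
    for url in refs.urls:
        scheme = urlsplit(url).scheme.lower()
        if scheme == "cid" and unquote(url[4:]) in cids:
            result["attached"].append(url)   # served from the stored message
        elif scheme in ("http", "https") or url.startswith("//"):
            result["remote"].append(url)     # fetching it contacts a third party
        else:
            result["other"].append(url)      # data:, dangling cid:, etc.
    return result
```

A viewer that blocks by default would render only the `attached` entries and ask per message before fetching anything listed under `remote`.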
