[8575] in cryptography@c2.net mail archive
Re: it's not the crypto
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Feb 7 00:52:04 2001
From: "Steven M. Bellovin" <smb@research.att.com>
To: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: cryptography@c2.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 06 Feb 2001 19:45:31 -0500
Message-Id: <20010207004602.EBC8C35DC9@berkshire.research.att.com>
In message <v0421010db6a6089ec201@[24.218.56.92]>, "Arnold G. Reinhold" writes:
>>
>
>While I certainly agree with your general point, I don't think this
>case is a good exemplar.
>
>"The exploit requires the person reading a wiretapped email
>message to be using an HTML-enabled email reader that also
>has JavaScript turned on by default."
>
>The notion that e-mail should be permitted to contain arbitrary
>programs that are executed automatically by default on being opened
>is so over the top from a security stand point that it is hard to
>find language strong enough to condemn it. It goes far beyond the
>ordinary risks of end systems.
Actually, I don't think so. One of my (many) points here is
*precisely* that a lot of email *does* contain such code. It
shouldn't, of course, and sometimes (unlike this case) the authors of
the mail reader tried to prevent it. But when I look at the number of
mail-vectored worms we've seen in the last couple of years, I'm quite
skeptical.
--Steve Bellovin, http://www.research.att.com/~smb