I wanted to reply to this, and make a clarification -

At 08:57 PM 2/14/00 -0500, Rishi Lee Khan wrote:
>There is an easy way to open a web page using an email client using HTML
>parsing ... simply put in the <head> tag <meta http-equiv="REFRESH"
>content="0;URL=http://www.yourpagehere.com">

Tried it, and it doesn't seem to work. Created an HTML mail with this embedded, opened it in Outlook, and no refresh. Did a Save As to dump it out to file, opened it with IE, got the refresh. I'm not saying it can't be made to work, but I can't do it, and it seems like a decent test, since I am getting it to refresh in IE.

>Marc Slemko wrote:
>> So while disabling all the "features" that you can when reading HTML mail
>> is definitely recommended and protects you against a lot of attacks, it is
>> not a complete solution. I seriously doubt that all the ways of
>> exploiting this issue without using scripting languages have been
>> discovered.

Now for the clarification:

I am NOT trying to solve the general problem of all the bad things that either can happen, or are theoretically possible once you plug in the network cable. I am trying to solve the specific problem of cross-site scripting attacks being delivered by e-mail. What I recommend specifically for using Outlook (probably also applies to other mail readers using IE as an HTML viewer) is:

1) Set it to run in the Restricted Sites zone
2) Edit the Restricted Sites zone into what I call maximum paranoia mode - turn EVERYTHING off. IIRC, cookies are off to begin with, but this gets them turned off for sure.

Am I now saying that if you do this, you're safe? Absolutely not. You're never safe. A meteorite could come through the roof, or you could get hit with an evil bug that isn't publicly known yet. Anything can happen. No one expects the Spanish Inquisition! I _am_ saying that there are a whole bunch of things that I _know_ can get you that now won't get you.

Am I saying that HTML mail is a great idea, and that applying these settings makes it all safe and cozy? To quote Marc, "NO, NO, NO!!!" IMHO, it isn't a great idea, but lots of people use it, and I can't turn it off in the mail reader I use at work, so I think these settings make it a much more reasonable risk.

Speaking of which, there are still 3 things that I know of to worry about:

1) Embedded URLs in HTML mail - these will invoke the browser IF you click on them, and the effect will depend on a lot of other issues. You're also now most likely running in the Internet zone, so different settings apply. Personally, I take a look at them before clicking on them, or just type them in.
2) HTML attachments - these aren't governed by the mail reader, but by the browser. Make the browser settings you think are appropriate.
3) Things I don't know about. No telling what sort of nastiness is lurking out there. Definitely worry about this one.

I don't think security problems on the Internet are a passing phase - we're all in for a wild ride.

David LeBlanc
dleblancat_private
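
Added example, not part of the original message or code from any of the posters: a Python check that walks a mail message's HTML parts and reports the constructs discussed in this thread (meta refresh, script-capable tags, event-handler attributes, and the link targets to look at before clicking). The sample message, the tag list and the function names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message; the refresh URL is the placeholder quoted in the thread.
SAMPLE = """\
From: sender@example.com
To: reader@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><head>
<meta http-equiv="REFRESH" content="0;URL=http://www.yourpagehere.com">
</head><body onload="void 0">
<p>Hello</p>
<a href="http://www.example.com/">a link</a>
<script>document.title = "x"</script>
</body></html>
"""

# Assumed list of tags that can run or load active content.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame"}

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        elif tag == "a" and a.get("href"):
            self.findings.append(("link", a["href"]))
        for name in a:  # onload, onclick, ... need no <script> tag
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}.{name}"))

def scan_message(raw):
    """Return (kind, detail) findings for every text/html part of a message."""
    findings = []
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings
```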
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:07 PDT