Re: [fw-wiz] HTML Emails and Firewall Security
From: Paul Robertson (proberts_at_patriot.net)
Date: 07/31/03
- Previous message: Jim McAtee: "Re: [fw-wiz] OT: Av and Gartner..."
- In reply to: Ron Suarez: "[fw-wiz] HTML Emails and Firewall Security"
- Next in thread: Bill Royds: "Re: [fw-wiz] HTML Emails and Firewall Security"
- Reply: Bill Royds: "Re: [fw-wiz] HTML Emails and Firewall Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Ron Suarez <rsuarez@videotron.ca>
Date: Wed, 30 Jul 2003 20:54:33 -0400 (EDT)
On Wed, 30 Jul 2003, Ron Suarez wrote:
> Hi all,
>
> I've been reading that HTML email can compromise network security. Because
Well, to be more accurate, bugs in applications that handle HTML can be
used to compromise network security.
> of this, some companies filter out html email. Even Microsoft has decided to
> disable the HTML function in the default installation of upcoming versions
> of Microsoft Outlook.
That's interesting, I hadn't heard that, but I applaud it wholeheartedly.
>
> I'm curious how many of you also see this as a threat to your network and
> also filter out html emails?
I've seen a few products that do that, I've had things in place ready to
do that if there was an immediate threat, but haven't seen it necessary to
do so.
> I am also seeing more and more B2B marketing departments send html email
> (eNewsletters) as part of their strategy. I'm thinking that their emails
> aren't being received properly by their clients or received at all.
Better than 90% of the spam I get is HTML, I've considered bouncing it
automatically from the list too.
> What are your thoughts?
HTML is fine for Web pages, but the parsing of it, along with the active
content payload makes it dangerous. I wouldn't actively block it, but I'd
consider actively breaking it (I've run the old FWTK proxy with the
Hitachi patches for active stuff for Web browsing) - I don't think there's
much that you lose by removing all the tags or changing them to comments.
It's not allowed on the list because of the concerns about active content
embedded within it more than anything (and it's annoying if you don't use
an HTML-enabled mail client.)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
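
The "remove all the tags" approach from the message above, sketched as a mail-gateway filter. This is an added example, not code from the post or from the FWTK; the names `TagStripper` and `defang_html_mail` and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

class TagStripper(HTMLParser):
    """Keep visible text only; tags, attributes and comments are dropped."""
    SKIP = {"script", "style"}              # element bodies discarded entirely
    BREAK = {"p", "br", "div", "tr", "li"}  # turned into line breaks

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip += 1
        elif tag in self.BREAK:
            self.out.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:   # an unclosed <script> swallows the rest (fails closed)
            self.out.append(data)

def defang_html_mail(raw: str) -> str:
    """Rewrite every text/html part of a message as text/plain."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            stripper = TagStripper()
            stripper.feed(part.get_content())
            stripper.close()
            text = "".join(stripper.out).strip() + "\n"
            part.set_content(text, subtype="plain")  # replaces Content-* headers
    return msg.as_string()

# Constructed sample: a newsletter with a script, an onload handler and a web bug.
SAMPLE = """\
From: news@example.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

July offers inside.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body onload="track()"><script>track=function(){}</script>
<p>July <b>offers</b> inside.</p>
<img src="http://tracker.example.net/bug.gif?id=42" width=1 height=1>
</body></html>
--b1--
"""
```

Because the part is re-labelled `text/plain`, the receiving client never hands it to an HTML parser, which is the component the reply identifies as the risk.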