Re: [fw-wiz] HTML Emails and Firewall Security

From: Bill Royds (broyds_at_rogers.com)
Date: 07/31/03

    To: "Paul Robertson" <proberts@patriot.net>, "Ron Suarez" <rsuarez@videotron.ca>
    Date: Wed, 30 Jul 2003 21:41:50 -0400
    
    

    The new Microsoft Outlook client has several levels of HTML filtering from
    text only to "html only with no images or script or other links" to html
    with no script but with embedded images to full blown HTML. The second level
    (HTML formatting for text but no other HTML) is probably the best for most
    users. It allows some structure in a message (heading, italic, bold,
    tabular data) to help convey information in a more readable fashion than
    plain text, but limits the effects of scripts or web bugs.

    ----- Original Message -----
    From: "Paul Robertson" <proberts@patriot.net>
    To: "Ron Suarez" <rsuarez@videotron.ca>
    Cc: <firewall-wizards@honor.icsalabs.com>
    Sent: Wednesday, July 30, 2003 8:54 PM
    Subject: Re: [fw-wiz] HTML Emails and Firewall Security

    On Wed, 30 Jul 2003, Ron Suarez wrote:

    > Hi all,
    >
    > I've been reading that HTML email can compromise network security. Because

    Well, to be more accurate, bugs in applications that handle HTML can be
    used to compromise network security.

    > of this, some companies filter out html email. Even Microsoft has decided to
    > disable the HTML function in the default installation of upcoming versions
    > of Microsoft Outlook.

    That's interesting, I hadn't heard that, but I applaud it wholeheartedly.

    >
    > I'm curious how many of you also see this as a threat to your network and
    > also filter out html emails?

    I've seen a few products that do that, I've had things in place ready to
    do that if there was an immediate threat, but haven't seen it necessary to
    do so.

    > I am also seeing more and more B2B marketing departments send html email
    > (eNewsletters) as part of their strategy. I'm thinking that their emails
    > aren't being received properly by their clients or received at all.

    Better than 90% of the spam I get is HTML, I've considered bouncing it
    automatically from the list too.

    > What are your thoughts?

    HTML is fine for Web pages, but the parsing of it, along with the active
    content payload makes it dangerous. I wouldn't actively block it, but I'd
    consider actively breaking it (I've run the old FWTK proxy with the
    Hitachi patches for active stuff for Web browsing) - I don't think there's
    much that you lose by removing all the tags or changing them to comments.

    It's not allowed on the list because of the concerns about active content
    embedded within it more than anything (and it's annoying if you don't use
    an HTML-enabled mail client.)

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson          "My statements in this message are personal opinions
    proberts@patriot.net        which may have no basis whatsoever in fact."
    probertson@trusecure.com    Director of Risk Assessment TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


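One way to implement the "HTML formatting for text but no other HTML" level Bill describes, which is also Paul's "remove all the tags" approach applied selectively, as an added example that is not Outlook's or any poster's code: an allow-list sanitizer on the Python standard library's html.parser that keeps structural and emphasis tags with no attributes, keeps link text but drops the link, and removes images, script and style together with their content. The tag sets and the sample message are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list of structural/formatting tags; attributes are never kept.
KEEP = {"p", "br", "h1", "h2", "h3", "h4", "h5", "h6", "b", "i", "u",
        "strong", "em", "ul", "ol", "li", "blockquote", "table", "thead",
        "tbody", "tr", "th", "td", "div", "span"}
# Elements whose text content is dropped along with the tag itself.
DROP_CONTENT = {"script", "style", "object", "embed", "iframe", "noscript"}
VOID = {"br"}  # kept tags that take no closing tag

class FormattingOnly(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.suppress = 0  # nesting depth inside DROP_CONTENT elements

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.suppress += 1
        elif not self.suppress and tag in KEEP:
            self.out.append(f"<{tag}>")  # no style=, on*=, href= or src=
        # Anything else (img, a, form, link, meta, ...) is dropped; the text
        # inside it, e.g. a link's label, is still emitted by handle_data.

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.suppress = max(0, self.suppress - 1)
        elif not self.suppress and tag in KEEP and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(escape(data, quote=False))  # re-escape < > &
    # HTML comments (incl. IE conditional comments) hit the no-op default.

def sanitize(html_body: str) -> str:
    parser = FormattingOnly()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)

# Constructed sample with a tracking link, a 1x1 web bug and inline script.
SAMPLE = ('<html><body><h1 style="color:red">Q3 Report</h1>'
          '<p>Hello <b onmouseover="trackMe()">Bob</b>, see '
          '<a href="http://example.invalid/t?id=7">the figures</a>.'
          '<img src="http://example.invalid/bug.gif" width="1" height="1">'
          '<script>trackMe()</script>'
          '<table><tr><td>Revenue</td><td>42</td></tr></table></p></body></html>')
```

Running sanitize(SAMPLE) leaves the heading, emphasis, link label and table, and nothing that could fetch a remote resource or execute.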
