Re: Important note about NoHTML and Outlook 2002
From: Toby Beaumont (Toby@CREATORCOMMUNICATIONS.COM)
Date: 12/18/01
Date: Tue, 18 Dec 2001 09:17:24 -0000
From: Toby Beaumont <Toby@CREATORCOMMUNICATIONS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Nick wrote:
And, because it's from Microsoft, they only did it half-a$$ed --
digitally signed and encrypted messages will *not* be affected by the MS
"ReadAs Plain". Reading the KB article carefully suggests some
interesting things about Outlook's internal message handling and
strongly suggests that this MS "fix" to a problem entirely of MS' making
is applied at the wrong point in the message handling code.
===
2 things:
1. Why is this "entirely of MS' making"? - I'm not defending them, but
theirs isn't the only email application that supports HTML.
2. I disagree with this being "half-assed" - (RE: My previous email
Russ). Messages that are digitally signed and encrypted are treated by
Outlook in a similar way as a signed ActiveX control would be on a web
page. Since IE does not convert all web pages (signed or unsigned) to
plain text, is this half-assed too?
(NB: One of the attributes of a signed or encrypted email is that its
certificate is _only valid_ if the contents of the email have not been
altered since it was first signed. Converting to plain text would
therefore invalidate the certificate.)
For this and probably many other reasons, I do not think Microsoft, in
the foreseeable future, are going to take the security issue of HTML in
email to a level where subscribers of this list will ever consider it
anything but "half-assed".
So in the meantime, rather than wait to see if Microsoft change their
attitudes on this (which even if they do, is likely to be later rather
than sooner), implement your own security measures. A Linux system
running "sendmail" can, with the use of Perl (or similar language), scan
all incoming messages looking for the "content-type: text/html" and
strip out everything between the multipart MIME boundaries. Sendmail
then forwards all mail to your normal mail gateway. You may be left with
nothing but at least you can feel safe.
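
The gateway filter suggested in the message above, sketched in Python rather than Perl as an added example that is not part of the original post or of sendmail. The names `strip_html`, `PROTECTED` and `NOTICE` are hypothetical; the filter passes signed and encrypted mail through untouched (altering it would invalidate the signature, as the NB notes) and substitutes a notice when stripping would leave nothing.

```python
import email
from email import policy

# Signed or encrypted mail passes through: altering it breaks verification.
PROTECTED = {"multipart/signed", "multipart/encrypted",
             "application/pkcs7-mime", "application/x-pkcs7-mime"}
NOTICE = "[HTML content removed by mail filter]\n"  # hypothetical notice text

def _prune(part):
    """Drop text/html children of a multipart container; return the count removed."""
    kept, removed = [], 0
    for child in part.get_payload():
        ctype = child.get_content_type()  # lower-cased, so the match is case-insensitive
        if ctype == "text/html":
            removed += 1
            continue
        if (child.is_multipart() and child.get_content_maintype() == "multipart"
                and ctype not in PROTECTED):
            removed += _prune(child)
            if not child.get_payload():  # container emptied by pruning
                continue
        kept.append(child)
    part.set_payload(kept)
    return removed

def strip_html(raw):
    """Return (message_bytes, action) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype in PROTECTED:
        return raw, "passed-protected"
    removed = 1 if ctype == "text/html" else 0
    if msg.is_multipart() and msg.get_content_maintype() == "multipart":
        removed = _prune(msg)
    if removed == 0:
        return raw, "unchanged"
    if ctype == "text/html" or not msg.get_payload():
        msg.clear_content()  # "left with nothing": substitute a short notice
        msg.set_content(NOTICE)
        return msg.as_bytes(), "replaced"
    return msg.as_bytes(), "stripped"

# Constructed sample: one multipart/alternative message with a plain and an HTML part.
SAMPLE = (b"From: sender@example.com\nSubject: constructed sample\nMIME-Version: 1.0\n"
          b'Content-Type: multipart/alternative; boundary="b1"\n\n'
          b"--b1\nContent-Type: text/plain\n\nplain body\n"
          b"--b1\nContent-Type: text/html\n\n<b>html body</b>\n--b1--\n")

if __name__ == "__main__":
    print(strip_html(SAMPLE)[1])
```

Attached messages (`message/rfc822`) are not descended into, and hooking the function into the mail path (for example as a filter program in front of the normal gateway) is left out.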