- From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
- Date: Wed, 04 Jan 1995 07:57:12 -0500
- To: raisch@internet.com
- Cc: uri@bunyip.com
> Since URLs are hardly something which the casual user might have
>
> - an overriding interest in
> - an appreciation of the consequences of
> - comprehensive knowledge of
>
> I would politely suggest that this is a bad idea. For a more in depth
> explanation of the inadvisability of this URL scheme please see:
>
> <mailmsg:president@whitehouse.gov//Death Threat/I'm gonna git you sucka>

This is, of course, a serious concern. As Larry pointed out, similar concerns also exist for the gopher: URL, since it can be used to spoof mail messages in less obvious ways.

You'll have to forgive me for noting the incredible irony of this, considering your past messages to the effect that my noting this security hole was just "bull". Always good to see someone see the light. :-)

The solution to the gopher problem has generally been to restrict the functionality so that the SMTP trick won't work (though some WWW browsers, including a very popular one whose name starts with "N", are vulnerable to this hole.)

I think it's quite reasonable for software to understand enough about mail to prompt the user with the content of the message; most users can be expected to be sophisticated enough to look at a message and figure out if it's obviously dangerous or illegal. I think there should be a way to specify a mail message in a URL, and that that's a functionality which MIME message/external-body has had over URLs for a while. What's important is to avoid the situation where users are asked something they can't be reasonably expected to understand, like "Is it OK if I open a connection to port 25 of 198.137.240.100?"

- Marc
Received on Wednesday, 4 January 1995 07:57:24 UTC