Comments on: Apple Mail and its security. http://blog.cocoia.com/2007/03/31/apple-mail-and-its-security/ The Cocoia Blog is the website of Sebastiaan de With, a Dutch Icon and Interface designer. Mon, 13 Oct 2008 06:09:54 +0000 http://wordpress.org/?v=2.5 By: John http://blog.cocoia.com/2007/03/31/apple-mail-and-its-security/#comment-610 John Mon, 02 Apr 2007 03:28:19 +0000 http://blog.cocoia.com/?p=42#comment-610 Use "its" for possessive for fuck's sake. Use “its” for possessive for fuck’s sake.

]]> By: sebastiaan http://blog.cocoia.com/2007/03/31/apple-mail-and-its-security/#comment-562 sebastiaan Sun, 01 Apr 2007 12:07:48 +0000 http://blog.cocoia.com/?p=42#comment-562 Christopher; although the problems identified do lie in HTML and it's purpose, it's the idea of HTML in the email medium that makes it even more risky; namely, allowing HTML files to be sent anonymously and over a whole new delivery path. Mark, first of all, thanks for reading. I appreciate your work a lot. How's the weather round the other side of the globe? I have mixed up a few things in my entry. Although I have found that indeed, plugin support is limited, and prior permission is asked to render inline elements that are externally linked, many people use the 'Display remote images' (under the Viewing preferences) option as well. Gmail has per-domain picking, and I haven't found this in Apple Mail. Although the rendering of plugin content doesn't occur when processing resources that aren't attached, it does work out in another phase of email - re-embedded in a reply, for example, or simply attachements. I've found that it's often not the programs (which I use and love) but the people using it making big faults. Thanks for pointing out some inaccuracies, I'll revise the post somewhat as it's valid critique. Christopher; although the problems identified do lie in HTML and it’s purpose, it’s the idea of HTML in the email medium that makes it even more risky; namely, allowing HTML files to be sent anonymously and over a whole new delivery path.

Mark, first of all, thanks for reading. I appreciate your work a lot. How’s the weather round the other side of the globe?

I have mixed up a few things in my entry.
Although I have found that indeed, plugin support is limited, and prior permission is asked to render inline elements that are externally linked, many people use the ‘Display remote images’ (under the Viewing preferences) option as well. Gmail has per-domain picking, and I haven’t found this in Apple Mail. Although the rendering of plugin content doesn’t occur when processing resources that aren’t attached, it does work out in another phase of email - re-embedded in a reply, for example, or simply attachements. I’ve found that it’s often not the programs (which I use and love) but the people using it making big faults.

Thanks for pointing out some inaccuracies, I’ll revise the post somewhat as it’s valid critique.

]]> By: Mark Rowe http://blog.cocoia.com/2007/03/31/apple-mail-and-its-security/#comment-543 Mark Rowe Sun, 01 Apr 2007 03:04:15 +0000 http://blog.cocoia.com/?p=42#comment-543 If you've ever used Mail it should be pretty clear that all three of your points are completely moot. WebKit in Mail does not load external images unless you explicitly click a "Load Images" button that it presents. It disables JavaScript on the embedded web view so arbitrary code is not executed. It also disables plugins. None of the "major issues" that you point out are legitimate. The only real risk is that of bugs within WebKit or Mail itself. If you’ve ever used Mail it should be pretty clear that all three of your points are completely moot. WebKit in Mail does not load external images unless you explicitly click a “Load Images” button that it presents. It disables JavaScript on the embedded web view so arbitrary code is not executed. It also disables plugins. None of the “major issues” that you point out are legitimate. The only real risk is that of bugs within WebKit or Mail itself.

]]> By: Christopher http://blog.cocoia.com/2007/03/31/apple-mail-and-its-security/#comment-541 Christopher Sun, 01 Apr 2007 02:31:15 +0000 http://blog.cocoia.com/?p=42#comment-541 I appreciate your anaylsis on the security problems HTML mail can cause, but apart from identifying someone through their email address, how is it more risky then standard HTML/XHTML over the web? I'd say that any problems it causes lie with the vulnerabilities of HTML itself (given it was hardly designed with security in mind) rather then with HTML mail clients. I appreciate your anaylsis on the security problems HTML mail can cause, but apart from identifying someone through their email address, how is it more risky then standard HTML/XHTML over the web?

I’d say that any problems it causes lie with the vulnerabilities of HTML itself (given it was hardly designed with security in mind) rather then with HTML mail clients.

]]>