
List:       sylpheed
Subject:    [sylpheed:22150] Re: Important : Need to disable HTML
From:       Bob Apthorpe <apthorpe-sylpheed () cynistar ! net>
Date:       2003-12-27 18:44:44

Hi,

On Sat, 27 Dec 2003 12:24:54 +1030 Mark Smith
<sylpheed@ecd454c569bd3359dd78788d1c15ea30.nosense.org> wrote:

> On Fri, 26 Dec 2003 12:04:43 -0600
> Tommy Reynolds <Tommy.Reynolds@MegaCoder.com> wrote:
> 
> > My, my, my.  What a lot of activity because someone clicked on a link
> > in an email and was actually taken somewhere.
> > 
[snip]
> 
> However, other people are likely to get tricked in more easily. If
> Sylpheed can help prevent that, it can only be an improvement, further
> making it one of the better MUAs out there.
> 
> I like the double-click URL feature of Sylpheed. I don't mind that it is
> rendering HTML either. My only concern, which is why I posted the
> original message, was that these features of Sylpheed, in their current
> form, can only assist "phishermen" in their quest. 

Semi-OT: One of my favorite remarks about perl is "Perl does what you
expect, provided you expect the right thing..." In this case, one should
probably expect that clicking a link tells one's browser to follow that
link. One also expects that the link and the link text are related. This
is more a social (engineering) or trust issue than a raw coding issue.
Since phishers are getting more sophisticated in their attacks, it would
be a convenience if the software could take reasonable and limited steps
to defend against these sorts of attacks.

Mind you, I don't like cloying 'think for the user' bloatware, but I do
appreciate code that tersely and gracefully deals with common problems.
I'm a perl coder so I may tend to oversimplify things, but I'd be
satisfied by:

if (link text resembles a domain/URL)
  and (link domain differs from link text) then
    warn user about suspect link
else
    render link normally
endif

Trying to put too much intelligence into this is liable to result in
wasted time and broken code; still, URLs resembling:

  http://www.citibank.com@1116196952/redir.pl?dest=http://216.109.118.74/not/really/citibank

ought to set off some warning. At least it should be shown to the user
so they can decide for themselves whether the link is worth following.
The big problem is that currently, the software doesn't provide the user
with enough information to reasonably make that decision (to be fair, I
don't know that any MUA does this.)

-- Bob

PS: I've been permanently brain-damaged by reading Knuth's articles on
Literate Programming, which is one of the reasons I recommend "Elements
of Programming With Perl" from Manning Press over Randal Schwartz's
"Learning Perl" from O'Reilly. Also, I don't like Randal's coding style
-- too terse for my taste. LP is interesting, produces awful-looking
source code, but it's frighteningly easy to understand and change.
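As an added illustration of the check Bob sketches above (this is not code from the thread, from Sylpheed, or from any MUA), here is a Python version of the heuristic: if the visible link text looks like a URL or domain, take its host and compare it with the host a browser would actually contact, and separately flag a `user@` part before the host and a host written as a bare decimal integer, both of which appear in the sample URL. The `registrable()` helper (last two labels, not a public-suffix lookup) and the sample inputs are constructed simplifications for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Visible link text that "resembles a domain/URL": an optional scheme, then
# something with at least one dot and an alphabetic last label.
HOSTLIKE = re.compile(r'^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$', re.I)


def text_host(link_text):
    """Return the host named by the visible link text, or None if the text
    does not look like a URL or domain (e.g. 'click here')."""
    m = HOSTLIKE.match(link_text.strip())
    return m.group(1).lower() if m else None


def canonical_host(url):
    """Host the browser would really connect to: userinfo is discarded by
    urlsplit().hostname, and a decimal-integer host (1116196952) is rendered
    as the dotted quad it denotes."""
    parts = urlsplit(url)
    host = parts.hostname or ''
    if host.isdigit():
        host = str(ipaddress.IPv4Address(int(host)))
    return host


def registrable(host):
    """Constructed simplification: treat the last two labels as the
    registrable domain, so www.citibank.com and citibank.com compare equal."""
    return '.'.join(host.split('.')[-2:])


def assess_link(link_text, href):
    """Return a list of warnings for the user; an empty list means
    'render link normally'."""
    findings = []
    parts = urlsplit(href)
    actual = canonical_host(href)

    # 'http://www.citibank.com@...' : everything before '@' is a username,
    # not the destination, and is a classic way to dress up a hostile host.
    if parts.username is not None:
        findings.append("userinfo '%s@' precedes the real host %s" % (parts.username, actual))

    # A host given as one decimal integer hides where the link really goes.
    if (parts.hostname or '').isdigit():
        findings.append("decimal host %s is IPv4 address %s" % (parts.hostname, actual))

    # The check from the pseudocode: link text names a domain, link goes elsewhere.
    shown = text_host(link_text)
    if shown and registrable(shown) != registrable(actual):
        findings.append("link text names %s but the link goes to %s" % (shown, actual))

    return findings


if __name__ == '__main__':
    # Constructed sample: the URL from the message, shown with matching link text.
    sample_text = 'http://www.citibank.com'
    sample_href = ('http://www.citibank.com@1116196952/redir.pl'
                   '?dest=http://216.109.118.74/not/really/citibank')
    for warning in assess_link(sample_text, sample_href):
        print('WARNING:', warning)
```

A warning list is returned rather than printed so a mail client could decide how to present it (a tooltip, a confirmation dialog, or simply showing the canonical host beside the link text), which is the "show it to the user and let them decide" behaviour the message asks for.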
