-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Jun 27, 2018 at 02:47:17PM -0700, Patrick Bartek wrote: > On Wed, 27 Jun 2018 22:19:53 +0200 > Aldo Maggi <aldo.ma...@poste.it> wrote: > > > It is now more than one year I have to manually send html content to > > a browser to see it
[...] > I checked around the last time you posted this query. Couldn't > find it [...] > I'm sure that "security problem" has been fixed. That was from when > Wheezy was Stable. To be fair, HTML mails dont "have" this or that "security problem", they are a *constant source* of security problems. Be it that they use links that auto-resolve (yes, you can disable loading images, and most sensible MUAs do it, but what about CSS? Do you know what other resources HTML is set to load?). For one recent example on how HTML mail can subvert (S-MIME) encryption, see efail [1] (and no, don't follow EFF's recommendation quoted there to disable PGP -- better disable HTML). The biggest problem (apart from its sheer complexity) is that HTML is a moving target: soon it won't be HTML without Javascript. Me? I don't want my mail user agent executing programs sent by some random spammer, thankyouverymuch. Cheers [1] https://arstechnica.com/information-technology/2018/05/decade-old-efail-attack-can-decrypt-previously-obtained-encrypted-e-mails/ - -- tomás -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAls0gkcACgkQBcgs9XrR2kZWMACfbZRSQtidhrjCHXMdkTJDvq3s NlgAnArXEipedrlOcZonvIddiT7ECYnY =K7jn -----END PGP SIGNATURE-----
