On Fri 29 Jun 2018 at 10:51:26 (+0200), to...@tuxteam.de wrote:
> On Fri, Jun 29, 2018 at 10:05:47AM +0200, Aldo Maggi wrote:
> > Ok, I understand your point, but, I wonder, are you using just lynx or
> > links2 for going on Internet? The problems you correctly point out are
> > not the same with Chromium, Firefox etc.?
>
> I wouldn't be so sure about lynx et al. Here [1] is a rough but readable
> explanation on how eFail works. There are two components into it: (1)
> a format like HTML, in which the client possibly follows links without
> user interaction (more on that below) and (2) how to bury a MIME
> boundary within HTML's baroque syntax so that for the HTML parser,
> the whole (now decrypted) message forms part of that link, which will
> be "given" readily to a server out there, waiting to harvest it.
>
> More on (1): the example uses an img tag. You might argue that HTML
> capable mail readers have learnt these days to not follow automatically
> img tags (on privacy grounds), but there is a multitude of other links
> which might be followed automatically: CSS, iframes...
>
> Are you sure your l{ynx,inks} doesn't download any of them? Do you know
> by heart all of those? Do you even know where to look them up? [2]
>
> I for one wouldn't know better than to look into lynx/links source
> code. Good luck with that.

When an email is HTML-only, I use lynx to read it. It doesn't download
anything because I set commandline options to prevent it (both
automatically and if I select a link). Here's the line from my
~/.mutt/mailcap-mutt file:

    # the next line is used only when an html attachment is selected in the attachments menu
    text/html; /usr/bin/lynx -force-html -localhost -stdin

which is configured in my ~/.mutt/muttrc file:

    set mailcap_path=$HOME/.mutt/mailcap-mutt

I think elinks has a similar option ( -localhost 1 ), but I don't know
about the links program. I like lynx because it doesn't just dump the
output but scrolls it like the interactive mode, highlighting the
(gagged) links.

> [1] https://thehackernews.com/2018/05/efail-pgp-email-encryption.html
> [2] This isn't to make you look bad: I don't myself either! This is
>     to drive home the message that "HTML" is a huge, ill-defined mess
>     of standards, and that all HTML renderers out there have to be
>     a steaming pile of pragmatism which is practically impossible to
>     validate.

Cheers,
David.
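
An added illustration, not part of the thread and not code from any poster: a small Python audit that lists the references in an HTML mail body which a renderer could fetch without a click (the img, CSS and iframe cases mentioned above). The attribute list, the function and class names, and the sample body with its example.invalid hosts are all constructed assumptions, and the list is deliberately incomplete.

```python
import re
from html.parser import HTMLParser

# Assumed, incomplete list of attributes a renderer may fetch with no click.
AUTO_FETCH_ATTRS = {"src", "background", "poster", "data"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
REMOTE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.I)  # scheme://host or //host

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits, self._in_style = [], False

    def _add(self, tag, where, url):
        if REMOTE.match(url.strip()):  # cid:, data: and relative paths stay local
            self.hits.append((tag, where, url.strip()))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value and (name in AUTO_FETCH_ATTRS or (tag, name) == ("link", "href")):
                self._add(tag, name, value)
            elif value and name == "style":  # inline CSS can pull images too
                for url in CSS_URL.findall(value):
                    self._add(tag, "style", url)

    def handle_endtag(self, tag):
        self._in_style = False  # inside <style> only </style> is seen as a tag

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self._add("style", "css", url)

def remote_refs(html_body):
    """Return (tag, location, url) for each auto-fetchable remote reference."""
    finder = RemoteRefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits

# Constructed sample body; example.invalid never resolves.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://tracker.example.invalid/a.css">
<style>body { background: url('https://tracker.example.invalid/bg.png') }</style>
</head><body><p style="background-image:url(//tracker.example.invalid/p.gif)">Hi</p>
<img src="cid:logo@local"> <img src="http://tracker.example.invalid/pixel.gif">
<iframe src="https://tracker.example.invalid/frame"></iframe>
<a href="http://example.invalid/click-me">needs a click, not reported</a>
</body></html>"""
if __name__ == "__main__":
    print(*remote_refs(SAMPLE), sep="\n")
```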