On Fri, 14 Jun 2013, Thomas Lübking wrote:
On Freitag, 14. Juni 2013 19:31:50 CEST, Jan Kundrát wrote:
and expected the users to be aware of the risks
Depends on "users" - as long as pot. facebook and trojitá users are disjunct,
this is probably true.
But the majority of all users will just see the need to allow domains as
needless annoyance. And they will click *ever* if they trust the sender once,
regardless of the "domain" ("that's lists.flaska.net, ie. the part after the
@, is it?") unless you scare them with an annoying warning every time they
try.
Repeated scary warnings are worse than useless. They desensitize users about
other, more important, warnings.
What do you propose?
Given that the amount of domains under a user's control will be rather readily
comprehensible (if any)?
A warning and a lineedit to enter a CSV list, supporting wildcards
(*.company.com) on > 2nd level domains (not "*.com")
To me, and with the threat model that I can imagine, the target
domain is the only information which can be trusted, at least
until Trojita ships with support for verifying signed mail. Do
you see a flaw in this reasoning?
Not at all.
I see a flaw in providing users a "click-me" button to build that list.
Adding that ability to a "yes, i know what i am doing - it's my server"
experienced admin is hardly any problem. They're paid to know what they're
doing.
Enabling regular users to do that, with the ability to act-without-thinking,
exposes them to self-damaging. They're certainly (often...) able to oversee
the current situation (spam ./. notspam) but not to create a reasonable
filter for certain actions, understanding that it's not secure to trust
imageshack, just because it's a popular service and "likely not infiltrated".
Given that the threat is limited to "you'll get more spam" and not "you're
now a drone", one could argue: "pfff... evolution" - but that's not very nice
(and you can be sure that they'll blame you for their mistakes ;-)
You cannot protect all the users. If you try you will just make the software
worthless.
And to be realistic, most images are not actually attacks (although a large
portion of the images in spam e-mails are some sort of threat, even if it's just
"confirm this message was opened" info)
If you want to have some sophisticated approach to block images, make a plugin
interface for it and let people use SpamAssassin, blacklists, etc to block
things.
But for the generic Trojita build, have a configuration that lets you
  - require manual opening of images
  - auto open all images
  - auto open only if on 'cheap' Internet connection
  - _possibly_ override the default on a per-folder basis
  - _possibly_ add a flag to a message to auto-open the next time
If you try and get more complex than that, you are well into the realm of
diminishing possibilities
And if you just block all images, you end up not protecting the users anyway as
they will move to a mail client that will let them see the kitten pictures that
people send to them without such horrid annoyances.
David Lang
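
The wildcard rule proposed earlier in the thread (a CSV list where "*.company.com" is accepted and "*.com" is not), sketched as an added example; it is not part of any message above and is not Trojita code. The function names are hypothetical, and the host is assumed to come from an already parsed image URL.

```cpp
// Added example, not Trojita code; all function names are hypothetical.
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

static std::string lower(std::string s) {  // host names are case-insensitive
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Accept an exact host, or "*.<suffix>" only when <suffix> has at least two
// labels: "*.company.com" passes, "*.com" and a bare "*" do not.
static bool validPattern(const std::string &p) {
    const bool wild = p.rfind("*.", 0) == 0;
    const std::string rest = wild ? p.substr(2) : p;
    if (rest.empty() || rest.find_first_of("* \t") != std::string::npos) return false;
    if (rest.front() == '.' || rest.back() == '.' || rest.find("..") != std::string::npos)
        return false;  // empty label such as "a..b" or ".com"
    return !wild || rest.find('.') != std::string::npos;
}

// Parse the comma-separated list, dropping entries that fail validation.
std::vector<std::string> parseAllowList(const std::string &csv) {
    std::vector<std::string> out;
    std::istringstream in(csv);
    for (std::string item; std::getline(in, item, ',');) {
        item.erase(0, item.find_first_not_of(" \t"));   // trim left
        item.erase(item.find_last_not_of(" \t") + 1);   // trim right
        item = lower(item);
        if (validPattern(item)) out.push_back(item);
    }
    return out;
}

// True if host equals an entry or is a strict subdomain of a wildcard suffix.
bool hostAllowed(const std::string &rawHost, const std::vector<std::string> &list) {
    const std::string host = lower(rawHost);
    for (const std::string &p : list) {
        if (p[0] != '*') { if (host == p) return true; continue; }
        const std::string suffix = p.substr(1);  // ".company.com", leading dot kept
        if (host.size() > suffix.size() &&
            host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0)
            return true;
    }
    return false;
}
```

Keeping the leading dot in the suffix comparison is what stops "evilcompany.com" from matching "*.company.com". A label count alone still lets through wildcards over multi-label public suffixes such as "*.co.uk".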