On 05/15/2018 12:05 AM, Marina Brown wrote:
Remember the campaign against HTML email ? I do. We were right.
The campaign is still ongoing. Maybe we have lost in the case of the
vast majority of marketing/advertising lists, but Thunderbird and other
email clients (thankfully) offer the option to not automatically load
external links by default.
I do think a future version (actually, the next version) of Thunderbird
and/or Enigmail need to put up a big huge "danger" warning when they
detect HTML email mixed with encrypted content, especially when it looks
like someone has tried to put an encrypted blob as the destination of a
link (which as I understand it, is how this exploit works). There's no
good reason to do this, and plenty of bad reasons.
--
Shawn K. Quinn