Exposing email addresses on key servers
Robert J. Hansen
rjh at sixdemonbag.org
Mon Jun 29 14:51:46 CEST 2009
Brad Rogers wrote:
> I beg to differ. By sending HTML emails, it means they're likely to end
> up *receiving* HTML mail because many people's mailer replies "in kind"
> by default, and the users don't alter the default settings.
So what? The bank's already set to either strip out all dangerous HTML
tags or to render as plaintext only. The bank knows it's a target of
attack; it's already taken steps to mitigate its risk profile. Also,
the number of people who communicate with their bank via email is
vanishingly small: many banks outright refuse to deal with customers via
email for reasons of banking secrecy.
The bank has no downside to sending HTML email.
> It doesn't look professional if they are talking about security.
Fine: they lose your vote. But in the course of looking unprofessional
to you, securitywise, they look quite professional to their other
customers, who either don't know or don't care the risks of HTML email.
Computer security geeks are such an insignificant fraction of the
consumer marketplace that for most purposes we may be safely assumed to
not exist at all.
More information about the Gnupg-users
mailing list