A reason not to use browsers for e-mail - e-mail wiretapping (fwd)

Ben Clifford benc at hawaga.org.uk
Thu, 8 Feb 2001 11:26:22 +0000 (/etc/localtime)


On Wed, 7 Feb 2001, Charles Lindsey wrote:

> I think it's a bug (in Javascript or in its implementations). Wasn't
> Javascript meant to make it impossible to cause permanent external
> effects on the computer it was run on, in the same way as Java? Yes,
> I have heard that Javascript is weaker than Java, but it is almost
> impossible to read many web sites without it these days.
> Could this problem arise in Java?
> It is looking like Microsoft Word macros all over again :-( .

Javascript has a data tainting model (at least according to my O'Reilly
"Javascript: the definitive guide" from a few years ago). Whether this is
implemented by IE or still implemented by Netscape, I don't know.

How can you programmatically determine if a downloaded program's actions
are safe or not?

An e-mail message that says "Welcome to Ben's mail service - click here to
upload your address book to your new central account" is not easily
machine-distinguishable from a message that says "Click here to claim your
free five pounds" [which then proceeds to upload your address book on
click]. 

I think that deciding whether data sent out from your computer is
safe to send or not is a "Turing Test" type of decision - a machine that
can make that decision correctly is going to be pretty sentient.

-- 
http://www.hawaga.org.uk/travel/ for my rotating world map applet
http://www.hawaga.org.uk/benc_key.txt PGP / GPG key 0x30F06950 - please use it!