A reason not to use browsers for e-mail - e-mail wiretapping (fwd)

Charles Lindsey <chl at clw.cs.man.ac.uk>
Thu, 8 Feb 2001 20:27:21 +0000 (GMT)


	On Thu, 8 Feb 2001 11:26:22 +0000 (/etc/localtime)
	Ben Clifford <benc@hawaga.org.uk> said...

> JavaScript has a data tainting model (at least according to my O'Reilly
> "JavaScript: The Definitive Guide" from a few years ago). Whether this is
> implemented by IE or still implemented by Netscape, I don't know.

Sorry, what is "data tainting"?
> 
> How can you programmatically determine if a downloaded program's actions
> are safe or not?
> 
> An e-mail message that says "Welcome to Ben's mail service - click here to
> upload your address book to your new central account" is not easily
> machine-distinguishable from a message that says "Click here to claim your
> free five pounds" [which then proceeds to upload your address book on
> click]. 

I think it would be reasonable for a JavaScript implementation, when
obeying a command that caused data to be uploaded, or email sent, to
put up a window saying "the script on the page <http:www.....> that you
are currently viewing wishes to upload/send email/whatever; click here
to proceed". If that comes up when you have just agreed to upload your
address book, or even claim your five pounds, you will likely click
automatically (it depends whether you are willing to trust the site
concerned - with Ben's email probably yes, with free offers of five
pounds maybe no).

BUT if the warning screen comes up when you were just reading some email
that arrived, or when you clicked on some attachment, or when you were
not even viewing a screen at all at the time, then you would likely be
MOST suspicious. That was AIUI the sort of scenario which gave rise to
this thread.


Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email:     chl@clw.cs.man.ac.uk  Web:   http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 436 6131      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9     Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
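
The confirmation step proposed in the message above, sketched as an added example that is not part of the original post or of any browser's code. The names `OutboundGate`, `noteUserGesture` and `request`, the two-second gesture window, the one-action-per-gesture rule and the example origins are all assumptions made for illustration.

```javascript
// Added illustration: a mediator between page scripts and outbound actions.
// All names here (OutboundGate, noteUserGesture, request) are hypothetical.
class OutboundGate {
  // askUser(promptText, context) -> boolean; now() -> milliseconds
  constructor(askUser, now = () => Date.now(), gestureWindowMs = 2000) {
    this.askUser = askUser;
    this.now = now;
    this.gestureWindowMs = gestureWindowMs; // assumed value, not from the post
    this.lastGestureAt = null;
    this.log = [];
  }

  // Called by the host (never by page script) when the user clicks or types.
  noteUserGesture() {
    this.lastGestureAt = this.now();
  }

  // Called when a script tries to upload data or send mail.
  request(origin, action, perform) {
    const solicited = this.lastGestureAt !== null &&
      this.now() - this.lastGestureAt <= this.gestureWindowMs;
    // Assumption: one gesture authorises at most one outbound action.
    this.lastGestureAt = null;
    const prompt = `The script on the page <${origin}> that you are currently ` +
      `viewing wishes to ${action}; click here to proceed` +
      (solicited ? "" : " (you did not just click anything on this page)");
    const allowed = this.askUser(prompt, { origin, action, solicited }) === true;
    this.log.push({ origin, action, solicited, allowed });
    return allowed ? perform() : null; // the action runs only after consent
  }
}

// Constructed scenario: a user who approves only what they just asked for.
function demo() {
  let t = 0;
  const cautiousUser = (_prompt, ctx) => ctx.solicited;
  const gate = new OutboundGate(cautiousUser, () => t);
  gate.noteUserGesture();  // user clicks "upload your address book"
  t = 500;
  const a = gate.request("https://mail.example", "upload your address book", () => "sent");
  t = 600;                 // the script attempts a second, silent send
  const b = gate.request("https://mail.example", "send email", () => "sent");
  t = 60000;               // a message is merely being read, no click at all
  const c = gate.request("https://offers.example", "upload your address book", () => "sent");
  return { results: [a, b, c], log: gate.log };
}
```

The `solicited` flag is what separates the two cases in the message: a prompt that follows the reader's own click, and one that appears while mail is only being read.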