A reason not to use browsers for e-mail - e-mail wiretapping

Ben Clifford <benc at hawaga.org.uk>
Fri, 9 Feb 2001 19:24:12 +0000 (/etc/localtime)


On Thu, 8 Feb 2001, Charles Lindsey wrote:

> > Javascript has a data tainting model (at least according to my O'reilly
> > "Javascript: the definitive guide" from a few years ago. Whether this is
> > implemented by IE or still implemented by Netscape, I don't know.

> Sorry, what is "data tainting"?

The idea is that "private" data is marked somehow as private - this data
is "tainted". Javascript code is not allowed to transmit tainted data
across the network. The taint is supposed to stay no matter how that data
is operated on. 

So if myOS is tainted data, and downloaded code says:

if (myOS == "Windows") windowsUser = true;   // windowsUser is derived from the tainted myOS

then windowsUser is a tainted variable and you can't transmit it.

I have heard nothing about data tainting since I purchased the book
several years ago, so the idea has quite possibly been abandoned.

Contrast this with the Java security model of allowing the code to
transmit any data it can get its hands on, but restricting what data it can
actually get hold of.

> BUT if the warning screen comes up when you were just reading some email
> that arrived, or when you clicked on some attachment, or when you were
> not even viewing a screen at all at the time, then you would likely be
> MOST suspicious. That was AIUI the sort of scenario which gave rise to
> this thread.

You can switch on warning messages in Internet Explorer (and so I presume
also in Outlook Express), however it becomes almost unusable with them all
switched on, so people switch them off.

-- 
http://www.hawaga.org.uk/travel/ for my rotating world map applet
http://www.hawaga.org.uk/benc_key.txt PGP / GPG key 0x30F06950 - please use it!
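A toy model of the data-tainting idea described in the message above, added here as an illustration; it is not Netscape's implementation and not code from the original post. It assumes a wrapper type that carries a taint bit, propagates it through operations (including the implicit flow in the `if (myOS == "Windows") windowsUser = true` case, where the assignment depends on a tainted condition), and refuses to transmit tainted values at a hypothetical `send()` network boundary. Names such as `Tainted`, `select` and `send` are assumptions made for this example.

```javascript
// Toy data-tainting model (added example, not the original post's code).
// A value is wrapped together with a "tainted" flag meaning "private data".
class Tainted {
  constructor(value, tainted) {
    this.value = value;
    this.tainted = tainted;
  }
}

const taint = (v) => new Tainted(v, true);   // private browser/user data
const clean = (v) => new Tainted(v, false);  // public data supplied by the page

// Binary operation: the result is tainted if either operand is tainted.
function op(fn, a, b) {
  return new Tainted(fn(a.value, b.value), a.tainted || b.tainted);
}
const equals = (a, b) => op((x, y) => x === y, a, b);
const concat = (a, b) => op((x, y) => String(x) + String(y), a, b);

// Conditional assignment. The chosen branch depends on the condition, so a
// value picked via a tainted condition is itself tainted (implicit flow):
// this is the "if (myOS == "Windows") windowsUser = true" case.
function select(cond, ifTrue, ifFalse) {
  const chosen = cond.value ? ifTrue : ifFalse;
  return new Tainted(chosen.value, cond.tainted || chosen.tainted);
}

// The network boundary: tainted data is never transmitted, whatever was
// done to it beforehand. Returns true if sent, false if blocked.
function send(dest, data, log) {
  if (data.tainted) {
    log.push(`blocked: attempt to send tainted data to ${dest}`);
    return false;
  }
  log.push(`sent to ${dest}: ${JSON.stringify(data.value)}`);
  return true;
}

// Walk through the scenario from the message with constructed sample data.
function demo() {
  const log = [];
  const myOS = taint("Windows");                 // constructed private value
  const pageTitle = clean("Welcome");            // constructed public value

  // windowsUser = (myOS == "Windows") ? true : false  -> tainted via condition
  const windowsUser = select(equals(myOS, clean("Windows")), clean(true), clean(false));

  const sentDerived = send("example.net", windowsUser, log);          // false: tainted
  const sentPublic = send("example.net", pageTitle, log);             // true: clean
  const sentMixed = send("example.net", concat(pageTitle, myOS), log); // false: taint spreads

  return { windowsUser, sentDerived, sentPublic, sentMixed, log };
}

module.exports = { Tainted, taint, clean, equals, concat, select, send, demo };
```

The point the model makes visible is that the taint bit survives comparison, concatenation and branch-dependent assignment, so the check at `send()` is the only place a policy decision is needed; this is exactly what makes the scheme attractive and also why it is hard to implement fully, since every operation on the value must carry the bit along.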