On 02/03/2021 15:55, Nick Hilliard wrote:
> ned+ietf@xxxxxxxxxxxxxxxxx wrote on 02/03/2021 14:08:
>> And like it or not, outside the IETF the HTML horse left the barn a
>> long time back.
>
> Bear in mind that even within the IETF, plenty of people view the entire
> HTML email debate as flogging the proverbial dead horse, and when it
> rolls around every several months, welcome it in the same way that you
> might welcome an outbreak of cold sores.
>
>> We can choose to deal with or ignore it, but getting
>> it back in the barn is not an option.
>
> Looking at this from a different perspective, in the twenty-something
> years of discussion since Content-Type: text/html first appeared, have
> any actionable and viable suggestions emerged about how to deal with
> html email, other than stripping it off in the archived emails?

Strip it off before sending it out to list subscribers! Perhaps an
option on the subscription for those who want to risk the HTML. I would
leave the HTML in the archive as I have more control over when and how I
access that.

The issue, as I first said, is privacy. I think that the IETF, along with
other parts of the industry, have done a bad job of alerting users to the
potential for evil actors with a variety of protocols. There is a lot
at the moment around me based on an older technology, phones, on the
ability of evil actors to forge the number that appears on caller
display to be that of a trusted organisation, government, financial
institution and so on. There is also the trick that the caller does not
put the phone down so when you call back your trusted institution to
verify the caller, you get the evil actor's mate. And I read that the
bill for this is racking up billions, typically via push-payment fraud.

Here, the idea that opening an e-mail, or letting it be implicitly
opened for you by the system, enables someone to track when and where
you are, via HTML, will, I think, come as a surprise to many and, given
the attention that privacy has garnered in the IETF, that surprise will
be unwelcome. As I said, given all that attention, I remain at a loss
that the IETF does nothing about it, allows it on IETF lists, does not
publish text/html considered harmful. I do not see a way that evil
actors can exploit this for e.g. financial gain, but then, I do not have
the mindset of an evil actor - doubtless they are working on it.

Tom Petch

> Maybe the people who are upset about html email could form a working
> group, take the discussion there and write up an ID with observations
> and recommendations for html emails at the ietf?
>
> Nick
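
A list-side filter of the kind suggested in the reply above (strip the HTML before distribution), as an added example that is not part of the original thread or of any IETF tooling: it lists the remote URLs an HTML-rendering client would request on open and builds a plain-text-only copy for subscribers. The sample message, addresses, placeholder text and function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample: a multipart/alternative post with a 1x1 remote image.
SAMPLE = """\
From: sender@example.org
To: list@example.org
Subject: HTML on the list
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello list.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello list.</p>
<img src="https://tracker.example/open.gif?id=abc123" width="1" height="1">
</body></html>
--b1--
"""

# Attributes that make a rendering client fetch a remote resource on open.
REMOTE_REF = re.compile(r'''(?:src|background)\s*=\s*["']?(https?://[^"'\s>]+)''', re.I)

def parse(raw):
    return message_from_string(raw, policy=policy.default)

def remote_fetches(msg):
    """URLs that opening the message in an HTML-rendering client would request."""
    return [url for part in msg.walk() if part.get_content_type() == "text/html"
            for url in REMOTE_REF.findall(part.get_content())]

def plain_only(msg):
    """Copy for subscribers: selected headers kept, text/plain body only."""
    out = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[name]:
            out[name] = str(msg[name])
    body = msg.get_body(preferencelist=("plain",))
    # Assumption: an HTML-only post gets a placeholder, not a converted body.
    out.set_content(body.get_content() if body is not None
                    else "[HTML-only post; body withheld by list filter]\n")
    return out
```

The original message, HTML part included, can still go to the archive unchanged; only the subscriber copy is rebuilt.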