| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Mar 2006 20:23:12 +0000
From: "Nick Boyce" <nick.boyce@...il.com>
To: "Daniel Veditz" <dveditz@...zio.com>, bugtraq@...urityfocus.com,
security@...illa.org
Subject: Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
On 2/28/06, Daniel Veditz <dveditz@...zio.com> wrote:
> Once a user has pressed the "Show Images" button--not the best label
> since it covers all remote content--that state is stored in the mailbox
> metadata/index file (.msf) and the remote content will then be loaded on
> future viewings.
Hmmm. I didn't realise the "Show Images" setting got stored, and I
don't think that's the best strategy from a privacy point of view. I
take it you mean "stored for that one message", and not "stored for
all messages from that sender", or "stored for all messages" - but
still .... it would be better to not store it at all, IMHO. Users can
always add senders to their Address Book if they want to evade the
"block-images" feature.
How about displaying more option buttons when remote images have been blocked ?
e.g. :
Show remote images this time only
Always show remote images when this message is viewed
Always show remote images from this sender
Always show remote images
Nick Boyce
--
Never fdisk after midnight
Powered by blists - more mailing lists