Re: Which is more secure Outlook or Hotmail?
"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote:
> G'day:
>
> "Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
>
> >> How do you know it's untrusted and HTML without opening the message?
> >
> > Just discard the HTML and let the client display (not interpret!) the
> > text-part only!
>
> So "untrusted" part is kinda redundant, isn't it?

You got it;-) The internet is^Whas become a hostile environment, you
better play safer hex there.

Take a look at the default settings even of recent Microsoft products
like Outlook and Outlook Express (for example): HTML-rendering has been
turned off there! I suspect that MSFT must have had reason to do so.

> > * Can you switch to a text-only view in your browser too?
>
> In all absurdity of suggesting product instead of a practice for security,
> let's all use Lynx!

You but missed the point (and me playing devil's advocate).

BTW: is "use your browser to access a hosted service to read your mail
as replacement for a local MUA" not changing product for practice too?

Does your hosted service offer a setting "show foreign content as text"?
Can you rely on that setting?
That's most often stored in a cookie on the client. You change the client,
access the service from another user account on your own PC, or even
from a public PC in an internet cafe, and the setting is gone.

Or, in more detail: almost all hosted services use DHTML and therefore
need J^HECMAScript enabled in the client's browser. Are you really sure
that the hoster has taken all precautions to filter out ECMAScript in
mails viewed with his service? XSS attacks too? IFrames? Plain HTML?

> > If a hosted service ever gets compromised that might be helpful.-)
>
> No. I have, and I'll continue opening HTML pages wherever I like. Avoiding
> advanced features that are available in modern software is no substitute for
> secure computing.

Not as long as the (wrong) use of these advanced features opens security
holes! See above: the internet is hostile. And Joe Average can't tell the
difference between a website that is susceptible to XSS/phishing and one
which is not.

> > * Can you switch your hosted service to display foreign, untrusted
> > content without any embedded malicious code?
>
> You tell me - can I do that in Hotmail?

Don't know, I've never used Hotmail. But see above. Hotmail is just in
the subject.

> > Don't you use a browser to access Hotmail or other hosted services?
> > Then you'll have to update that browser.
>
> I have mentioned one browser that never required updates because there are
> no (known) vulnerabilities in it. I'm also currently using Symbian browser on
> a Nokia microcomputer. Software that doesn't require updates is here for a
> while now. And hosted services tend to be better maintained from security
> perspective because they are bread and butter for those running them.

As above: can Joe Average tell whether the browser he uses on his gadget
is secure? Or just up-to-date with security patches?
Can he visit his online banking website without fear of phishing?

Maybe you and I (and some more people) can tell, but Joe or his kids just
want to have fun on the net. And when their favorite website with (as
either Steve Riley or Jesper Johansson put it) the "naked dancing pigs"
requires them to enable scripting and plugins/ActiveX, they'll most
probably do so.

So, in short: using a (properly configured and up-to-date) MUA/NUA to read
mail and news is in general more secure for Joe Average.

Stefan
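
The "discard the HTML and display, not interpret, the text part" practice from the message above, as an added example that is not part of the original post: a Python sketch using the standard `email` package. The function name, the fallback marker text and both sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# Constructed sample: multipart/alternative with script in the HTML part.
SAMPLE = (
    b"From: sender@example.org\r\nSubject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Hello, plain text here.\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body><script>alert(1)</script><p>Hello</p></body></html>\r\n"
    b"--b1--\r\n"
)
# Constructed sample: HTML-only message without any text/plain alternative.
HTML_ONLY = (
    b"From: sender@example.org\r\nSubject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<p>Hi</p><script>alert(1)</script>\r\n"
)
# C0 control characters except tab and newline; removing them keeps a
# terminal from interpreting escape sequences embedded in the body.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

def _decode(part) -> str:
    """Decode one leaf part to str, tolerating unknown or broken charsets."""
    try:
        return part.get_content()
    except (LookupError, UnicodeError):
        return (part.get_payload(decode=True) or b"").decode("ascii", "replace")

def text_only_view(raw: bytes) -> str:
    """Return what a text-only reader would display for a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    plain, html = [], []
    for part in msg.walk():
        if part.is_multipart() or part.is_attachment():
            continue  # containers hold no text; attachments are not shown
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain.append(_decode(part))
        elif ctype == "text/html":
            html.append(_decode(part))
    if plain:
        body = "\n".join(plain)  # HTML alternative is dropped entirely
    else:
        # No text part: show the markup as literal characters, never render it.
        body = "[no text/plain part; HTML source shown]\n" + "\n".join(html)
    return _CONTROL.sub("", body)
```

The returned string is meant for a plain-text widget or terminal; passing it to anything that renders HTML defeats the purpose.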