[Pan-users] HTML posting Was: Should "Go Next Watched Article" work?


From: Duncan
Subject: [Pan-users] HTML posting Was: Should "Go Next Watched Article" work?
Date: Fri, 27 Sep 2013 19:53:59 +0000 (UTC)
User-agent: Pan/0.140 (Chocolate Salty Balls; GIT 6e6fd84 /usr/src/portage/src/egit-src/pan2)

manthony-hrKqIoV4s10AvxtiuMwx3w posted on Fri, 27 Sep 2013 06:51:46 -0700
as excerpted:

> I tried your suggestion: View My Messages Only, then View Threads.  It
> kinda works, but involves a lot of mouse clicking.  I like the keyboard
> shortcuts better.  I guess I'll stick with 0.14.2.91 for now.

Of course the mouse clicks can be turned into keyboard shortcuts, since 
pan allows assigning keyboard accels to anything on the menu, but that 
just makes it a lot of keyboard shortcuts instead of a lot of mouse 
clicks.

But I do the keyboard shortcut thing with, for instance, the match only 
unread articles option (assigned to "r" for "read", here), since viewing 
unread-only is my normal mode of operation, but every once in a while I 
need to toggle it off to check a parent post or to look up a thread from a 
month ago to mention elsewhere or to post a link to (since gmane 
conveniently has a web interface link to the post as an added header in 
the message in the news interface).  Then of course I'd have to toggle it 
back afterward.  So I use the function often enough to find a keyboard 
shortcut for it handy indeed! =:^)

> WRT HTML malware, I suppose it's possible, but it seems that you would
> have to have pretty lax defaults for your browser and OS for that to
> really be a serious problem.  I worry more about my email address
> leaking onto the Internet, and being deluged with offers to improve the
> size/function of my reproductive organs.

With email, one of the tricks spammers use to verify an address is 
sending an HTML mail that references an image on their site.  Since they 
had the address in order to send you the spam in the first place but 
just didn't know if it was still valid, they encode it in the query 
string (sometimes as the bare address, sometimes obfuscated) and log the 
requests for that image on their website.  Anyone who opens that mail in 
an HTML-capable mail client (at least one that doesn't have external 
resource fetching turned off for email) now has their email address 
logged as verified!!  This sort of tracker image is called a web bug.

Sometimes (but not always) a web bug is only a 1x1 px transparent gif/png, 
DESIGNED to add nothing to the visual appearance of the page as it's 
invisible and too small to affect spacing much, making its only function 
tracking.  (Of course they can use the same technique for anything else 
requested externally, a CSS file or javascript, for instance, but 
javascript is turned off frequently enough that doesn't work as well, 
unless they're actively fishing for low security readers!  I'm not sure 
how effective CSS web bugs would be compared to images.)   Web bugs are 
commonly used for browser tracking on the web as well, tho in that case 
they don't normally have the email address available, but can still 
correlate IP address and information such as browser used, etc.

In the newsgroups as on the web (but not in email), the email address 
isn't generally available, but web bugs can still be used to measure how 
many views a spam post gets on a particular group, etc, so they can see 
which types of subject headers get people to click in which groups, and 
how many hits they get from each group.  And of course they have the IP 
address that made the request, which they can cross-correlate with other 
information to see what ISP and city it came from, and possibly with 
unrelated browsing, etc.

Web bugs are technically spyware, not malware, but when only malware is 
mentioned, it often includes spyware by implication -- it's still 
tracking not authorized or consented to by the user being tracked, and 
thus is malware in the broader sense.

Fortunately, some HTML capable mail and news clients turn off external 
resource fetching by default, these days, but I wouldn't count on it if 
you don't see the option available, and even then, I wouldn't necessarily 
trust the option due to bugs, etc.

Then of course there's all the java/javascript/flash/etc vulnerabilities 
that have been found over the years.  If your mail/news client is 
treating the message as simple plain text, data, not executable, that's a 
whole class of vulnerabilities, indeed, the majority of browser related 
vulnerabilities, it will not be subject to.  If it's treating messages as 
active HTML, just as it would a web page, and worse, if it's actually 
executing the java/scripting/flash/etc...


Meanwhile, how many non-spam/non-malware messages actually NEED HTML to 
deliver their message effectively?  And for the ones that DO actually 
need it, there's always the ability to post a link to a web page along 
with a description of what the reader can expect to find there, and let 
the READER decide whether it's worth clicking that link, or not.

Thus, it's basically only the spammers and malware posters that NEED HTML 
to hide some of their filter avoidance tricks or to attempt exploits -- 
even if it's as simple as a web bug and won't actually do anything 
horrible to the reader's machine, it's still non-consensual tracking and 
information leakage.  Other than that, the vast majority of users posting 
in HTML simply don't realize the implications of what they are doing, and/
or simply don't care.

This is why some people, often group/list regulars who know the topic 
well and otherwise might provide the best answers, killfile HTML posters 
on sight.  The argument is that at best, they're a technically illiterate 
AOLer type who doesn't know or care about the implications, and it's simply not 
worth the time it takes to even see further messages from them... so they 
arrange not to.

Here, I've seen even people who are normally HTML message averse get 
caught-out unexpectedly posting it, when they're posting from their phone 
or gmail or some client that unfortunately defaults to HTML and they just 
lost their config resetting that to plain-text.  That's yet another 
reason not to choose a mail/news client that even processes HTML in the 
first place -- in addition to the better security on the reader side, you 
won't get caught-out posting it, that way.  Between that and preferring 
to give every poster at least one chance (hey, what can I say, I guess 
I'm a bleeding heart in that regard), I do NOT killfile HTML on sight, 
but I will if someone continues to post in HTML after a warning or two, 
as to me, it's comparable to sliming your hand with snot and then 
offering to shake hands (hey, for all I know that's the custom in some 
weird tribe somewhere!) -- it's EXTREMELY offensive and disrespectful.  
Yet still I prefer to give people that first chance, as for all I know 
they /do/ come from that tribe where sliming one's hand with snot and 
offering to shake hands is the custom.

Of course that doesn't mean I won't make sure I have on my latex gloves, 
a client that doesn't parse HTML at all in this case, before I actually 
/shake/ that offered slimy hand. =:^)

In that context, you can see why I consider HTML such an offense compared 
to top posting.  It's not that top posting is acceptable at all.  It's 
that HTML posts are so horribly unacceptable, that top posting pales in 
comparison.  Sort of like how the Syrians butchering each other isn't 
really acceptable, but is sort of ignored/tolerated, while pulling out 
the chemical weapons is considered an entirely different class of offense!

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
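
The web-bug mechanism described in the message above can be checked for on the receiving side. The following is an added example, not part of the original post: it lists the external resources an HTML mail part would fetch and flags tiny images and URLs carrying the recipient's address, bare or simply obfuscated. The function names, the obfuscation forms checked, and the sample message are assumptions made for illustration.

```python
import base64
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Tag/attribute pairs that make an HTML renderer fetch an external resource.
FETCH_ATTRS = {("img", "src"), ("link", "href"), ("script", "src"), ("iframe", "src")}

class RemoteRefs(HTMLParser):
    """Collect (tag, url, attrs) for every http(s) resource the markup would load."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for t, name in FETCH_ATTRS:
            url = a.get(name) or ""
            if tag == t and urlsplit(url).scheme in ("http", "https"):
                self.refs.append((tag, url, a))

def address_encodings(addr):
    """Bare and simply obfuscated forms an address could take inside a URL."""
    raw = addr.lower().encode()
    return {"bare": addr.lower(), "hex": raw.hex(),
            "base64": base64.urlsafe_b64encode(raw).decode().rstrip("=")}

def find_web_bugs(raw_message, recipient):
    """One finding per external reference in the message's text/html parts."""
    findings = []
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() != "text/html":
            continue
        parser = RemoteRefs()
        parser.feed(part.get_content())
        for tag, url, a in parser.refs:
            tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hay = unquote(url)
            hits = [k for k, v in address_encodings(recipient).items() if v in hay or v in hay.lower()]
            reasons = (["tiny-image"] if tiny else []) + ["address-" + k for k in hits]
            findings.append({"tag": tag, "url": url, "reasons": reasons})
    return findings

# Constructed sample message (not from the original post); hosts are placeholders.
SAMPLE = ("To: reader@example.org\nMIME-Version: 1.0\n"
          "Content-Type: text/html; charset=utf-8\n\n<html><body><p>Hello</p>"
          f'<img src="http://tracker.example/p.gif?u={address_encodings("reader@example.org")["base64"]}"'
          ' width="1" height="1"><img src="cid:logo">'
          '<link rel="stylesheet" href="https://tracker.example/s.css?id=reader%40example.org">'
          "</body></html>\n")
```

Every finding is an external fetch, so an entry with an empty reasons list still reveals the reader's IP address and client when rendered; the reasons only mark the references that additionally look like address verification.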



