Security Request: Fundamentally change the way non-mailto links work

[Kris_88]

you've given me enough information about your philosophy on security

Off-topic:
I'm afraid you have drawn the wrong conclusions. I'm not saying that developers should make trust decisions for the user. I'm saying that mechanisms should be developed that allow the user to safely run programs, open links, etc., regardless of whether the user trusts or does not trust. For example, why does the regular Notepad program have access to all my files, and not just the file that I open? Why is there no isolation of programs from each other and from my data? Programs have too much power, so I have to make decisions about trust. The issue of trust becomes very important, and this could have been avoided.
But this is really offtopic...

[Bilbo47]

clicking links in e-mail in itself is not an insecure or dangerous operation; the danger happens afterwards and invariably by the user's action.

This is a technical distinction that does nothing to help with the problem. The majority of CVEs are in browsers. That's not completely relevant, but...

For example, the current security hole in WebP/VP8, combined with easy MitM attacks via http (not https). There are many ways to chain some vulnerabilities together to achieve malicious effect, and click-auto-open is frequently the first link in the chain "that can be blamed on the user". User-blame is not reasonable when we're talking about normies.

Drive-by downloads and zero-click executions are a real thing.

I filed a BZ bug about abuse of page visits to automatically initiate downloads

Cool. Respect.

should not be a mail client's responsibility.

This security idea should be extended to browsers also, and maybe to anything that is click-navigable. I'm frustrated that anyone would dismiss it so quickly.

[Moonchild]

This is a technical distinction that does nothing to help with the problem.

The distinction is essential, though. It's like saying there's no difference between driving your car on the road and running a red light causing an accident. Technically, you're still driving the car when you run the red light, but the driving itself isn't the problem.

The majority of CVEs are in browsers.

Why? because:

• The vast majority of CVEs are caused by hostile foreign content
• Browsers are the main and often only application loading foreign content as a matter of course
• The web spec is obscenely large and complex and thus has a massive attack surface

Does the fact that it's the largest number of common vulnerabilities say anything about the nature or severity of them? Nope.

click-auto-open is frequently the first link in the chain

To re-use the analogy: starting your car is also the first link in the chain of events leading to an accident. If you never drive, you won't run that red light
As Athenian already pointed out: if you use webmail, there is also click-auto-open on links in e-mails. And in fact, that kind of click is even more hazardous because it is not an isolated URL but involves a full-blown web navigation which send a ton more information to the landing site of that link.

User-blame is not reasonable when we're talking about normies.

User-blame is always reasonable. "Normies" as you so unceremoniously call them still have the responsibility to use their brain when being on the web. If you want to make software that will protect the user from any blame, it by definition cannot be dealing with foreign content you have no control over.
"Normies" will also be suffering from confirmation-fatigue and generally don't care what roadblocks are thrown up because their intent is to visit the link clicked and they will pretty much autopilot through whatever confirmation dialog to make it happen, especially if thrown on every link clicked.

[athenian200]

For example, the current security hole in WebP/VP8, combined with easy MitM attacks via http (not https). There are many ways to chain some vulnerabilities together to achieve malicious effect, and click-auto-open is frequently the first link in the chain "that can be blamed on the user". User-blame is not reasonable when we're talking about normies.

The only reason I feel comfortable publishing Epyrus at all, is precisely because I don't expect people like that to use it. If I'm wrong and they are, then maybe I really shouldn't be distributing a program like this... I really don't think I can make Epyrus safe for normies. If that's an expectation people have, maybe I need to have some kind of warning in the installer that it's intended for advanced users? I don't know.

If I were trying to make something safe for normies, I would rip out half the features of Epyrus, use large icons, and basically make it look like a Fisher Price toy, and basically restrict people from doing anything with it other than the simplest things... in other words, I'd make it like every other e-mail client out there.

[Moonchild]

The only reason I feel comfortable publishing Epyrus at all, is precisely because I don't expect people like that to use it. If I'm wrong and they are, then maybe I really shouldn't be distributing a program like this... I really don't think I can make Epyrus safe for normies. If that's an expectation people have, maybe I need to have some kind of warning in the installer that it's intended for advanced users? I don't know.

I think "Normies" will use Chrome/Edge to use GMail/Outlook.com or other webmail, anyway. They likely wouldn't be using Epyrus, and if they do they are at least willing to learn, is what I think, so......

[frostknight]

The majority of CVEs are in browsers.

Off-topic:
We can all thank the creators of java, javascript for making this a million times worse than it needed to be.

Those are beginner programming languages if I recall and only experts should make code for the open web.

If you need people to code the web, it should be people who can use C programming without making only minor errors. That kind of intelligence would work for making the internet good.

Otherwise its like bringing a patient to a butcher so they can be your doctor. Let's just say, that is going to cause a huge problem.

[moonbat]

We can all thank the creators of java, javascript.

Please don't confuse the two just because they start with the same 4 letters
Java has nothing to do with the end user facing web in browsers; applets were popular for maybe 5 minutes before Flash totally made them irrelevant for dynamic browser content. It is a robust and platform agnostic programming language used primarily on the server side.

[frostknight]

We can all thank the creators of java, javascript.

Please don't confuse the two just because they start with the same 4 letters
Java has nothing to do with the end user facing web in browsers; applets were popular for maybe 5 minutes before Flash totally made them irrelevant for dynamic browser content. It is a robust and platform agnostic programming language used primarily on the server side.

So adobe java was never a security risk?

Last I checked it was?

Maybe I am mistaken?

Also, there was a Log4j vulnerability that affected millions of apps it was discovered on minecraft ironically.

And they kept trying to fix it but it kept staying broken lol.

Not sure if they fixed it completely yet...

[moonbat]

So adobe java was never a security risk?

It has to exist first to be a security risk. There's no such thing as 'Adobe Java'
Sun Microsystems developed Java and later Oracle bought them out. Originally Java was used for applets in the browser and like I said, those never really caught on because Flash was a far superior option. Most people could get by without installing the Java runtime and its associated NPAPI plugin.

[Moonchild]

adobe java

Java was never an Adobe product.

Maybe I am mistaken?

Looks like it! or at least confused about several technologies surrounding web browsers

[frostknight]

adobe java

Java was never an Adobe product.

Maybe I am mistaken?

Looks like it! or at least confused about several technologies surrounding web browsers

Off-topic:

Hmm... well its still a bloated programming language regardless. Nothing good comes from overly-complex scope creep. Devuan and Hyperbola devs have made this more obvious as a fact.

They don't use as much and it functions much more efficiently... so.. yeah.

[frostknight]

So adobe java was never a security risk?

It has to exist first to be a security risk. There's no such thing as 'Adobe Java'
Sun Microsystems developed Java and later Oracle bought them out. Originally Java was used for applets in the browser and like I said, those never really caught on because Flash was a far superior option. Most people could get by without installing the Java runtime and its associated NPAPI plugin.

My bad, I got confused. Yes that is what I was thinking of.

Oracle java... not adobe java.

my fail...

xD

[Kris_88]

However, there is a difference between links on web pages and in emails. Links in the letter are intended for a specific recipient and may be not present on any web pages, that is, automatic services for checking sites for viruses may not see these links and other people will not complain. An attacker may have some specific information about the user’s operating system, his set of programs, etc. In general, a special attitude towards links in letters is quite justified.

[Bilbo47]

The only reason I feel comfortable publishing Epyrus is precisely because I don't expect [normies] to use it. ... I don't think I can make Epyrus safe

Eeep please don't do any dumbing-down The major reason I use Epyrus and other apps around here is precisely because they're aimed at "power users".

[Navigator]

In addition, how would this ever help anyone where the links in an e-mail are click-tracking domains (very common practice)? Those never show the target domain either (and while Epyrus shows a potential scam warning in that case, it's pretty much something everyone ignores these days because notification mails, newsletters etc. etc. all employ statistical trackers these days). How could a user know before navigation whether it's a statistical tracker or a malicious site?

My two cents: I block loading of external content in email and rarely click links. I don't ignore those warnings. Not arguing for this feature though.