[Dshield] Good e-mail client?

Laurent Saplairoles lsaplai at telus.net
Mon Mar 8 01:35:47 GMT 2004



On 6 Mar 2004 at 19:01, Pete Cap wrote:

> Hey everyone.
> 
> Thanks for the tips.  I am going to compare Pegasus and Mozilla for a
> bit.
> 
> As far as promoting the use of "safe" programs...
> 
> Let me head off one argument right away:
> Someone is going to mention that "security through obscurity" is not
> the way to go.  To a certain extent I believe that this is true, and
> that using applications which are not widespread (OpenOffice, free
> mail clients, etc.) in an effort to "dodge" common traps is not a very
> robust solution to security concerns.  To use the biological metaphor,
> malware exists because there is a niche in which it can exist; if we
> promote "safe" software and everyone starts using it, then it would
> only be a matter of time before someone begins finding vulnerabilities
> and so forth.
> 
> However!  ...If I use open-source software there is a good chance that
> any vulnerabilities in the package will be found and will be patched
> long before someone can write exploit code or a worm.  That's the
> great thing about open source--the community makes it strong.  There
> are numerous examples of M$ failing to patch on time when they KNEW
> there were vulnerabilities...I don't need to explore this.
> 
Hi Pete and all,

Thanks for your feedback.

I think that my "idea" is not so much to promote security through obscurity, but rather 
to promote security through multiplicity on the one hand and security through well-designed 
applications, security through the promotion of developers who care about the security 
of their users, on the other hand.

That can be achieved by carefully selecting your vendor, by selecting open source 
software and software that respects international standards.
As you said, Open Source is a good way to go because anyone (with sufficient 
technical skills, i.e. not me) has the possibility of reviewing the code, pointing out and 
correcting vulnerabilities in no time.
Standards compliance is also important because it ensures the interoperability of 
software. SMTP is not a secure protocol at this time. However, it is conceivable that the 
community eventually designs a secure version of SMTP which would ensure privacy, 
confidentiality and limit the dispersion of unsolicited e-mail. In that respect, I think that 
standards play a role equivalent to open source software: a peer review of a process 
and a common decision on how to operate which, thereafter, lets an independent 
developer implement his own software: everyone and anyone will know and 
understand how the software operates and have an idea of the levels of security it 
includes. You know how SMTP works and you know it is not secure. You also know that 
if the software implements SMTP over SSL, then it becomes secure.

If we take the example of e-mail, there are a few different applications around. We know 
that the most widely used ones (namely Outlook and Outlook Express) are also 
amongst the least secure, by design. I stand by that statement as I firmly believe that 
allowing an e-mail application to execute scripts intended for web browsers or to 
download anything other than mail messages without the user's knowledge (web bugs...) 
is inherently unsafe.
Some currently available mail clients will not, by default, download any image from the 
Internet in order to display a message, nor will they execute any kind of script.
I am aware that these are not perfect applications either: they have their own flaws and, 
under enough scrutiny, will probably show some weaknesses. It is probably possible to 
crash any mail program by designing the right (or wrong, should I say) message. But that 
would only be a local denial of service, which should be eliminated by eliminating the 
improper message.

Now, if you remove scripting capabilities, the web browser engine, and the ability to download 
images off web servers from Outlook and OE, then you can suddenly make them 
significantly more secure, although, from what I have seen, more "boring" to use, i.e. less 
feature rich. I think it also kind of kills their use (at least for OE) as full collaboration 
tools. Now, why would anyone (or at least, and more modestly, why would I) want my 
mail client to display a Word document or a spreadsheet? After all, I have a word 
processor and a spreadsheet program installed, let's use them!

As John (Holmblad) said, there are a lot of things to take into consideration, such as 
online collaboration... I work for a small company and I am a consultant for small 
businesses, so certainly my options, and solutions, are different from someone else's.

Nevertheless, and to link back to your original question, Pegasus Mail (for instance, and 
because I know it better) is used by very large corporations and universities across the 
world and by millions of individuals.
Yourself, you are advertising the fact that you want to use the "right" software, probably 
hoping to have a more secure and user friendly experience (I have been focusing my 
post on security but you probably also have other motives to look for a "different" mail 
client).

To conclude, I would repeat that I promote the use of safe software. By safe, I do not 
mean some obscure software that no one has ever heard of. That would be promoting 
security through obscurity. By safe, I mean software which has stood the test of time 
and of the masses, software which is compliant with international standards and, why not, 
open source software (it just happens that I am mostly using closed-source apps on my 
Windows station).

Finally Pete, I am addressing this message to you, but do not see anything personal in 
it. It is only for the sake of the discussion.

If you need guidance with Pegasus Mail, do not hesitate to join the support lists.
Good luck with your testing.

Cheers!

-- 
Laurent
Sic transit gloria mundi...
Arma cedant togae
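The message above argues that a mail client should neither run scripts embedded in a message nor fetch remote images ("web bugs") without the user's knowledge. The following is an added example, not code from the original thread or from any of the mail clients it mentions, showing what that render-side policy looks like in practice: a small sanitizer for HTML mail built on Python's standard `html.parser` that drops active content, strips inline event handlers and unsafe URL schemes, and by default blocks `http(s)` image sources while keeping inline (`cid:`) attachments. The sample message, the tracker host name and the function names are all constructed for the example.

```python
"""Render-side hardening for HTML mail (illustrative example).

Policy, as discussed in the thread: no script execution, no remote fetches
(web bugs) unless the user explicitly opts in, inline attachments still shown.
"""
import re
from dataclasses import dataclass, field
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose tags are dropped; those in DROPPED_WITH_CONTENT also lose their body.
DROPPED_ELEMENTS = {"script", "style", "iframe", "object", "embed", "applet",
                    "link", "meta", "base", "form"}
DROPPED_WITH_CONTENT = {"script", "style", "iframe", "object", "applet"}
URL_ATTRS = {"src", "href", "background", "action", "poster"}
SAFE_LINK_SCHEMES = {"http", "https", "mailto"}


@dataclass
class SanitizeReport:
    """What the sanitizer removed; useful for a 'content blocked' banner or a log line."""
    scripts_removed: int = 0
    remote_images_blocked: int = 0
    event_handlers_stripped: int = 0
    unsafe_urls_stripped: int = 0


class MailHtmlSanitizer(HTMLParser):
    VOID_ELEMENTS = {"br", "hr", "img"}

    def __init__(self, load_remote_images=False):
        super().__init__(convert_charrefs=True)
        self.load_remote_images = load_remote_images
        self.out = []
        self.report = SanitizeReport()
        self._skip_depth = 0  # > 0 while inside an element whose body is discarded

    def _clean_url(self, tag, attr, value):
        """Return the attribute value to emit, or None to drop the attribute."""
        # Collapse whitespace/control characters so "java\nscript:" is not missed.
        compact = re.sub(r"[\s\x00-\x1f]", "", value or "")
        scheme = urlparse(compact).scheme.lower()
        if tag == "img" and attr == "src":
            if scheme in {"cid", "data", ""}:
                return value  # inline attachment, embedded image or relative reference
            if scheme in {"http", "https"}:
                if self.load_remote_images:
                    return value
                self.report.remote_images_blocked += 1  # the classic web bug
                return None
        elif scheme in SAFE_LINK_SCHEMES or scheme == "":
            return value
        self.report.unsafe_urls_stripped += 1  # javascript:, vbscript:, data: on links, ...
        return None

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self._skip_depth += 1
            if tag == "script":
                self.report.scripts_removed += 1
            return
        if self._skip_depth or tag in DROPPED_ELEMENTS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onload, onerror, ...
                self.report.event_handlers_stripped += 1
                continue
            if name == "style":  # CSS can fetch remote resources via url()
                continue
            if name in URL_ATTRS:
                value = self._clean_url(tag, name, value)
                if value is None:
                    continue
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img .../> : never emit a closing tag

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag in DROPPED_ELEMENTS or tag in self.VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) carry nothing worth rendering


def sanitize_mail_html(html, load_remote_images=False):
    """Return (clean_html, report) for one message body."""
    parser = MailHtmlSanitizer(load_remote_images)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.report


# Constructed sample message: one tracking pixel, one inline image, one script, one bad link.
SAMPLE_MESSAGE = """<html><body>
<p>Hello &amp; welcome</p>
<script>document.location='http://tracker.example/collect'</script>
<img src="http://tracker.example/pixel.gif?id=42" width="1" height="1">
<img src="cid:logo@example.invalid" alt="logo">
<a href="javascript:alert(1)" onclick="alert(2)">click</a>
<a href="https://example.invalid/page">safe link</a>
</body></html>"""

if __name__ == "__main__":
    clean, report = sanitize_mail_html(SAMPLE_MESSAGE)
    print(clean)
    print(report)
```

The report object is what a client would turn into the "images were blocked, click to load" bar: remote images are counted rather than silently dropped, and a user who trusts the sender can re-render with `load_remote_images=True`, which is exactly the opt-in the message above asks for.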
