[Dshield] Good e-mail client?
lsaplai at telus.net
Mon Mar 8 01:35:47 GMT 2004
On 6 Mar 2004 at 19:01, Pete Cap wrote:
> Hey everyone.
> Thanks for the tips. I am going to compare Pegasus and Mozilla for a
> As far as promoting the use of "safe" programs...
> Let me head off one argument right away:
> Someone is going to mention that "security through obscurity" is not
> the way to go. To a certain extent I believe that this is true, and
> that using applications which are not widespread (OpenOffice, free
> mail clients, etc.) in an effort to "dodge" common traps is not a very
> robust solution to security concerns. To use the biological metaphor,
> malware exists because there is a niche in which it can exist; if we
> promote "safe" software and everyone starts using it, then it would
> only be a matter of time before someone begins finding vulnerabilities
> and so forth.
> However! ...If I use open-source software there is a good chance that
> any vulnerabilities in the package will be found and will be patched
> long before someone can write exploit code or a worm. That's the
> great thing about open source--the community makes it strong. There
> are numerous examples of M$ failing to patch on time when they KNEW
> there were vulnerabilities...I don't need to explore this.
Hi Pete and all
Thanks for your feedback
I think that my "idea" is not so much as to promote security through obscurity, but rather
to promote security through multiplicity on one hand and security through applications
well designed, security through the promotion of developers who care about the security
of their users, on the other hand.
That can be achieved by carefully selecting your vendor, by selecting open source
software and software that respect international standards.
As you said, Open Source is a good way to go because anyone (with sufficient
technical skills, ie not me) has the possibility of reviewing the code, pointing out and
correcting vulnerabilities in no time.
Standard compliance is also important because it ensures the interoperability of
software. SMTP is not a secure protocol at the time. However, it is conceivable that the
community eventually designs a secure version of SMTP which would ensure privacy,
confidentiality and limit the dispersion of unsolicited e-mail. In that respect, I think that
standards play a role equivalent to open source software: a peer review of a process
and a common decision on how to operate which, thereafter, gives an independent
developer the possibility to implement his own software: everyone and anyone will know and
understand how the software operates and have an idea of the levels of security it
includes. You know how SMTP works and you know it is not secure. You also know that
if the software implements SMTP over SSL, then it becomes secure.
If we take the example of e-mails, there are a few different applications around. We know
that the most widely used ones (namely Outlook and Outlook Express) are also
amongst the least secure, by design. I stand by that statement as I firmly believe that
allowing an e-mail application to execute scripts intended for web browsers or to
download anything other than mail messages without the user's knowledge (web bugs...)
is inherently unsafe.
Some currently available mail clients will not, by default, download any image from the
Internet in order to display a message, nor will they execute any kind of script.
I am aware that these are not perfect applications either: they have their own flaws and,
under enough scrutiny, will probably show some weaknesses. It is probably possible to
crash any mail program by designing the right (or wrong, should I say) message. But that
would only be a local denial of service, which should be eliminated by eliminating the
Now, if you remove scripting capabilities, the web browser engine and the ability to download
images off web servers from Outlook and OE, then you can suddenly make them
significantly more secure, although, from what I have seen, more "boring" to use, ie less
feature rich. I think it also kind of kills their use (at least for OE) as full collaboration
tools. Now, why would anyone (or at least, and more modestly, why would I) want my
mail client to display a Word document or a spreadsheet? After all, I have a word
processor and a spreadsheet program installed, let's use them!
As John (Holmblad) said, there are a lot of things to take into consideration, such as
online collaboration... I work for a small company and I am a consultant for small
businesses, so certainly my options, and solutions, are different from someone else's.
Nevertheless, and to link back to your original question, Pegasus Mail (for instance and
because I know it better) is used by very large corporations and universities across the
World and millions of individuals.
Yourself, you are advertising the fact that you want to use the "right" software, probably
hoping to have a more secure and user friendly experience (I have been focusing my
post on security but you probably also have other motives to look for a "different" mail
To conclude, I would repeat that I promote the use of safe software. By safe, I do not
mean some obscure software that no one has ever heard of. That would be promoting
security through obscurity. By safe, I mean software which has stood the test of time
and masses, software which is compliant with international standards and, why not,
open source software (it just happens that I am mostly using closed-source apps on my
Finally Pete, I am addressing this message to you, but do not see anything personal in
it. It is only for the sake of the discussion.
If you need guidance with Pegasus Mail, do not hesitate to join the support lists.
Good luck with your testing.
Sic transit gloria mundi...
Arma cedant togae