[unisog] antivirus that works despite ssl
brennan at columbia.edu
Mon Jul 9 15:55:27 GMT 2007
power less <absolutelynopower at gmail.com> wrote:
> I'm staying away from
> the word antivirus now. That seems to imply to a lot of people that
> there is A VIRUS, or there isn't. Nothing less than that is a non-issue
> for them apparently.

If this refers to my previous message, it's quite a distortion. My
point was that identifying virus in email is a different thing than
identifying other threats like links in email to bad web pages. If
a given antivirus product found nothing in these messages, that made
sense to me since there was no virus in them.

> There have been a lot of click-free exploits historically often
> particularly some kind of multimedia thing.

Sure. This is the case for not rendering scripts in email--
either use a client that ignores them, or have the server comment
out script tags. The latter is more generally applicable.

I'll propose a more radical idea too: clickable links are bad.
It's pretty easy to click accidentally with a touchpad. In the
threat pages you cited, one "Solution" offered is never to click
on links. If people had to copy and paste into a browser maybe,
just maybe, they'd think for a half second.

Ideally email clients would render only a subset of html needed
to format text. No reading files from the net, no scripts, no

I don't expect these protections to be implemented by popular
software because they go against commercial interests. Gmail is
not going to disable web bugs, or stop making every reference to
a hostname or IP address into a clickable link; advertising is
their only source of income. Outlook is not going to do anything
like that either since the companies buying Exchange want to do

We've been making some efforts here to stop the worst of it, just
using perl code executed by the Mimedefang milter. We disable
scripts by commenting out the tags, for example.

I wonder how much users are ready for. Is anyone actually
following a security "Solution" like telling users never to click
links in mail, or to read mail in plain text?

Lead Email Systems Engineer
Columbia University Information Technology