
I use Thunderbird and keep it set as text only for sending, and remote image loading is disabled by default (as it should be). JavaScript in emails is not loaded or run.



Thanks.

> I use Thunderbird and keep it set as text only for sending

Is that an option for viewing messages? That's where the security risk mostly exists.


View - Message Body As - and then your options are Original HTML, Simple HTML, and plaintext.

Loading of external images is fully disabled by default. You can enable it per-email by clicking as well as per-sender (which I don't personally do or recommend).

Showing as text is mostly unnecessary, though, as Thunderbird does not allow JavaScript or any plugins within messages. As a result, the attack surface is significantly reduced compared to a browser, as most browser-based attacks are via Flash, PDF, Java, JavaScript, etc., in decreasing order of popularity. That wipes out the vulnerabilities used in the vast majority of attacks right off the bat. Thunderbird uses the Gecko engine underneath, which is up to date and version-tied to Firefox ESR, so the engine gets security updates basically same-day as Firefox itself, which is another big point in its favor.



