Community Discussions and Support
Email hyperlink security: Is clicking from within a browser safer?

I have been following the discussion regarding the remote image handling now available in IER 2.6.5.0, specifically the ability to grant permissions that allow images from sources that are different from the sending source (e.g., allowing redirection for image loading). When I think about this, I envision that it mostly pertains to ads and newsletters made up of synopsis/hyperlinks to articles from different sources. I believe that loading these images encourages the clicking of email links. When I managed a multi-user enterprise installation of Pegasus Mail I worked very hard to discourage hyperlink clickers. I did not train users on how to allow remote graphics, instead showing them how to open messages in a browser. I know that things are changing and that I no longer attempt to keep up, so would love to see a discussion today about whether clicking links in emails is any more hazardous than clicking the same links from within a browser. Forget about the convenience factor, just from a security standpoint, do browsers provide any additional security over what IERenderer provides with all of its security options enabled?



Without having done any qualified research on this I would tend to say they have at least a better chance to provide additional security simply because of the amount of skills and resources (both human and financial) they have at their hands. And they have a higher incentive to keep track of recent developments in safety, privacy and security since they are under a lot more public scrutiny than Pegasus Mail ever was (maybe except for the legendary first days of email clients on the Internet).


On the other hand: Since Pegasus Mail has a very small user base it isn't an important target for attacks, but that's definitely a wrong kind of feeling safe, pretty much the same as security by obscurity, which isn't safe either ... In the end it's all still up to the user; for a grotesque sample case you may take a look here (headline: Problems with Multifactor Authentication): https://www.schneier.com/crypto-gram/archives/2021/1115.html#cg7.


			Michael
--
IERenderer's Homepage
PGP Key ID (RSA 2048): 0xC45D831B
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C