joshspankit | 1 year ago
MS decided that they were too advanced and hid them by default, thousands of companies tried to do automagic things instead of pushing for people to understand extensions, and inevitably the automagic stuff introduced exploits that were far worse than that education.
anyfoo|1 year ago
What you need is proper sandboxing of the consuming applications, allowlisting of those applications (instead of “file types” with unspecified client applications), and ideally some type of trust system on top (but we all know how little acceptance stuff like PGP or even S/MIME has).
In other words: It should be safe for people to open any attachment they get. Think about web browsers: Heavy-hitting vulnerabilities aside, almost every web page you visit is safe for consumption by your computer, because of the browser’s security model. Same with iOS apps.
The remaining risk is addressed by provenance/trust.
ethbr1|1 year ago
https://en.m.wikipedia.org/wiki/List_of_file_signatures
adolph|1 year ago
A file name extension is a convenience for human-computer communication but insufficient metadata about a file to process without inspection. Examples include BOM, Exif.
https://stackoverflow.com/questions/2223882/whats-the-differ...
https://www.sciencedirect.com/topics/computer-science/file-s...
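An added example, not code posted by anyone in this thread: a check that compares the type an attachment's file name claims with the type its leading bytes (its file signature) indicate, and treats extensions outside the table as not allowlisted. The signature table is a small subset picked for illustration, and the function names and sample attachments are constructed.

```python
import os

# Leading-byte signatures for a few formats (illustrative subset).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx
    (b"MZ", "pe"),            # Windows executable
    (b"\x7fELF", "elf"),
]

# Content types acceptable for each allowlisted extension.
EXTENSION_TYPES = {
    ".pdf": {"pdf"}, ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".gif": {"gif"}, ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
}

def sniff(data: bytes):
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None

def check_attachment(filename: str, data: bytes) -> str:
    """Return 'match', 'mismatch', or 'unlisted' for one attachment."""
    # Only the final extension counts: "invoice.pdf.exe" claims to be .exe.
    ext = os.path.splitext(filename.lower())[1]
    expected = EXTENSION_TYPES.get(ext)
    if expected is None:
        return "unlisted"     # extension not on the allowlist
    # Every allowlisted type has a signature, so unrecognised bytes
    # (including an empty file) count as a mismatch.
    return "match" if sniff(data) in expected else "mismatch"

# Constructed sample attachments: (file name, first bytes of content).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%constructed"),
    ("photo.jpg", b"MZ\x90\x00constructed"),     # executable header, image name
    ("notes.docx", b"PK\x03\x04constructed"),
    ("invoice.pdf.exe", b"%PDF-1.4\n"),
    ("scan.png", b""),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name:16} {check_attachment(name, head)}")
```

A signature match only says the first bytes are consistent with the claimed type; it does not make the file safe to open, which is where the sandboxing and provenance points in the thread come in.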