Department of Defense Now Blocking HTML Email
oKAMi-InfoSec writes "The Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks, according to an article in Federal Computer Week by Bob Brewin. A spokesman for the Joint Task Force for Global Network Operations (JTF-GNO) claims that this is a response to an increased network threat condition. The network threat condition has risen from Information Condition 5 to Information Condition 4 (also called Infocon 4). InfoCon 5 is normal operating conditions and Infocon 4 comes as a result of 'continuing and sophisticated threats' against DoD Networks. The change to Infocon 4 came in mid-November, after the Naval War College suffered devastating attacks that required their entire system be taken offline, but the JTF-GNO spokesman claims there is no connection."
Reduced bandwidth, less entry vectors, less spam entering mailboxes. I guess the only losers are the people who send those annoying Flash giftcards through email.
~ C.
This I guess will just show my age, but I am soooo OK with this. Email should be just text, period. I personally believe that people should spend more time using complete sentences which includes punctuation and correct capitalization.
I guess I should get back to chiseling my notes on stone slabs now.....
At least then people will know why their email never got through. So many people use HTML email without being aware of it and don't realize that's what makes formatting possible.
Although the focus is on Outlook, it seems like there's an outside chance there may be other clients and web interfaces (namely all of them) that are vulnerable to most of the same problems....
However, stripping HTML would be a better option, as emails are usually sent as text/plain and text/html combined.
Blocking is just too drastic; perhaps IM would be a better option.
But even without Javascript there are still web bugs, image file parsing exploits, and remember what engine is probably parsing the HTML on a Windows client. A "safe" email client is one that disables most of the features of HTML, and unless it's guaranteed to catch everything dangerous then it's safer to prevent HTML in the first place.
Up-to-date patches would mitigate those, but do you think somebody might be saving some zero-days for the DoD?
Put the pictures on a web page and send your friends a link to the web page. I can't stand getting pictures via email. If you must show me a photo of your new kid, put it on a website and send me the link. I still won't look at it, but I'll respond telling you how cute he/she is and we will both feel better. As for bulleted lists,
* what
* the
* hell
* is
* wrong
* with
* asterisks?
Thunderbird is a better solution here? I don't think so. People bad mouth outlook/exchange all the time, especially on /., however, in the case of most large enterprises (DoD especially), t-bird simply doesn't fit the bill. Outlook/Exchange offer so many more features and functions that most larger businesses and corporations use that t-bird doesn't even begin to fit into the same realm.
Do you honestly think the DoD is going to move from a platform which supports every feature they currently utilize (I know, I am in the US Army) to one which doesn't have support for basic things like calendaring, public folders, centralized rules administration, and various other features that simply aren't available in this "better solution"? Thunderbird is not ready for the enterprise, nor will it be anytime soon without support for exchange/domino connectivity.
I am all for using open source, but when it doesn't fit the bill, I am not afraid to say that it won't do the job. Thunderbird is good for home use, but for corporate use (especially in a large entity like the DoD), it's just sub-standard and lacking in the necessary areas. The fact of the matter is that you can't even access an exchange server with T-Bird.
Engineers do it with less resistance
No, not a word processor document, please attach it as a PDF!
If you know how to use HTML, you should know how to be able to write an email without using any HTML.
If you don't know how to use HTML, you shouldn't use it, period.
Once I was a four stone apology. Now I am two separate gorillas.
If the HTML is stripped from the body of the message, that means that the content of the message has changed from the context of the digital signature.
Therefore, the digital signature will no longer reflect the "data" portion of the message and will be invalid.
Because 10% is not spam?
How many people do you really think there are who (1) write HTML messages and (2) even know what digital signing is, much less use it?
I don't see the point of taking security risks and wasting bandwidth on email that "looks nicer." You want a nice looking email, format it as a webpage, and send your friend a link to the web page. Or print it out and stick it in the post box. My email program is instructed to display all email as text only and if it is full of crappy html that isn't filtered out, I hope it wasn't an important email because I deleted it. But I shouldn't have to bother; this junk should be filtered out at the server level and I'm glad the DoD at least recognizes that email security is more important than how nice it looks. I only wish my university would do the same :) Don't get me wrong, I love html, but it's not made for pretty-ing up email. It's made for hyper-text, which email should not be. Most email programs allow you to follow links that are part of an email message pretty easily, so what's wrong with sending the link to your browser?
Wow. Every time I read a comment like the stupid trash you just posted it makes me want to scream DO YOU KNOW WHAT THE FUCK EMAIL IS? Why do Windows users feel it necessary to cram 50 different applications' functions into one super crappy, insecure piece of bloatware and then rave on about how superior it is? Me, personally, I'm using mutt in an enterprise environment because I'm just crazy enough to believe you should read email with, you know, a fucking email client.
Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
I read all my e-mail as "plain text". After all, HTML is plain-text too.
95% of the time that is all you need. Yeah, I can see they marked it italics or bold, but they are the same words.
If, after looking at the "raw" text, and I really think the formatting will convey some additional info, I might look at it as "html". Looking at the raw text gives you a pretty good idea if there is anything sinister about it.
In my experience, most HTML mail that "needs" HTML is junk mail, office jokes and the like.
Real business correspondence works on typed pages and plain text. No HTML needed to get your message across. Oh, but please do use a spell checker.
This issue is a bit more complicated than you think.
Outlook did me the favor the other day of removing the "extra" line breaks, screwing up the already limited formatting I was stuck with. People will get around this by attaching a Word or Excel document. So the bandwidth costs are only temporary, till they figure out how to get back the formatting capability they had. The search function will be severely limited, unless Outlook will search through attachments.
I think forcing plain text is a bit severe. I understand the vulnerabilities of HTML, but allowing a reduced subset of HTML function to provide for text formatting would be a better (as in more useful for the end user) option. If the IT folks are the only ones whose convenience is being considered, I guess plain text is fine, and for that matter we should still be using diskless VT terminals. I don't often use the "threw out the baby with the bathwater" cliche, but I think it fits here. Allowing tables and italics isn't going to kill us.