Slashdot Mirror

← Back to Stories (view on slashdot.org)

Department of Defense Now Blocking HTML Email

Posted by Zonk on from the nuke-them-from-orbit-only-way-to-be-sure dept.

oKAMi-InfoSec writes "The Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks, according to an article in Federal Computer Week by Bob Brewin . A spokesman for the Joint Task Force for Global Network Operations (JTF-GNO) claims that this is a response to an increased network threat condition. The network threat condition has risen from Information Condition 5 to Information Condition 4 (also called Infocon 4). InfoCon 5 is normal operating conditions and Infocon 4 comes as a result of 'continuing and sophisticated threats' against DoD Networks. The change to Infocon 4 came in mid-November, after the Naval War College suffered devastating attacks that required their entire system be taken offline, but the JTF-GNO spokesman claims there is no connection."

9 of 262 comments (clear)

  1. Good call by MostAwesomeDude · · Score: 4, Insightful

    Reduced bandwidth, less entry vectors, less spam entering mailboxes. I guess the only losers are the people who send those annoying Flash giftcards through email.

    --
    ~ C.
  2. As They Should by deKernel · · Score: 5, Insightful

    This I guess will just show my age, but I am soooo OK with this. Email should be just text, period. I personally believe that people should spend more time using complete sentences which includes punctuation and correct capitalization.

    I guess I should get back to chiseling my notes on stone slabs now.....

    1. Re:As They Should by xTantrum · · Score: 3, Insightful

      you know i use to read /. for the interesting perspectives of the fellow geeks on here, but i've given up. I now read it for the comedians. wish i had my mod points.

      --
      $action = empty(PHP) ? backToC() : unset(PHP) ; "when the concrete cases are understood, the abstractions are readily
  3. Re:Stupid by Beryllium+Sphere(tm) · · Score: 4, Insightful

    But even without Javascript there are still web bugs, image file parsing exploits, and remember what engine is probably parsing the HTML on a Windows client. A "safe" email client is one that disables most of the features of HTML, and unless it's guaranteed to catch everything dangerous then it's safer to prevent HTML in the first place.

    Up-to-date patches would mitigate those, but do you think somebody might be saving some zero-days for the DoD?

  4. Re:I like some HTML email by commodoresloat · · Score: 3, Insightful

    Put the pictures on a web page and send your friends a link to the web page. I can't stand getting pictures via email. If you must show me a photo of your new kid, put it on a website and send me the link. I still won't look at it, but I'll respond telling you how cute he/she is and we will both feel better. As for bulleted lists,

    * what
    * the
    * hell
    * is
    * wrong
    * with
    * asterisks?

  5. The HTML determines the rendering. by khasim · · Score: 3, Insightful

    If the HTML is stripped from the body of the message, that means that the content of the message has changed from the context of the digital signature.

    Therefore, the digital signature will no longer reflect the "data" portion of the message and will be invalid.

  6. Re:Doesn't that break digital signing? by emurphy42 · · Score: 3, Insightful

    How many people do you really think there are who (1) write HTML messages and (2) even know what digital signing is, much less use it?

  7. Re:I like some HTML email by commodoresloat · · Score: 3, Insightful

    I don't see the point of taking security risks and wasting bandwidth on email that "looks nicer." You want a nice looking email, format it as a webpage, and send your friend a link to the web page. Or print it out and stick it in the post box. My email program is instructed to display all email as text only and if it is full of crappy html that isn't filtered out, I hope it wasn't an important email because I deleted it. But I shouldn't have to bother; this junk should be filtered out at the server level and I'm glad the DoD at least recognizes that email security is more important than how nice it looks. I only wish my university would do the same :) Don't get me wrong, I love html, but it's not made for pretty-ing up email. It's made for hyper-text, which email should not be. Most email programs allow you to follow links that are part of an email message pretty easily, so what's wrong with sending the link to your browser?

  8. Re:Stupid by kernelpanicked · · Score: 3, Insightful

    Wow. Everytime I read a comment like the stupid trash you just posted it makes me want to scream DO YOU KNOW WHAT THE FUCK EMAIL IS? Why do Windows users feel it necessary to cram 50 different applications' functions into one super crappy, insecure piece of bloatware and then rave on about how superior it is? Me, personally, I'm using mutt in an enterprise environment because I'm just crazy enough to believe you should read email with, you know, a fucking email client.

    --
    Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it