Slashdot Mirror


The Only Safe Email is Text-Only Email (theconversation.com)

Sergey Bratus, Research Associate Professor of Computer Science, Dartmouth College, and Anna Shubina, Post-doctoral Associate in Computer Science, Dartmouth College write: The real issue is that today's web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It's not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way. Simply put, safe email is plain-text email -- showing only the plain words of the message exactly as they arrived, without embedded links or images. Webmail is convenient for advertisers (and lets you write good-looking emails with images and nice fonts), but carries with it unnecessary -- and serious -- danger, because a webpage (or an email) can easily show one thing but do another. Returning email to its origins in plain text may seem radical, but it provides radically better security. Even the federal government's top cybersecurity experts have come to the startling, but important, conclusion that any person, organization or government serious about web security should return to plain-text email (PDF).

174 comments

  1. D'oh by Anonymous Coward · · Score: 5, Funny

    When you try to sound sincere but link to a PDF!

    1. Re:D'oh by Anonymous Coward · · Score: 0

      Check out the
      article.exe

    2. Re:D'oh by Z00L00K · · Score: 1

      I can't open PDFs in Elm or Lynx.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:D'oh by Darinbob · · Score: 2

      Person Who Uses Plain Text and 13 Other Crazy People We Found. Click here to learn more...

  2. Want to know why? Read the PDF! by Anonymous Coward · · Score: 5, Funny

    "...should return to plain-text email (PDF)."

    That's hilarious.

    1. Re:Want to know why? Read the PDF! by Anonymous Coward · · Score: 1

      I was going to say that I came here to say this (verbatim). But then I realized that I did.

  3. Text-only Email safe? by Anonymous Coward · · Score: 1

    What about spoofing and social engineering?

    1. Re:Text-only Email safe? by fustakrakich · · Score: 1

      Heh... What about unicode ?

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Text-only Email safe? by unixisc · · Score: 1

      I was wondering that as well. What if someone wants to include emojis in the message, which are now pretty mainstream?

    3. Re:Text-only Email safe? by teaman2000 · · Score: 1

      Theoretically a text-only reader should include unicode, right?

    4. Re:Text-only Email safe? by fustakrakich · · Score: 1

      I'm not sure if a text reader should even include extended ASCII. I mean, why take the chance?

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Text-only Email safe? by mspohr · · Score: 1

      Emojis are stupid

      --
      I don't read your sig. Why are you reading mine?
    6. Re: Text-only Email safe? by Anonymous Coward · · Score: 0

      Fuck everyone who doesn't use a Latin alphabet. Let's go back to the dark ages!

    7. Re: Text-only Email safe? by fustakrakich · · Score: 1

      There's always the code page...

      --
      “He’s not deformed, he’s just drunk!”
    8. Re:Text-only Email safe? by hord · · Score: 3, Informative

      I have no problem rendering unicode on my terminals. Unicode doesn't have to do with text/binary. It has to do with font support. Either you need a console font that supports the code points you use or whatever set of X/gui fonts for your graphical terminals.

      As an example of this, I just downloaded Homer's Iliad and Odyssey in the original Greek encoded as UTF-8. I can edit the files in vim just fine and dumping them to my terminal works as well. You can pull one up here:

      http://carbon.cc/~jhord/Homer/...

      If that works you have plain-text unicode support in your browser.

    9. Re:Text-only Email safe? by nickersonm · · Score: 1

      Then I just see gibberish unless they use proper emoticons instead of emojis.

    10. Re:Text-only Email safe? by skids · · Score: 1

      I have no problem rendering unicode on my terminals. Unicode doesn't have to do with text/binary.

      While it isn't the hugest challenge in security, unicode at the string level is not easy to get right. You have to do the right thing at the ends of strings when hanging combining codepoints are present. And just recently, suddenly a standard change allows certain combiners to appear before their target base character rather than after. Tons of combiners can be piled up on a character. There are plenty of icky corners where bad code could crash the stack on a poor implementation. There are 4 times as many whitespace characters, text that has different column directions, weird newline and hyphenation rules... just tons of detail-oriented work.

      As an example, check out the Perl6 test suite sections that deal with unicode... not even including a bunch scattered around in other areas of the test suite.

      (Really, email itself needs to just die... there just aren't any viable replacements... it's all corporate walled gardens or fractious gaggles of underfueled attempts at distributed social networking. Turtles all the way down.)

    11. Re:Text-only Email safe? by hey! · · Score: 2

      Well, what about unicode?

      The biggest unicode concern I know about is spoofing. With text messages I guess you'd have the risk that people will respond to an email address that isn't who they think it is, or copy and paste a URL that doesn't take them where they expect to go. This vulnerability isn't any worse with text rather than HTML mail.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    12. Re:Text-only Email safe? by Darinbob · · Score: 1

      Homer clearly doesn't know how to communicate effectively, I see no emojis at all in that page! Homer also needs to learn about how to get advertising sponsors, as that page was eerily free of advertisements for Trojan products.

    13. Re:Text-only Email safe? by Anonymous Coward · · Score: 0

      Wanna see stupid? Here 'ya go: http://kimatv.com/live/portraits-of-citizens-of-yakima-will-be-on-display-in-downtown

    14. Re:Text-only Email safe? by Anonymous Coward · · Score: 0

      The problem with HTML emails is that even if you reduce it to a "safe subset" to eliminate the obvious vulnerabilities (excluding Javascript for starters, and refusing to show external content inline), image decoding is a complex operation prone to bugs in the libraries implementing it that can be exploited. Some unicode character ranges also require pretty complex processing, and the libraries implementing it could also be prone to bugs that can be exploited (eg CVE-2017-8528, CVE-2017-7867, CVE-2016-2052).

      So while it should be pretty safe to allow Western, and even CJK characters through, some of the Indian and Arabic scripts could be problematic (but can you really tell 2 billion people they can't use their native language in email because there might be a problem that hasn't been publicly disclosed yet?)

    15. Re:Text-only Email safe? by stooo · · Score: 1

      Text email also has a header.
      This means there are vulnerable parsers in the server and client software.

      --
      aaaaaaa
    16. Re:Text-only Email safe? by unixisc · · Score: 1

      They are invaluable in Twitter, due to the 140 character limit. Of course, one could credibly say that Twitter is stupid.

  4. And the only safe encoding by RightwingNutjob · · Score: 1, Funny

    is ASCII.

    Also: go ahead, explain to me why it is that my computer needs to have a turd glyph stored on it.

    1. Re:And the only safe encoding by Anonymous Coward · · Score: 0

      UTF is great... for fooling content based spam filters.

    2. Re:And the only safe encoding by Anonymous Coward · · Score: 3, Funny

      is ASCII.

      Also: go ahead, explain to me why it is that my computer needs to have a turd glyph stored on it.

      Because Stargates can't connect without a point of origin.

    3. Re:And the only safe encoding by Anonymous Coward · · Score: 0

      Also: go ahead, explain to me why it is that my computer needs to have a turd glyph stored on it.

      Because it's funny.

    4. Re:And the only safe encoding by unixisc · · Score: 1

      Why not Unicode? Especially when all the major platforms support a variety of languages using Unicode conventions! Everyone's not Slashdot!

    5. Re:And the only safe encoding by Anonymous Coward · · Score: 0

      > Why not Unicode?

      It sounds like the original article went over your head.

      Allowing unicode brings in a layer making it difficult to tell what bytes are before you. With ascii, it is very obvious what the bytes are. With unicode, it is very much the opposite. Work with composing characters and alternate forms for a while, if you never have, and you will rapidly realize that it is nothing like ascii in terms of visual reliability and safety.

    6. Re:And the only safe encoding by toejam13 · · Score: 2

      And the only safe encoding is ASCII.

      Then you go back to the dark days of code pages, which were their own headache, especially with eastern languages.

      It wouldn't be difficult to have a program highlight text that comes from another Unicode alphanumeric language block than your own. That way if someone tries to use similar looking characters, you'd have some notice. Also, it wouldn't be difficult to blacklist Unicode blocks, like the ones used for symbols. That would eliminate the emoticon issue.

    7. Re:And the only safe encoding by Anonymous Coward · · Score: 0

      Only goes to show the uselessness of "bad word" based content filters. Unicode or not - let them die. Every "bad word" on any "list" has legitimate uses as well as the more common "bad" use cases.

    8. Re:And the only safe encoding by Anonymous Coward · · Score: 0

      And there is no real safety problem with unicode in email. Sure, I can replace all the 'a's in this message with cyrillic 'a's. It reads the same but using a different character. And that does not matter when there are no URLs around because we're talking about text-only mail - not html.

      Unicode text-only mail is harmless too. You need URLs/html to have a security problem. Ditch that, and you're fine.
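      As an added example (not code from any commenter), the highlighting toejam13 describes above, applied to the Cyrillic-'a' substitution the previous comment mentions: it finds the dominant script of a plain-text message, flags letters from any other script, mixed-script words, symbol-block characters such as emoji, and invisible format characters. It uses only the Python standard library; deriving a letter's script from the first word of its Unicode name is a heuristic I am assuming here, because unicodedata does not expose the Unicode Script property.

```python
import unicodedata
from collections import Counter

# Heuristic (an assumption of this example): the script of a letter is the
# first word of its Unicode character name, e.g. "CYRILLIC SMALL LETTER A" ->
# "CYRILLIC", "LATIN SMALL LETTER A" -> "LATIN". This misclassifies a few
# names ("FULLWIDTH LATIN ...", "MATHEMATICAL ..."), which is acceptable for
# a highlighter whose job is to draw the reader's eye, not to block mail.


def letter_script(ch):
    """Return the (heuristic) script of a letter, or None for non-letters."""
    if not unicodedata.category(ch).startswith("L"):
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def dominant_script(text):
    """The script that contributes the most letters to the text, or None."""
    counts = Counter(s for s in map(letter_script, text) if s)
    return counts.most_common(1)[0][0] if counts else None


def analyze(text):
    """Return (dominant_script, findings).

    Each finding is (index, char, kind, detail) where kind is one of:
      "script" - a letter from a script other than the dominant one
      "symbol" - general category So (emoji, dingbats, other symbols)
      "format" - general category Cf (zero-width joiners, bidi overrides)
    Text written entirely in one non-Latin script produces no findings.
    """
    dominant = dominant_script(text)
    findings = []
    for i, ch in enumerate(text):
        script = letter_script(ch)
        cat = unicodedata.category(ch)
        if script and script != dominant:
            findings.append((i, ch, "script", script))
        elif cat == "So":
            findings.append((i, ch, "symbol", unicodedata.name(ch, "?")))
        elif cat == "Cf":
            findings.append((i, ch, "format", unicodedata.name(ch, "?")))
    return dominant, findings


def mixed_script_words(text):
    """Words whose letters come from more than one script.

    A single word mixing scripts (r<Cyrillic e>view) is a much stronger
    homoglyph signal than a sentence that merely quotes a Greek phrase.
    """
    result = []
    for word in text.split():
        scripts = {s for s in map(letter_script, word) if s}
        if len(scripts) > 1:
            result.append(word)
    return result


def annotate(text):
    """Plain-text rendering: wrap every flagged character as [ch U+XXXX]."""
    _, findings = analyze(text)
    flagged = {i for i, _, _, _ in findings}
    return "".join(
        f"[{ch} U+{ord(ch):04X}]" if i in flagged else ch
        for i, ch in enumerate(text)
    )


# Constructed sample: Latin text with a Cyrillic 'ie' (U+0435) and a Cyrillic
# 'a' (U+0430) swapped in, plus an emoji at the end.
SAMPLE = "Please r\u0435view the \u0430ttached invoice \U0001F642"

if __name__ == "__main__":
    dominant, findings = analyze(SAMPLE)
    print("dominant script:", dominant)
    for i, ch, kind, detail in findings:
        print(f"  pos {i:2d} {kind:6s} U+{ord(ch):04X} {detail}")
    print("mixed-script words:", mixed_script_words(SAMPLE))
    print(annotate(SAMPLE))
```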

    9. Re:And the only safe encoding by Anonymous Coward · · Score: 2, Interesting

      Perfectly safe:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      Anatomy of the EICAR Antivirus Test File--this is actually an interesting read.

  5. Well...duh... by evolutionary · · Score: 4, Insightful

    We all know that embedded codes for dynamic engines in your OS or even the program reading the messages is just an invitation for trouble.

    Microsoft led the way with VBScript in Outlook. ("I luv you" too...), then as marketing people wanted to decorate with fancy email signatures we started embedding HTML/Javascript, leading to clever tracking on web servers and javascript routines. The worst part is the default for email clients and web clients is all HTML/Javascript.

    We need the default on all email stuff to be text only for our own protection as well as the general health of cyberspace.

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:Well...duh... by Anonymous Coward · · Score: 1

      We need the default on all email stuff to be text only for our own protection as well as the general health of cyberspace.

      Just as importantly, we have to undo the BS of having browsers by default run any damned 3rd party script it comes along.

      I don't care if you pull in code from someone else, and I don't care if you have ads, and I don't care if you have trackers who are telling you how good your marketing campaign is. Visiting a site doesn't mean I've consented to every 3rd party asshole that site uses to track me.

      I use things like HTTP Switchboard, ScriptSafe, and other things which allow me to block entire domains. My browsers are white-list only, meaning all of the ads, parasites, trackers, analytics .. they can all go fuck themselves because my browsers won't make requests to them, and sure as hell won't run their damned scripts.

      The internet has been co-opted by ad and analytic companies who routinely demonstrate they are incapable of caring about our security or respecting our privacy.

      The only way forward is to get past this idiotic notion that we should just allow any old site to set cookies, run scripts, run plugins (which themselves are often steaming piles of shit in terms of security), or even be told we visited a site. Cross-site scripting is dangerous, but every website builds itself in such a way as to require you run your browser in the most promiscuous and dangerous setting. And there's no way in hell an email client should be running javascript or loading a beacon from a company to let them know I've opened their email.

      Until blocking 3rd party stuff is the default, the only way to have any confidence is to install your own blockers. The problem is most people don't know how to do that or can't be bothered -- or are on mobile where you have far less access to blockers because the whole platform is basically geared around ads and other bullshit.

      Round up all of the marketing people fucking up the internet, kill them quite publicly, and start making the browsers secure by default.

      As it stands now, too much of the technology is beholden to the ad companies, so you get Mozilla doing bullshit like easing off on blocking stuff, and Google refusing to let us do per-app permissions as we see fit.

    2. Re:Well...duh... by evolutionary · · Score: 1

      Well said, if a bit extreme. If not for the "Stressed" suggestions for marketing, I'd give you points if I had them. You have valid points, but perhaps express them a little too vividly.

      --
      "Imagination is more important than knowledge" - Einstein
    3. Re:Well...duh... by angel'o'sphere · · Score: 1

      The default setting on OS X and now macOS is:
      ta tam!
      Text only.

      Thanx for trolling.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    4. Re:Well...duh... by Anonymous Coward · · Score: 0

      I'd agree with everything except the "kill" part (although I hope that one was figurative, I think there are images we should try not to use too often).

    5. Re:Well...duh... by RockDoctor · · Score: 1

      Round up all of the marketing people fucking up the internet, kill them quite publicly,

      Oh definitely no. Not death. Death is far too good for them. Serious, unrelenting, untreatable pain combined with utter social humiliation. For starters. While the psychopaths get to work on the long-term punishments.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  6. Oh the irony by Apotekaren · · Score: 5, Insightful

    So we should go back to Text-Only email for security reasons, and more information can be found in this totally safe PDF?

    --
    She: Hey, are you a traitor? Me: No, I'm atheist.
    1. Re:Oh the irony by thegarbz · · Score: 1

      Yeah why use PDF? Maybe it's because page layout is a powerful tool for presenting text and graphics in a way to provide additional clarity and meaning to a message. The idea of going to text only email is horrid and I cringe every time I see one.

    2. Re:Oh the irony by nine-times · · Score: 3, Insightful

      It seems to me that these things, in that we could really use a display format that can't actively do anything. For example, it should be possible to develop a safe subset of HTML that allows some basic formatting, but doesn't provide features that can create security holes. Similarly with PDF, we should be able to create a safe PDF format, and then set PDF viewers to only allow that form of PDF.

      But no, that's not good enough. We need PDFs that can run Javascript and embed movies. For some reason.

    3. Re:Oh the irony by Anonymous Coward · · Score: 2, Interesting

      Like markdown?

    4. Re:Oh the irony by Anonymous Coward · · Score: 0

      PDF == Proprietary Document Format

    5. Re:Oh the irony by Anonymous Coward · · Score: 0

      HTML is already a "safe subset" of itself; HTML is merely a markup language. You don't need to implement the DOM or Javascript, especially in an email client.

      The problem is, as it has always been, that there are bugs in software that renders HTML.

      There have been exploitable bugs in JPEG decoders, PNG decoders, TIFF decoders, GIF decoders, even BMP decoders, BMP being the most braindead simple of image formats: would you say that we need a "safe subset" of image formats?

      There have been exploitable bugs in text editors. Would you say that we need a "safe subset" of plain text?

      It's possible to have bugs in any language, for software decoding any format.

      Features don't make for security holes; bad implementations make for security holes, as demonstrated there are bugs in even the simplest, most featureless formats. What you need is better testing.

      Sure, every feature multiplies the number of tests, but it's possible to write those tests, if you insist on it, and it's also possible to blow off testing entirely, even if what you've written is simple and featureless, and still have exploitable security holes.

      Features, complexity, are not the root cause of security flaws, failing to bring a commensurate amount of testing and rigor is the root cause. Going back to the good old days of less featureful software is not going to fix a damn thing.

  7. Oh the irony! by Anonymous Coward · · Score: 0

    The government claims we should only use plain text email. And to tell us this, they use a PDF.

  8. Mutt all the way, baby! by Anonymous Coward · · Score: 1

    Oh yeah! Mutt all the way, baby!

    1. Re:Mutt all the way, baby! by Anonymous Coward · · Score: 0

      I've been reading email in plain text since 1993. I used Pine until 2007, and then I switched to Mutt. (I switched during the brief period after Pine was discontinued, and before Alpine 1.0 was released.)

      Mutt is an excellent plain text email reader. And if I need to read an HTML email message, I can still pipe the message to lynx (a plain text browser without images or javascript).

    2. Re:Mutt all the way, baby! by Anonymous Coward · · Score: 0

      elm is better....

    3. Re:Mutt all the way, baby! by eneville · · Score: 1

      This. Can't sing praise of mutt enough. No bugs, just fleas :)

      I once worked in an environment where we could choose our own mailer, most of us chose mutt. It's hellish fast with header caching. Starts up in subseconds, unlike outlook which I'm now forced to use at a different job. Still, work forces get to drink more tea when waiting for outlook to do things. Sounds nice, but think of the burden the extra kettle cycles place on the power grid.

    4. Re:Mutt all the way, baby! by Anonymous Coward · · Score: 0

      Actually here at work we did have our own mail system. Then it was outsourced in June so most people now read their mail through a browser.
      I was using mutt and this became impossible or at least very annoying with the new system (and slow).
      Now I use fetchmail to get the messages from the server to my (work) laptop, and use mutt on the laptop: very fast (SSD).
      I also regularly backup all my mail folders to a local server, just in case.

  9. Comment Subject by Falos · · Score: 1

    It's on by default, not just for the "market" but for users too, because we need to be able to see emojis and an image macro of a "minion" who doesn't like Mondays.

    LessthansymbolSarcasmclosetagGreaterthansymbol

    Exceptions don't make the rule, rendering email should be a toggle for the cases you need it. If any. An "always on" opt-in would be fine, user-elected consequences. If you're scared of people asking where the emoji are, just have one of those "Media content detected, may not render in safety-mode, click here to change?" or whatever float above.

  10. Disable embedded images? by ilsaloving · · Score: 4, Insightful

    I've always configured all my email clients to not autodownload linked images unless I specifically want them. This blocks trackers and such, but if people start embedding javascript in email, then that doesn't help much.

    1. Re:Disable embedded images? by jbmartin6 · · Score: 1

      IN Outlook at least, javascript is disabled by default

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  11. RTF email by OrangeTide · · Score: 2

    The Rich Text Format from back in the 20th century does not support macros and there are no known exploits for it in the last 18 years. The only time people run into issues is when a Microsoft Word document (.doc or .docx) is renamed to .rtf and loaded erroneously. But with e-mail the MIME types and integrated viewer and editor would avoid that file extension hole. (that same hole would exist for .txt if MS Office were the default program for that extension, mostly that's just Office being terrible)

    Theoretically a safe subset of HTML is possible, but nobody wants to maintain some subset parser with no standard. (standard might be as simple as HTML3.2 without JavaScript or IMG tags to external sites). Perhaps W3C or others should create an HTML profile for safe email.

    Myself I'd rather have the sender render and encode a high-resolution bitmap file which compresses bilevel images very well allowing for high resolution (like DjVu format). And tag the image with a plain-text section for screen readers, search and OCR to deal with. You get perfect typesetting and good illustration for your email, with far less complexity of dealing with HTML or RTF layout, font differences between systems, etc. (again my example sucks because nobody standardized it)

    --
    “Common sense is not so common.” — Voltaire
    1. Re:RTF email by Obfuscant · · Score: 3, Interesting

      The only time people run into issues is when a Microsoft Word document (.doc or .docx) is renamed to .rtf and loaded erroneously.

      No, consider the wonderful "winmail.dat", which MS claims exists solely to protect RTF formatting for email. (It's actually what all poorly configured MS email clients send when they do attachments -- a tautology.)

      And it's what poorly educated people send even after they've been told that their attachment is unreadable. It can't be THEIR fault, THEY can read it.

      I've now officially given up on trying to get the information out of someone who sends winmail.dat attachments. I had one two days ago where I had to extract the attachment, copy it to a Linux system, install "tnef" (a package to deal with such crap), decode the winmail.dat, and then copy the resulting .doc file to another system where it could be read. And it turned out to be one page of text. A complete waste of time.

      Myself I'd rather have the sender render and encode a high-resolution bitmap file which compresses bilevel images very well allowing for high resolution (like DjVu format).

      How about if you can't say it without red flashing italic large fonts you just don't bother saying it at all? Simple text conveys a lot of information simply. You don't need a .doc or .pdf to convey one page of text.

      And tag the image with a plain-text section for screen readers, search and OCR to deal with.

      Once you've devolved into drawing pictures instead of using words, it is very hard to convey in words what the picture does. A "plain text section" that says "a diagram of what I'm talking about" is pretty meaningless. I've had to deal with this kind of thing for years on a website that I run. It has tons of images, all generated automatically. The "alt text" links cannot be generated that way, so they are all "an image".

      Short story: if you can encapsulate the content of your image in a "plain-text section", JUST SEND THE PLAIN TEXT. You don't need the image after all, now do you?

    2. Re:RTF email by Anonymous Coward · · Score: 0

      Theoretically a safe subset of HTML is possible, but nobody wants to maintain some subset parser with no standard.

      Google is doing something like this for "Accelerated Mobile Pages".

    3. Re:RTF email by Kaenneth · · Score: 1
    4. Re:RTF email by Anonymous Coward · · Score: 0

      This is the only working solution i've found for winmail.dat :
      http://www.eolsoft.com/freeware/winmail_opener/

    5. Re:RTF email by Anonymous Coward · · Score: 0

      There is already a rich text format for email dating back to 1992. It has nothing to do with Microsoft's format.

      https://en.wikipedia.org/wiki/...

    6. Re:RTF email by OrangeTide · · Score: 1

      How about if you can't say it without red flashing italic large fonts you just don't bother saying it at all? Simple text conveys a lot of information simply. You don't need a .doc or .pdf to convey one page of text.

      I think it is reasonable that I want to underline or highlight parts of log files, or other technical information in order to provide context to the discussion. Tools like email should be expressive enough, rather than limiting everyone to the lowest common denominator.

      Short story: if you can encapsulate the content of your image in a "plain-text section", JUST SEND THE PLAIN TEXT. You don't need the image after all, now do you?

      Diagrams, drawings and photographs are pretty vital in many day to day communications. Want the gardener to trim back a certain hedge? Take a photo and draw a circle around the offending hedge. You perhaps grossly overestimate the language skills of average people. Perhaps if everyone using email were college educated this wouldn't be a problem, but we might have to go to some extreme like providing free college for a few generations for yours to be a reliable assumption.

      --
      “Common sense is not so common.” — Voltaire
    7. Re:RTF email by OrangeTide · · Score: 1

      Microsoft RTF goes back to 1987. I agree that some open standard would be better, but unfortunately RFC 1896 was not widely adopted. My non-MS environment creates and reads RTF documents and emails just fine. And it was a common format in the NeXTstep/OpenStep days. But seriously, I'm not interested in spending too much time bike-shedding this.

      --
      “Common sense is not so common.” — Voltaire
    8. Re:RTF email by Obfuscant · · Score: 2

      Short story: if you can encapsulate the content of your image in a "plain-text section", JUST SEND THE PLAIN TEXT. You don't need the image after all, now do you?

      Diagrams, drawings and photographs are pretty vital in many day to day communications.

      "If" was a critical word in what I wrote. I highlighted it in the quote. You do realize that you can still have plain text email and include images, don't you? They don't have to be inlined to be useful.

      for yours to be a reliable assumption.

      You're right, for clearly the definition of "if" escapes many people.

    9. Re:RTF email by OrangeTide · · Score: 1

      The Rich Text Format from back in the 20th century

      The version of RTF I linked does not support OLE, so your CVE is not effective. Nice try though.

      --
      “Common sense is not so common.” — Voltaire
    10. Re:RTF email by OrangeTide · · Score: 1

      You do realize that you can still have plain text email and include images, don't you? They don't have to be inlined to be useful.

      I don't find attachments as useful as information that is well presented in context. Perhaps your verbal skills are above average, or at least better than my own, and you find text to be sufficient for anything you might wish to communicate.

      --
      “Common sense is not so common.” — Voltaire
  12. emacs vm by Anonymous Coward · · Score: 0

    ftw.

  13. Common Sense by Anonymous Coward · · Score: 0

    It's well-known that advertisers use the images in their emails to track who does and doesn't read them.
    For that reason, I always block images in my email client. 99% of the time the images are unimportant. If I want images I will visit your web site.

    Email was never intended for viewing of web content, it should be for text-based correspondence only.

    1. Re:Common Sense by OrangeTide · · Score: 2

      Advertisers are doing me a favor by sending emails crammed full of tracking images. It is so easy to send these kinds of emails to the junk folder with a simple filter.

      If I could filter my physical mail based on the color and texture of the paper I would cut out most of the junk mail. (and maybe toss out some of the semi-junk correspondence from businesses I use, hardly a flaw in this plan)

      But really, I don't think it is valid to argue on what Email was "intended" for when it's changed so much in the four decades. The users ultimately get to determine what Email is really for and how it should be used, and not the long retired designers. Unfortunately "users" includes spammers, who exert more influence on how Email is used than they deserve.

      --
      “Common sense is not so common.” — Voltaire
  14. Article summary is misleading by Anonymous Coward · · Score: 0

    There is a setting in Outlook called "Read all mail as plain text". A separate one for composing New messages as well. I'm no M$ fan but Outlook is pretty good, if you work at a large organization there is nothing better for email+calendaring.

    Wake me up when Mozilla Thunderbird can schedule conference rooms and add GoToMeeting details automatically.

    1. Re:Article summary is misleading by Anonymous Coward · · Score: 0

      Finally someone who will slumber until the end of time!
      captcha: INHIBITS

    2. Re:Article summary is misleading by evolutionary · · Score: 1

      Problem is it's not default. And without that being default, it is a vulnerability as most people don't change their default as is well known and often exploited by MS to comply with laws while effectively circumventing them. MS Office is a classic example: You can set save file defaults, to something other than MSOOXML but it is VERY hard to find the setting.

      Oh, and I use Thunderbird regularly and it works very well, and have set it up in a multitude of environments. To have Thunderbird automatically interface with 3rd party products, could well be exploited in a similar fashion as email clients, interacting with a 3rd party component that is not a part of the main product. As for using Mozilla Thunderbird to schedule shared resources there IS in fact a way. But it is not user friendly as that is not a priority of Mozilla:

      https://support.mozilla.org/en...

      --
      "Imagination is more important than knowledge" - Einstein
    3. Re:Article summary is misleading by Kaenneth · · Score: 1

      Even if you read as plain text, at some point, some code may parse the malicious code.

      Not even RTF is safe https://blogs.cisco.com/securi...

    4. Re:Article summary is misleading by Anonymous Coward · · Score: 0

      I don't disagree. The reason it's not the default is because of my idiot millennial coworkers and everyone else. The ones who can't live without their fancy fonts and overly verbose signature. To the point I was actively ridiculed for sending and receiving email in plain text. Mozilla is a dumpster fire, we already knew that.

      Signed,

      Anonymous Coward
      THINK before you print this Slashdot post. <insert unicode tree glyph here>

    5. Re:Article summary is misleading by Anonymous Coward · · Score: 0

      So what you're saying is, code is required to parse email, even in plain text.

      Let me go hide under my bed, I think that's where I left my mechanical computer.

    6. Re:Article summary is misleading by Anonymous Coward · · Score: 0

      I work for a Fortune 3 (yes, three) company and they deliberately disable plain-text rendering and force HTML and Rich Text. They also force a number of other stupid insecure policies in Group Policy. When one complains to the security group, all the twelve-year-olds working there simply do not understand the problem.

  15. Text Only by Bigbutt · · Score: 5, Interesting

    Been reconfiguring my email and web clients to send text only and not to display or download images. Fun at corporate when I don't see folks' idiot corporate icons and backgrounds. Heck, I seldom click on attachments from others in the company (certainly not from external sources) for a couple of hours at minimum. I already know my boss doesn't love me :)

    A couple of years back, corporate came out with a standard signature block with html, images, and links. I kicked back with a request for a text only signature block due to various issues with how we manage servers plus provided a link to the Usenet RFC for signatures. They responded with an updated standard that included a text based block with dashdashspace (-- ) :)

    [John]

    --
    Shit better not happen!
    1. Re:Text Only by Anonymous Coward · · Score: 0

      You do miss things, though. Amazon has an interesting tweak that forces full-HTML. Thunderbird defaults to "Simple HTML" which apparently ignores some images. So when Amazon sends a "your package has shipped" email there's no sign of a "track this package" button (leading to opening a page in your browser, which in my case is Firefox with NoScript and a few other things to limit penetration by web page gadgets). If you change the view to full HTML, there's the button (and probably a gaggle of other trackers now awake and transmitting - isn't that what the email acknowledgement feature is for?). My practice now is to just note the email title, delete it, and go to the website separately. But it's annoying to get emails with a bunch of blank spaces where scripted buttons and the like obviously are - wastes space and makes it harder to read.

  16. Nothing Will Change by Anonymous Coward · · Score: 1

    Yes, this is nearly correct. The only safe and secure email is encrypted text. Unfortunately, knowing the right answer and getting the population of the entire world to make the change are two entirely different things.

    Thanks, Microsoft. Thanks, Apple. Thanks, Yahoo. Thanks, Google. There was once a time when computers were the coolest thing. They offered promise and potential, the same way a blank easel appeals to an artist. But then you guys came along and ruined everything. It isn't just email.

  17. Old-man-itis disguised as security advice by Anonymous Coward · · Score: 1

    img=old-man-yells-at-cloud.png

  18. Battle was lost years ago. by Anonymous Coward · · Score: 0

    The battle between HTML e-mail and plain text e-mail was lost years ago, the HTML e-mail people won. I use plain text e-mail, but I'm not dumb enough to think I'm going to convince other people HTML e-mail is bad.

  19. Pine/Alpine by dostert · · Score: 2

    Anyone having deja vu? I used to work on a dumb terminal hooked up to a large Sun server. My email was text only Alpine. After years of fancy new computers and email systems, what are many IT directors going towards? A central VMware server, dumb terminals, and text based email.

    1. Re:Pine/Alpine by Obfuscant · · Score: 1

      My email was text only Alpine.

      Surprise! Alpine now renders HTML for you. Text-only Alpine is history. It may be limited to showing text because you're using it in an xterm, but it's showing the text from the HTML version.

    2. Re:Pine/Alpine by mspohr · · Score: 1

      We should all go back to using Pine... the best email client ever!

      --
      I don't read your sig. Why are you reading mine?
    3. Re:Pine/Alpine by Mousit · · Score: 1

      I started with PINE, moved to Alpine when that became the replacement, and to this day that is still the one and only e-mail client I use. It has come a long way since the earliest PINE days, but it's still overall just as familiar as it was. It's made some compromises over the years to maintain usability in the modern day (it renders HTML for example, but only the text out of it, not the rest, so no HTML attack vectors), but overall I still think it's one of the most secure e-mail clients out there.

    4. Re:Pine/Alpine by Mousit · · Score: 2

      Surprise! Alpine now renders HTML for you. Text-only Alpine is history. It may be limited to showing text because you're using it in an xterm, but it's showing the text from the HTML version.

      Not history at all. You said it yourself: it's showing you the text out of the HTML. And only the text, because Alpine is still text-only. It's a compromise for the modern world (where getting HTML-only e-mails is far too common, even from places you might REALLY NEED to read messages from) but without the attack vectors that come with it. It doesn't render images, it doesn't follow tracking pixels. It doesn't do JS or any of that other dangerous, unnecessary bullshit. Just text.

      I can't speak for you of course, but that's a compromise I can live with, since my bank ain't going to send me text-only e-mails no matter how much I complain to them. I'd rather be able to read the text of their messages.

    5. Re:Pine/Alpine by Obfuscant · · Score: 1

      Not history at all. You said it yourself: it's showing you the text out of the HTML.

      Which means it is no longer plain-text email only. I can remember when pine was.

      And only the text, because Alpine is still text-only.

      I get an amazing amount of email that Alpine shows me active links in.

      but without the attack vectors that come with it.

      Active links are attack vectors. It's bread and butter for most phishing attacks. "Your account will be disabled unless you click here" is not "plain text only". That it only shows text does not mean it is not processing things other than plain-text email.

    6. Re:Pine/Alpine by Mousit · · Score: 1

      Active links are attack vectors. It's bread and butter for most phishing attacks. "Your account will be disabled unless you click here" is not "plain text only". That it only shows text does not mean it is not processing things other than plain-text email.

      Passive links; or at least what I'd consider "active" would be if the program were handling and opening them itself. Even old-school PINE had a "url-viewers" setup option though, and Alpine keeps this. It doesn't follow those links itself, it just sends them to an external program (and since it doesn't follow links internally, you're protected from auto-load nonsense). Plus it only sends them out if you want it to; you can turn that function off. It also asks you to confirm you want to open a link if you try to do so, and in that confirmation dialog it tells you the precise URL it's going to send to the external viewer program, no obfuscation--rendering one of the primary attack vectors moot.

      I mean, sure, plain-plain-plain-text only isn't really a thing anymore even in Alpine, I'll grant you that, but it's still not something Alpine is opening internally. And if such an attack makes it past the confirmation to open it, on top of it telling you the exact and explicit URL it's going to pass to the viewing program, well.. Then yeah, I'll be honest: I do reach a point where I can only accept so much stupidity before I leave a user to their own failure. 100% idiot-proof doesn't exist, even in plain-text only (witness how many e-mails will keep text-only in mind and offer a URL you can copy & paste).

    7. Re:Pine/Alpine by Obfuscant · · Score: 1

      Passive links; or at least what I'd consider "active" would be if the program were handling and opening them itself.

      Any link that results in the question "do you want to open this link" when I hit C/R is active. Passive is if I have to copy/paste it into something else. Passive is if I have to determine it is a URL and do something with it. Alpine is the former. It does something other than sit there and look at me on the screen. It determines what the URLs are and will perform specific actions on them.

    8. Re:Pine/Alpine by chthon · · Score: 1

      Mutt!
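    The text-only rendering Mousit describes above (show the text of an HTML part, never fetch images, list links rather than follow them) and Obfuscant's objection that a link can say one thing and go elsewhere can both be checked in code. The following Python is an added example written for this page; it is not Alpine's code and was not posted by anyone in the thread. It prefers the text/plain part of a MIME message, falls back to the visible text of text/html, records image sources without fetching them, and flags anchors whose visible text names a host that differs from the href's host. The message it parses is constructed inline and the .invalid hostnames are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class TextAndLinks(HTMLParser):
    """Keep only the visible text of an HTML part; record (never fetch) image
    sources, and every anchor's href together with the text the reader sees."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self.images = [], [], []
        self._href, self._anchor, self._skip = None, [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1                       # never part of visible text
        elif tag == "img":
            self.images.append(a.get("src", ""))  # tracking pixels live here
        elif tag == "a":
            self._href, self._anchor = a.get("href", ""), []
        elif tag in ("p", "div", "br", "li", "tr"):
            self.text.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        if self._skip:
            return
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


# A hostname (optionally with scheme) appearing in the anchor's visible text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def _norm(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def looks_deceptive(href, shown):
    """True when the anchor text names a host but the link goes elsewhere:
    the 'shows one thing but does another' case."""
    m = HOST_IN_TEXT.search(shown)
    if not m:
        return False                              # 'click here': nothing to compare
    return _norm(m.group(1)) != _norm(urlparse(href).hostname or "")


def safe_view(raw):
    """Render like a text-only client: prefer text/plain; otherwise show the
    text of text/html with images dropped and links listed, not followed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:
        return {"source": "text/plain", "text": part.get_content(),
                "links": [], "images": [], "suspicious": []}
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return {"source": "none", "text": "", "links": [], "images": [], "suspicious": []}
    p = TextAndLinks()
    p.feed(part.get_content())
    p.close()
    text = re.sub(r"\n{3,}", "\n\n", "".join(p.text)).strip()
    return {"source": "text/html", "text": text, "links": p.links, "images": p.images,
            "suspicious": [link for link in p.links if looks_deceptive(*link)]}


def build_sample(with_plain):
    """Constructed phishing-style message for the demo (placeholder hosts)."""
    html = ('<html><body><p>Your account will be disabled unless you visit '
            '<a href="http://login.attacker.invalid/reset">'
            'https://www.example-bank.invalid/reset</a> today.</p>'
            '<img src="http://tracker.attacker.invalid/px.gif?id=42" width="1" height="1">'
            '<p>Questions? See <a href="https://www.example-bank.invalid/help">'
            'example-bank.invalid/help</a></p></body></html>')
    msg = EmailMessage()
    msg["From"] = "security@example-bank.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Action required"
    if with_plain:
        msg.set_content("Your account will be disabled unless you visit\n"
                        "https://www.example-bank.invalid/reset today.\n")
        msg.add_alternative(html, subtype="html")   # multipart/alternative
    else:
        msg.set_content(html, subtype="html")       # HTML-only, like a bank's
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        v = safe_view(build_sample(flag))
        print(v["source"], "| suspicious:", v["suspicious"], "| images:", v["images"])
```

    With the multipart/alternative sample the viewer never touches the HTML at all. With the HTML-only sample it shows the text, lists the tracking pixel instead of loading it, and reports the first anchor as suspicious because the reader sees a www.example-bank.invalid address while the href points at login.attacker.invalid; the second anchor, whose text and href agree, is not flagged. The host comparison is deliberately conservative: anchor text such as "click here" carries no host and is left to the user, which is exactly the residual risk Obfuscant points at.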

  20. This is news?? by JohnFen · · Score: 3, Informative

    We've known this for many years. It's why the first thing I do with any mailreader is disable HTML.

  21. Re:Why no /. coverage of the Apple event? by BronsCon · · Score: 1

    Because they're editors, not reporters. They expect others to do the actual reporting and submission, so they can "edit" the status from "submitted" to "posted" or "rejected".

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  22. Memo from Central by Anonymous Coward · · Score: 0

    1. Install mutt
    2. Only open email in Mutt
    3. When in doubt, go to step 1
    4. Any questions, call our support desk.
    5. If line is busy, email the support desk.
    6. Print TPS reports.
    7. Email your supervisor when you are done with step one.

    1. Re:Memo from Central by desdinova 216 · · Score: 1

      6a be sure to put the new cover sheets on the TPS reports

  23. That's not even safe by Trailer Trash · · Score: 4, Informative

    Email my mother a plain text email that says "Your Adobe Flash is out of date, copy this link into your browser to update it" and she's probably going to do it. The only safe computer for her is something like a commodore 64 without internet access.

    1. Re:That's not even safe by dddux · · Score: 1

      Well, it is funny, but to tell the truth any computer without Internet access would be safe for her. ;) I love your C64 reference though! :)

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." - Jiddu Krishnamurti
  24. RTF email/Scaling by Anonymous Coward · · Score: 0

    The problem with what you propose is image scaling. What looks nice on your mobile phone looks tiny on my 8K monitor... which is 1/2 of what original HTML was designed for.

    1. Re:RTF email/Scaling by OrangeTide · · Score: 1

      The images for DjVu are typically scanned at 300-1200 DPI. Which is higher than your 8K monitor. So your A4 sheet of paper is probably 50% bigger on your 8K display than it would be in real life, you might want to scale it down a little bit to read it if you are close to your screen. There is enough information that you can scale up the bitmap pretty comfortably as well. Of course on a phone it would be downscaled pretty significantly.

      The main limitation to a bitmap format or really any typeset format is text reflow. The closest equivalent would be PDF, you usually are stuck with however the author chose to form the PDF file. The font sizes, the layout (1 column? 2 column? landscape?). But we had this limitation for hundreds of years using physical correspondence and it wasn't too big of a deal until recently.

      Plain-text is the lowest common denominator and I can see the point of the article. But it's not hard to imagine solutions to the problem that are both relatively simple and more expressive than ASCII/UTF-8. Obviously we should discard any sort of e-mail standard (de facto or official) that is inherently insecure.

      --
      “Common sense is not so common.” — Voltaire
  25. Then why is it so unpopular? by Voyager529 · · Score: 4, Insightful

    The folks at Dartmouth may well be correct in that plaintext e-mail is safest. However, does that really make it the best solution anymore?

    Look, I've got "that secretary" who uses borderline-illegible script fonts on stationery, and ConstantContact blasts annoy me as well. HTML mail does indeed have its downside and I don't disagree that it opens up at least some amount of security holes.

    At the same time, plaintext e-mail has its faults, too. The color separation makes it clear when you've cleared the 'new message' in the thread, as does the stylized header. Inline image embedding is abused by marketers, but it makes it far easier to send tutorials or support requests via screenshot sequences. Yes, clickable links are a security risk, but that's how password reset e-mails work now. Do you really expect users to copy the complete URL into the address bar without an issue? If there's a line break in there, you're really screwed.

    All of that hasn't even begun to address attachments, because technically it is possible for mail attachments to count as both a part of plaintext e-mails and not. Attachments are a mess, but we've stopped allowing people to e-mail executable files, for the most part. The attachment file types themselves, however, are a mess. Outlook cries wolf at *every* attachment, which makes it "the dialog box to ignore" - itself a UI problem of its own faults. The fact that the last few ransomware attacks I took care of were sourced from a malicious ActiveX payload on a Word document is only as stupid as the fact that there is still a whole lot of software that depends on ActiveX and Macros to function. If Microsoft is too easy a target, then Adobe has some splanin' to do when it comes to the fact that javascript can be embedded into a PDF. I've only seen it ever legitimately used for calculations and validations; is it really that hard to have a dedicated software function for that? The list of such issues is quite extensive, but I think my case on this point is made.

    Ultimately, the fact that HTML mail is as ubiquitous as it is has to do with the fact that e-mail as it was originally designed (plaintext, 80x25) is no longer meeting the needs of most people who use it. However, its extensibility is amongst the reasons why e-mail is still as heavily used as it is, long after its contemporaries (IRC, Usenet, others) have faded into niche roles while e-mail is still mainstream.

    Meanwhile, most free e-mail providers are pretty good at filtering malicious e-mails, spam filters for on-prem mail filters have reached a pretty good level of maturity, so there are plenty of safeguards in place that have brought the danger down significantly, to the point where e-mail is one piece of the vector rather than the vector itself, and has been for some time.

    I pose this question to the Slashdotters who agree with the Dartmouth researchers: Whenever sweeping legislation or military action comes up around here, a post based on Ben Franklin's thoughts regarding trading liberty for security is almost invariably stated, and frequently modded up to a +4 or +5. Now that the "liberty for security" question is on the other foot, when we're discussing trading liberty (more useful e-mail) for security, why does the mindset seem to be flipped? I'm not saying free-for-all e-mail with no spam filters or blacklists is ideal, but I am saying that for all of the ways that e-mail gets abused, it's gotten to the point where it is all but guaranteed to prompt the user before causing trouble, if it gets through the IP blacklists, keyword blacklists, attachment filters, virus scanners, default mail client settings, attachment warnings, application warnings, and UAC prompts...I doubt plaintext would have solved the issue in itself. To champion a function regression in the name of 'security' sounds like the kind of mindset which, according to Franklin, deserves neither liberty nor security.

    1. Re:Then why is it so unpopular? by Obfuscant · · Score: 4, Insightful

      At the same time, plaintext e-mail has its faults, too. The color separation makes it clear when you've cleared the 'new message' in the thread, as does the stylized header.

      You have no clue what you're saying here. The "new message" flag is a function of the gui or text client, not the email itself. Alpine shows an "N" next to new messages, and that's pretty clear. Evolution uses bold to show new messages, in the message list.

      Inline image embedding is abused by marketers, but it makes it far easier to send tutorials or support requests via screenshot sequences.

      Images do not have to be inline to be useful.

      Yes, clickable links are a security risk, but that's how password reset e-mails work now.

      "Because some idiots who don't know good programming and security practices do it this way, it must be good."

      News flash: there are mail systems that actually connect to anything in a message that looks like a URL as a way of testing for malmail. I sent someone an email with a link to a website I run and almost instantly I saw "them" access that link in the logs. Not them, the mail server that was scanning their incoming email. Any "one time reset" link sent to that user is not going to work, ever, because the server will have exhausted the "one time" access.

      Do you really expect users to copy the complete URL into the address bar without an issue? If there's a line break in there, you're really screwed.

      Yes, and of course not. I do it all the time. "Line breaks" in the URL are not a problem. Firefox handles them just fine.

      All of that hasn't even begun to address attachments, because technically it is possible for mail attachments to count as both a part of plaintext e-mails and not.

      If you don't know what you are talking about, please don't comment on technical things. Attachments are attachments. They are not part of the plain-text body.

      The attachment file types themselves, however, are a mess. Outlook cries wolf at *every* attachment,

      Say no more, I now understand why you think the way you do. Outlook is a piece of shit created by Microsoft that goes out of its way to avoid the existing standards for email, and is the source of the abomination known as "winmail.dat". If you think Outlook is some baseline to which good email practices should be compared, then you are ... well, enough said. The rest of your rant is thus made moot.

    2. Re:Then why is it so unpopular? by Anonymous Coward · · Score: 0

      Is it really "unpopular" to limit content flexibility? Has that crippled Twitter or Slack, for example, which do not allow users to dump whatever garbage they want? Did measures against XSS hobble web 2.0?

      You also fail to note that beyond the security problems introduced by "rich" emails, they are annoying and a waste of resources used to create them, transmit them, store them, display them, parse them, read them.

      They are just another front in the effort to turn computers into televisions -- passive consumption devices that exist to allow remote entities to manipulate people's spending habits.

      If you can't express something effectively in plain text, you suck at communication and/or are trying to do something "clever" that I want no part of. Get the picture?

    3. Re:Then why is it so unpopular? by Voyager529 · · Score: 1

      1. I was not referring to whether a new e-mail was bold or not, but how text is shown within an e-mail. The format change when reading an e-mail body consisting of a multi-message thread is, in fact, a function of the e-mail formatting.

      2. No, images don't *have* to be inline. However, there's a reason why many tutorials use that format - the format itself is useful.

      3. So the way *your* mail scanner functions is the baseline for how things should work? What's your suggestion for a password reset methodology that isn't a greater security risk?

      4. Firefox handles them wonderfully. The Google search bar / MSN search bar / WhateverBrowserHijacker search bar is a different story, and the number of people who think that's an address bar vastly outnumber Firefox users.

      5. I very much do know what I'm talking about. The point I was getting at, if you're going to be pedantic about it, is that "plain text e-mail" can mean "if it's not text, it's not e-mail", akin to how PINE mail and other terminal-based mail clients functioned. It can also refer simply to the text formatting, inclusive of MIME attachments and indicating a lack of HTML/RTF formatting. I was speaking of the latter, but wished to acknowledge the existence of the former.

      6. Outlook is far from an exemplary piece of software, but I'm hard pressed to point to a locally-installed mail client with a greater marketshare. Now, we can certainly argue that Microsoft's way of extending it is far from ideal, but it's not like Gmail is any less guilty of adhering to standards and both AOL and Yahoo had their EEE days when they had the lion's share of e-mail users, so it's not like extending e-mail beyond the specs is an evil reserved only for Microsoft. Whether good practice or not, Outlook is very much a part of corporate environments and is used by millions of people every day. Thunderbird and Evolution may well be 'standards compliant', but my entire point is that the original e-mail standards are insufficient for most modern uses. I can't say I "like" Outlook, but treating it like it's irrelevant is of no assistance, either.

    4. Re:Then why is it so unpopular? by Voyager529 · · Score: 1

      1. The popularity of Twitter and Slack is based primarily on their ability to handle synchronous communication, which e-mail lacks. Moreover, while it's not possible to change the font on Twitter (dunno about Slack), Twitter does allow for links, images, and embedded videos, functions plaintext e-mail does not provide. Would Twitter still be popular without these abilities? That's a good question indeed, but neither Twitter nor Slack are long-form means of communication.

      2. Yes, they're annoying and a waste of resources. Unfortunately, you could say that regarding just about anything...including our Slashdot discussion, since all of those points apply to those who would read our dialogue and not see any value within it.

      3. The computer-to-TV transformation has been going on for some time, but I would argue that at least with PCs, the end user still has root access, at least for now. Mobile computing devices are a far greater threat in that respect.

      4. I was sufficiently successful in expressing myself in plaintext that it warranted a response. As someone who still camps out in IRC and Usenet, I agree with you. However, in a culture where memes and reaction gifs are means of expressing one's self, to readily ignore the existence of these things is not to stem the tide, but to ensure that proposed changes are less palatable.

    5. Re:Then why is it so unpopular? by Obfuscant · · Score: 1

      1. I was not referring to whether a new e-mail was bold or not, but how text is shown within an e-mail.

      No, you were pretty specific as to "clearing" the new mail in the thread, and this has nothing to do with what the email itself looks like. If you have an email client that changes the email itself to show status, then you have a very very poor email client. But we already know that.

      3. So the way *your* mail scanner functions is the baseline for how things should work?

      I said nothing about how my "mail scanner" works. I told you of how at least one of them DOES work, and why that makes one-time reset links useless. There goes your excuse for non-plain-text email based on "password reset links", if they weren't already made meaningless by the ability to copy and paste the plain text URL representation.

      4. Firefox handles them wonderfully.

      Which is proof that there is no inherent problem with line breaks in a copy/paste URL. Sheesh, if you knew anything, you ought to at least realize that "\n" is not a valid character in a URL and EVERY web client should be able to ignore them.

      The Google search bar / MSN search bar / WhateverBrowserHijacker search bar is a different story,

      You don't paste a URL into a SEARCH BAR, you nimrod. It's a URL.

      and the number of people who think that's an address bar vastly outnumber Firefox users.

      Nimrods don't know how to use their browsers, film at 11.

      5. I very much do know what I'm talking about.

      Not when you try to debate if "attachments" are "plain text email" or not. Not when you bring up Outlook as the benchmark.

      The point I was getting at, if you're going to be pedantic about it, is that "plain text e-mail" can mean "if it's not text, it's not e-mail",

      Oh for Christ's sake, stop being stupid. "Plain text email" means it is plain text. If it isn't plain text it isn't plain text email, not 'it isn't email'.

      6. Outlook is far from an exemplary piece of software, but I'm hard pressed to point to a locally-installed mail client with a greater marketshare.

      Marketshare is not how one defines a good email client.

      Now, we can certainly argue that Microsoft's way of extending it is far from ideal,

      If you think there is any argument about that, then you truly are hopeless. Go back to Outlook and leave the discussion of email systems to the adults, ok?

      but my entire point is that the original e-mail standards are insufficient for most modern uses.

      Bullshit. Every "use case" you've made has been shown to be trivially done with plain text email using existing standards. Your biggest arguments are "Outlook yada yada" and "nimrods paste URLs in the wrong place", neither of which justify anything.

      I can't say I "like" Outlook, but treating it like it's irrelevant is of no assistance, either.

      Nobody is treating it like it is irrelevant, but trying to use it as a baseline for good practice is simply ridiculous. As soon as you use "but Outlook does it this way" as an argument about how email should work, you've both lost that argument AND shown that you are a clueless Microsoft wanker.
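    On the line-break question argued above: a URL wrapped across lines in a plain-text body is only a display matter when the sender used RFC 3676 format=flowed, which marks each soft line break with a trailing space so that the receiving client rejoins the lines before showing them (and with DelSp=yes deletes that space, which is what allows a break inside a long token such as a URL). The Python below is an added example for this page, not code from any poster or mail client: it decodes a format=flowed body (soft breaks, DelSp, space-stuffing, quote marks, the "-- " signature separator) and then extracts URLs, showing that the URL comes back whole only after unflowing. The sample body and its hostname are constructed for the demo.

```python
import re

# A bare URL ends at the first whitespace; that is why a wrapped URL that is
# not unflowed first comes back truncated.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unflow(body, delsp=False):
    """Decode an RFC 3676 format=flowed body into logical lines.

    A line whose last character is a space is a soft break and is joined
    with the next line of the same quote depth (with DelSp=yes that trailing
    space is deleted); '-- ' is the signature separator, never a soft break;
    quote marks are leading '>' characters; a single space after them is
    space-stuffing and is removed."""
    paragraphs = []          # finished (depth, text) pairs
    pending = None           # (depth, text) still being joined
    for raw in body.split("\n"):
        line = raw.rstrip("\r")
        depth = len(line) - len(line.lstrip(">"))
        line = line[depth:]
        if line.startswith(" "):
            line = line[1:]                          # undo space-stuffing
        soft = line.endswith(" ") and line != "-- "
        if soft and delsp:
            line = line[:-1]
        if pending is not None:
            if pending[0] == depth:
                line = pending[1] + line             # continue the paragraph
            else:
                paragraphs.append(pending)           # depth changed: hard break
        if soft:
            pending = (depth, line)
        else:
            paragraphs.append((depth, line))
            pending = None
    if pending is not None:
        paragraphs.append(pending)
    return "\n".join("> " * d + t for d, t in paragraphs)


def find_urls(text):
    return URL_RE.findall(text)


# Constructed sample: what a sender using 'format=flowed; delsp=yes' emits when
# it wraps at 72 columns. Each soft break ends in one extra space; the quoted
# line keeps its real word space plus the soft-break space.
FLOWED = (
    "Your reset link is https://www.example.invalid/account/reset?token=3f9a1c \n"
    "7e2b4d8c&uid=1042 and it expires in 24 hours.\n"
    "\n"
    "> quoted line one  \n"
    "> quoted line two\n"
    " From here on it is plain.\n"
    "-- \n"
    "John\n"
)

if __name__ == "__main__":
    print("raw extraction:    ", find_urls(FLOWED))
    print("after unflowing:   ", find_urls(unflow(FLOWED, delsp=True)))
    print(unflow(FLOWED, delsp=True))
```

    Run as written, the raw extraction returns a URL ending in token=3f9a1c, while extraction after unflowing returns the full token=3f9a1c7e2b4d8c&uid=1042 link; decoding the same body with delsp=False leaves a space inside the URL and truncates it again, which is why the DelSp parameter has to be honoured rather than assumed. Obfuscant's point that a newline is not a valid URL character is what covers the copy-and-paste case: RFC 3986 Appendix C likewise tells a consumer to strip whitespace from a URL it takes out of wrapped text, which is what a browser's address bar does.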

    6. Re:Then why is it so unpopular? by Altrag · · Score: 1

      you are a clueless Microsoft wanker.

      And you're just clueless if you think everybody is, or even should be, technically proficient enough to know a "search bar" from a "URL bar," especially when every single one of the major browsers has intentionally merged the two over the past few years.

      Really, the whole thread including the article is relatively pointless. This is one of those "security vs convenience" discussions, and one that isn't even remotely new, and one that the world has firmly fallen on the convenience side of.

      There is zero probability that even a barely noticeable fraction of email users will suddenly decide to drop back to 1992 era email so there's little point even discussing it -- it would be far more useful to accept reality and put the efforts toward improving security in modern mail clients (and browsers and whatever else.)

      It's like saying we should solve the problem of cars pumping out too much CO2 by going back to horses. Even if it wasn't a stupid idea right from surface level, nobody is going to do it because horses are slow and messy -- instead, we invent better technology to work around the problem while still retaining most if not all of the convenience we're used to.

    7. Re:Then why is it so unpopular? by Obfuscant · · Score: 1

      And you're just clueless if you think everybody is, or even should be, technically proficient enough to know a "search bar" from a "URL bar,"

      Show me where I said they needed to be. I said that it isn't an excuse to require crap in email more than plain text. The fact you paste a URL into a search bar instead of the address bar is your ignorance and not justification for new standards that you won't be any better capable of understanding.

      There is zero probability that even a barely noticeable fraction of email users will suddenly decide to drop back to 1992 era email so there's little point even discussing it --

      And yet here you are. Or is your participation just so you can jump down my throat for something I didn't say?

    8. Re:Then why is it so unpopular? by Anonymous Coward · · Score: 0

      If you don't know what you are talking about, please don't comment on technical things. Attachments are attachments. They are not part of the plain-text body.

      It's been ages, but the last time I tried putting a UUEncoded image in the middle of an e-mail my client displayed it inline. I wonder if clients still support UUEncoding at all these days.

    9. Re:Then why is it so unpopular? by chispito · · Score: 1

      Now that the "liberty for security" question is on the other foot, when we're discussing trading liberty (more useful e-mail) for security, why does the mindset seem to be flipped?

      MS Office macros can also be quite useful. Do you enable those?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    10. Re:Then why is it so unpopular? by Voyager529 · · Score: 1

      1. I was not referring to whether a new e-mail was bold or not, but how text is shown within an e-mail.

      No, you were pretty specific as to "clearing" the new mail in the thread, and this has nothing to do with what the email itself looks like. If you have an email client that changes the email itself to show status, then you have a very very poor email client. But we already know that.

      My exact quote:
      "The color separation makes it clear when you've cleared the 'new message' in the thread, as does the stylized header"

      For the third time, I'm referring to the fact that replies generally start with a different text style than the rest of the thread when reading an e-mail in a window which shows a message, along with its replies, in reverse chronological order. Perhaps it wasn't perfectly worded, but that is what I was referring to, from the beginning. Whether it's better or worse than the countless ">" symbols that are used in text-only messages is subjective, but the color change in the message body is no less an effective way of performing the same task.

      3. So the way *your* mail scanner functions is the baseline for how things should work?

      I said nothing about how my "mail scanner" works. I told you of how at least one of them DOES work, and why that makes one-time reset links useless. There goes your excuse for non-plain-text email based on "password reset links", if they weren't already made meaningless by the ability to copy and paste the plain text URL representation.

      Okay, so apparently there are issues with single use links when they go through whatever spam filter you're referencing but not using. That must be why most of such e-mails I've received have a 24-hour expiration, or there is some magical pixie dust in MS Forefront, Google Postini, Barracuda, SpamAssassin, Scrollout, and Symantec SMG that make them work just fine. Either this nameless, unused filter is the standard by which such messages must comply, or the fact that this method has been implemented by basically every forum and online service I've ever used makes the issue on the side of the filter for all practical purposes.

      4. Firefox handles them wonderfully.

      Which is proof that there is no inherent problem with line breaks in a copy/paste URL. Sheesh, if you knew anything, you ought to at least realize that "\n" is not a valid character in a URL and EVERY web client should be able to ignore them.

      Of course! But kindly tell that to the tens of millions of non-Firefox users when "clicking a link" works just fine now.

      The Google search bar / MSN search bar / WhateverBrowserHijacker search bar is a different story,

      You don't paste a URL into a SEARCH BAR, you nimrod. It's a URL.

      Excuse you. I'm poignantly aware of the difference between the two. I also happen to provide desktop support to other people, and I'm very good at it because I observe how *they* interact with computers. Step outside your ivory tower and see that 90% of computer users don't know the difference anymore. It's a sad reality that pains me as much as it pains you, but the fact of the matter is that those people have passwords too, those people need them reset, and if you have the rude, condescending attitude with them that you do with someone who at least somewhat agrees with you, then it's unsurprising that your view on the topic is comprised solely of your own.

      and the number of people who think that's an address bar vastly outnumber Firefox users.

      Nimrods don't know how to use their browsers, film at 11.

      I appreciate the assist from Altrag below. As much as I very much wish that everybody had an understanding of UI conventions, the fact is, once again, that nimrods use computers, and nimrods have browsers an

    11. Re:Then why is it so unpopular? by Anonymous Coward · · Score: 0

      Yes, clickable links are a security risk, but that's how password reset e-mails work now. Do you really expect users to copy the complete URL into the address bar without an issue? If there's a line break in there, you're really screwed.

      Sure, pasting URLs is easy. If you create URLs long enough to need line breaking, you're doing it wrong. Long URLs are simply not necessary. Still, even a URL broken over several lines is usually not a problem: it isn't really broken up - unless your email client is horrible. The wrapping is just for displaying.

      Not that this matters. The real fix is to have a machine that is not vulnerable - one that simply survives as the user clicks on a link to anything. I may not want to click because I don't want to be tracked, or I don't want to wait for a slow site or read the details of some Nigeria scam. But I do not worry about the computer. I have yet to see a link that can stump linux. Of course, neither my mail sw nor my web browser will ever execute anything I click on.

      Outlook cries wolf at *every* attachment, which makes it "the dialog box to ignore" - itself a UI problem of its own faults.

      Indeed - crying wolf is a bad thing to do. Opening notification dialog boxes is bad UI in general.


      Ultimately, the fact that HTML mail is as ubiquitous as it is has to do with the fact that e-mail as it was originally designed (plaintext, 80x25) is no longer meeting the needs of most people who use it.

      Well, wrong. Plain text email was never about 80x25. Write your text mail in a single long line if you wish. A mail reader in an 80x25 terminal will wrap it to 80 columns. A reader in a 200x50 terminal window will wrap it to 200 columns. And a GUI mail reader will wrap to however many variable-width glyphs fit into the current window width. HTML is not needed for such functionality.

      Now that the "liberty for security" question is on the other foot, when we're discussing trading liberty (more useful e-mail) for security, why does the mindset seem to be flipped?

      Because html email isn't seen as "more useful", quite the opposite.

      Not that it is a security problem - only windows is vulnerable. Html mail is annoying, like having Bieber playing in the background. That's all.

    12. Re:Then why is it so unpopular? by Anonymous Coward · · Score: 0

      However, in a culture where memes and reaction gifs are means of expressing one's self, to readily ignore the existence of these things is not to stem the tide, but to ensure that proposed changes are less palatable.

      Never mistake a fad for a culture.

    13. Re:Then why is it so unpopular? by Obfuscant · · Score: 0

      My exact quote: "The color separation makes it clear when you've cleared the 'new message' in the thread, as does the stylized header"

      Yes. That's a function of the mail client and not the email itself.

      For the third time, I'm referring to the fact that replies generally start with a different text style than the rest of the thread when reading an e-mail in a window which shows a message,

      Perhaps in pieces of crap like Outlook that don't care about email standards, but they don't look any different in any real email client. Any email client that changes the body of the email based on read or unread status is broken, period.

      Of course! But kindly tell that to the tens of millions of non-Firefox users when "clicking a link" works just fine now.

      I don't have to tell them anything. This is a fact. Your excuse that we need enhanced email so that cutting and pasting a URL will work is wrong. We don't need that.

      So, what's your preferred term for "e-mail with a binary attachment but which lacks formatting or markup"?

      I don't know what semantic game you are trying to play here. Your claim that "non-plain-text email" means "isn't email" is patent bullshit.

      Because in your haste to tell me to stop being stupid, you managed to prove my point. There is ambiguity in the term.

      You seem to be the only person I've ever heard think that "non-plain-text email" means "not email". Most of the people with a brain understand that "non-plain-text email" means it is email that isn't plain text. There is no ambiguity.

      Great! You should have no problem getting the millions of Outlook users to migrate over to your superior e-mail client..

      Game over. Knowing that Outlook is a defective email client doesn't imply any need to convert nimrods who like defective email clients.

      And yet, you've provided solutions to neither.

      Of course I have. Don't paste a URL into a search box, for one. Simple. Do it once and you'll learn. I don't remember what your other example of necessity for HTML email was, but the simple alternative is to not use HTML email. Simple.

      There are plenty of adults making more money than you who use Outlook every day at their desk.

      And here we are at ad hominem, with a healthy dose of "forty million Frenchmen can't be wrong" logic.

      I just know that if "quality of software", "adherence to standards" or even "effectiveness of support" were reasons why software is popular,

      This isn't an argument about what software is popular, it is about the need for anything more than plain text. Every example you've presented as why you need more than plain text is trivially handled by using plain text. That's why you lose the argument -- your reliance on popularity to define "right".

      Telling them that plaintext e-mail is going to be unilaterally implemented in the name of security

      And I've said that kind of thing exactly when? Argue about this with someone else. You lose this one.

    14. Re:Then why is it so unpopular? by Altrag · · Score: 1

      Show me where I said they needed to be.

      You don't paste a URL into a SEARCH BAR, you nimrod. It's a URL.

      You don't explicitly say it, but your phrasing certainly implies that you expect "nimrods" to know that.

      And yet here you are.

      I've never claimed to be above discussing pointless things. That said, I was referring more to the larger community "discussing" it in the sense of going to the trouble of writing and publishing academic papers and whatnot more than the sense of random posters on random forums ranting at each other for a few hours before the topic gets pushed to page 2.

    15. Re:Then why is it so unpopular? by Anonymous Coward · · Score: 0

      The Dartmouth solution sounds nice, but, in addition to being limited, text-based rendering is no guarantee of security (that actually gets a little complex). Better start by making sure your e-mail client uses Raster-based Fonts exclusively... And forget about Internationalization...

      Isolate the e-mail to a single dedicated physical server. If any e-mail manages to pass the filter, feed it into an e-mail client which completely sandboxes the e-mail along with any supporting software needed to process and render it. The sandbox should be an interpreted-mode execution environment with interpreted programs to handle any objects which are deemed necessary for e-mail (which may incidentally, allow the use of scripts embedded in the e-mail, provided the e-mail packages all required resources properly), in which any session is indistinguishable by any means from any other session (or any host machine or user, or whatever), with absurdly simple interfaces (framebuffer, keystrokes, file IO), and with clearly represented boundaries on-screen so that it is visually encapsulated, and with a clear UI positioned somewhere outside of the capsule for extracting files from the e-mail if File extraction is needed.

    16. Re:Then why is it so unpopular? by amanaplanacanalpanam · · Score: 1

      If you think Outlook is some baseline to which good email practices should be compared, then you are ... well, enough said. The rest of your rant is thus made moot.

      Aw that's too bad. I was looking forward to reading your retort to gp's final point - the one invoking Ben Franklin.

    17. Re:Then why is it so unpopular? by Anonymous Coward · · Score: 0

      1. I was not referring to whether a new e-mail was bold or not, but how text is shown within an e-mail.

      No, you were pretty specific as to "clearing" the new mail in the thread, and this has nothing to do with what the email itself looks like. If you have an email client that changes the email itself to show status, then you have a very very poor email client. But we already know that.

      If you assume top-posted e-mails (let those idiots burn in hell), and that he's referring to the HTML colouring quoted posts differently, he makes perfect sense. Because the e-mail client can indeed do 'fuck-all' to parse whole threads embedded in a single message full of top-posting.

      Of course, if you assume plain-text e-mails properly quoted with the > character, then it is indeed the e-mail client's responsibility to colour the quoted text differently.

      Sorry, you're kind of coming off as an idiot here.

    18. Re:Then why is it so unpopular? by Voyager529 · · Score: 1

      Ehh, I'm up for one more go-around...

      My exact quote:
      "The color separation makes it clear when you've cleared the 'new message' in the thread, as does the stylized header"

      Yes. That's a function of the mail client and not the email itself.

      At some level, whether by markup styling or the use of the ">" character, the e-mail body is where the information regarding what's new vs. what isn't is designated.

      For the third time, I'm referring to the fact that replies generally start with a different text style than the rest of the thread when reading an e-mail in a window which shows a message,

      Perhaps in pieces of crap like Outlook that don't care about email standards, but they don't look any different in any real email client. Any email client that changes the body of the email based on read or unread status is broken, period.

      You've yet to name what you consider a "real e-mail client", and you're still missing my point. The body doesn't change its formatting based on whether a message is 'read' or 'unread', but rather an e-mail containing the text of several prior messages over the course of an e-mail exchange is shown with different formatting. So, changing the color of the text in an e-mail is "broken" because it alters the data contained within the message, but adding ">" characters with each iteration as plaintext messages do (i.e. changing the message data) is fine?

      Of course! But kindly tell that to the tens of millions of non-Firefox users when "clicking a link" works just fine now.

      I don't have to tell them anything. This is a fact. Your excuse that we need enhanced email so that cutting and pasting a URL will work is wrong. We don't need that.

      You're right. Actual HTML links don't require cutting/pasting. They just open. Your solution to the inconsistency of links with line breaks is either URL shortening (which has never been abused *eyeroll*) or have all the browsers work like firefox.

      So, what's your preferred term for "e-mail with a binary attachment but which lacks formatting or markup"?

      I don't know what semantic game you are trying to play here. Your claim that "non-plain-text email" means "isn't email" is patent bullshit.

      Okay, I'll try phrasing it a different way. There are three possibilities at play here:
      1. E-mails with HTML/CSS markup and other nonstandard stuff.
      2. E-mails with ASCII messages and binary attachments.
      3. E-mails with ASCII messages only.

      We both agree that #1 is not 'plaintext e-mail' and that #3 is, but #2 is where the lack of clarity is.

      Because in your haste to tell me to stop being stupid, you managed to prove my point. There is ambiguity in the term.

      You seem to be the only person I've ever heard think that "non-plain-text email" means "not email". Most of the people with a brain understand that "non-plain-text email" means it is email that isn't plain text. There is no ambiguity.

      See above.

      Great! You should have no problem getting the millions of Outlook users to migrate over to your superior e-mail client..

      Game over. Knowing that Outlook is a defective email client doesn't imply any need to convert nimrods who like defective email clients.

      At this point, I'm sensing the vibe you're being angry just for the sake of being angry. First, you still haven't named a mail client you believe is better. Second, if Outlook is a defective mail client, then it would need to be replaced if going back to plaintext communications is going to be a matter of course. I'm asking how you would address the fact that a "defective e-mail client" is amongst the most commonly used, and it sounds like your way to address it is "l

    19. Re:Then why is it so unpopular? by Anonymous Coward · · Score: 0

      Because of the same sort of things that caused the Eternal September - The vast majority of people on-line are normal general public-type people, the sort easily dazzled by shiny things and colours with little to no technical know-how.

      Whoever first devised HTML e-mail is the one to blame for all of this really as all of us 'oldsters' had been pointing out its inherent risks literally since day 1, but nothing was done and now we're stuck with yet another ill-conceived 'standard' that we can't get rid of because it's beyond critical mass.

  26. Thunderbird, viewing in Plain Text ... by fahrbot-bot · · Score: 3, Insightful

    I use Thunderbird and POP3, view my messages in Plain Text, have Javascript and all plugins disabled -- for those cases where I have to view the message body as HTML because (for some reason) nothing (or not everything) displays in Plain Text mode (which annoys me to no end, anyone have a workaround?).

    I'm confident that I'm not missing out on anything by viewing in Plain Text, 'cause it's freaking email, not art.

    --
    It must have been something you assimilated. . . .
    1. Re:Thunderbird, viewing in Plain Text ... by bagofbeans · · Score: 1

      In Thunderbird, add HTML Mode to the toolbar which toggles between text only, simple html, and the full bollocks.

    2. Re:Thunderbird, viewing in Plain Text ... by fahrbot-bot · · Score: 1

      Thanks!

      --
      It must have been something you assimilated. . . .
  27. That is why I use mutt by gweihir · · Score: 4, Interesting

    Sure, I had to make one concession to the ASCII-challenged, I now filter HTML through lynx as more and more people do not even understand a request for "non-HTML" email these days, but that is it. With very rare exceptions this is entirely enough for email.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:That is why I use mutt by redelm · · Score: 1

      I resemble that remark! I also use mutt as my primary email client. In addition to security and quick access to full headers, it is just plain faster, especially with 200+ daily. Best with nice big portrait terminals (140x140).

      A few items need rendering (I prefer elinks2 over lynx 'cuz tables) and a very few get copied into a safe file for seamonkey image rendering.

    2. Re:That is why I use mutt by El_Muerte_TDS · · Score: 1

      I do the same. However, the worst part is the multipart emails which contain a text/plain version with content:

      > your email client does not understand HTML emails, bla bla bla

      As if HTML to readable text/plain is so difficult.

    3. Re:That is why I use mutt by PPH · · Score: 1

      elm here.

      --
      Have gnu, will travel.
    4. Re:That is why I use mutt by gweihir · · Score: 1

      I have very few tables in email, but if that changes, I will try elinks2. Thanks for the tip!

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:That is why I use mutt by gweihir · · Score: 1

      As if HTML to readable text/plain is so difficult.

      Indeed. Might be an attempt to force people on HTML, otherwise it makes zero sense.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:That is why I use mutt by gweihir · · Score: 1

      I used to be on elm (wayyy back), but I found mutt works better for me. It is a matter of taste though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  28. You can do safe email that is more than plain text by davidwr · · Score: 2

    An email format which is well-defined, simple enough for most experts to understand completely, and which has no homoglyphs or other situations that can fool the eye, can be safe.

    Well-defined means there is no undefined behavior in the specification. Well-defined also pretty much guarantees that the email cannot result in "open ended" behavior beyond the bare necessities, such as saving a file or printing it, or possibly launching a sandboxed application that is in a separate sandbox from the web browser.

    Simple enough for most experts to understand means it's less likely that an email client will have bugs exploitable by a poisoned email.

    Not having situations that can fool the eye rules out using colors that are visually similar, fonts that are visually similar, and fonts with very similar characters, and the like. However, it does not prohibit using simple markup languages which have features such as "bold" as long as those behaviors are well-defined in the specification. It does not restrict you to "ASCII" or "UTF-8" or to specific fonts, but it would prohibit fonts or combinations of fonts that show characters similarly. For example, in ASCII, some fonts display 0 and O as nearly identical, or l and 1 as nearly identical. Those fonts should be prohibited in any "safe" email specification, as they make social engineering much easier: "Hey Joe, copy and paste into your web browser to go to 'http://www.notevi1site.example.com' where the font makes it look like 'http://www.notevilsite.example.com'" might fool someone into thinking it was not evil when it is.

    A safe email specification can even provide for "safe" pictures. It can allow pictures in certain formats provided the picture format is itself a "safe" format and the client clearly indicates to the user they are pictures rather than text.

    Out of necessity, any practical email standard should provide for a "somewhat safe" method of handling file attachments. One way is to require the client only save the files in a "containerized" file format (e.g. mime/.eml, uuencode, zip, etc.), ready to be scrubbed by security software, which will be responsible for declaring it "safe" before saving the file in its final form. This is a compromise of course, as no security software is perfect and "one size does not fit all" for security. Malware researchers may NEED to exchange samples of live malware, but everyone else should have such files flagged and deleted before they can gain a foothold.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
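
The post's `notevi1site` / `notevilsite` example is a homoglyph attack on the reader's eye. Below is an added example (not code from the post or any project) of the check a plain-text mail client could run on link hosts before showing them: fold each character onto the character it resembles (a "skeleton"), then compare skeletons against a list of hosts the user trusts. The confusable map is a small hand-picked subset written for this example; the full table is Unicode UTS #39 `confusables.txt`. The trusted list and message body are constructed.

```python
"""Flag link hosts that visually imitate a trusted host (added example)."""
import re
import unicodedata
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hand-picked subset of look-alike pairs (constructed for this example; the
# authoritative list is Unicode UTS #39 confusables.txt).
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "!": "l", "5": "s", "2": "z",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0131": "i",  # dotless i
    "\u0261": "g",  # Latin small letter script g
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def skeleton(host: str) -> str:
    """Canonical form for comparison: NFKC (folds full-width letters onto
    ASCII), case-fold, then replace each confusable with its look-alike."""
    text = unicodedata.normalize("NFKC", host).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def lookalike_of(host: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted host that `host` imitates, or None.
    An exact (case-insensitive) match is not a look-alike."""
    sk = skeleton(host)
    for t in trusted:
        if host.casefold() != t.casefold() and skeleton(t) == sk:
            return t
    return None


def check_links(body: str, trusted: List[str]) -> List[Tuple[str, str]]:
    """Scan a plain-text body and return (url, imitated_host) for every link
    whose host is a look-alike of a trusted host."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        target = lookalike_of(host, trusted)
        if target is not None:
            hits.append((url, target))
    return hits


# Constructed sample: the post's pair plus a Cyrillic-o variant.
TRUSTED = ["www.notevilsite.example.com", "mail.example.net"]
BODY = (
    "Hey Joe, copy and paste into your web browser to go to\n"
    "'http://www.notevi1site.example.com/login'\n"
    "Docs: http://www.notevilsite.example.com/help\n"
    "Mirror: http://www.n\u043etevilsite.example.com/\n"
)

if __name__ == "__main__":
    for url, target in check_links(BODY, TRUSTED):
        print(f"{url!r} looks like {target}")
```

The comparison is against a per-user trusted list rather than "the whole internet", which keeps false positives low: two unrelated domains sharing a skeleton is rare, but a domain that skeletons to one the user actually visits is exactly the case worth a warning.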
  29. Re:Why no /. coverage of the Apple event? by mspohr · · Score: 2, Insightful

    Only fanbois care about this

    --
    I don't read your sig. Why are you reading mine?
  30. I miss Usenet by k6mfw · · Score: 1

    though text based, I never was concerned about viruses. Problem I experienced was using my actual email address instead of creating "knownothing@nospam.com" then wonder why am I getting so much spam. But then the jpg images were just that, images. No hidden code within. Had lots of fun reading interesting stuff, ridiculous comments, etc. Maybe even if usenet is still popular, the computer is still vulnerable by simply being online.

    --
    mfwright@batnet.com
  31. That must have been one deep bellybutton.... by Anonymous Coward · · Score: 0

    and one massive wad you pulled out. No shit? That's been known for decades. Only idiots think text only is novel.

  32. Global warming by eminencja · · Score: 4, Interesting

    Rendering plain text email is so much simpler and uses so much less CPU time/power that it could easily have a measurable effect on the global warming.

    1. Re:Global warming by antdude · · Score: 1

      Also, faster speeds for slow Internet connections!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  33. For Voyager529 by Anonymous Coward · · Score: 0

    You seem deprived. Here is a 5byte pr0n for you
    (.Y.)

  34. Email is not safe at all by Rick+Schumann · · Score: 1

    Let's be honest: unless you're sending and receiving email only from a whitelist of addresses, and encrypted end-to-end, email is not safe at all. Nevermind malware, clickbait, spoofing, phishing, and so on, unless you're doing as per above anything you send or receive can be compromised.

    Of course what I'm saying is not that 'email is bad'; what I'm really saying is: the Internet, in general, has been so thoroughly compromised, that you can't trust it at all anymore. That's the world we've allowed to become reality, and I don't even know if it can be fixed.

  35. The first thing that needs to change by Baron_Yam · · Score: 2

    Email needs to be 'notify and pull' not 'push'.

    My mail server should be deciding if it wants to accept mail, and it should require an outbound connection attempt using DNS to do so. Spoofed sender addresses won't work so well if my server can't look up the domain MX record, or if the listed mail server doesn't know anything about the email I think it has for me.

    Just that basic change would kill a lot of crap right off the bat.

    1. Re:The first thing that needs to change by Obfuscant · · Score: 1

      Spoofed sender addresses won't work so well if my server can't look up the domain MX record,

      MX records are not mandatory. The standards are quite clear on that, and how to deal with it. Any mail filter that blocks based on a missing MX record is violating the standards.

      But zealots will be zealots. All kinds of standards-breaking goes on in the name of spam fighting. Empirical knowledge reigns. Things like the seemingly ubiquitous list of valid email address characters that was developed by some ignorant web programmer and ignores the existing explicit valid list. (And yes, I'm referring to the morons who ignore '+'.)

      or if the listed mail server doesn't know anything about the email I think it has for me.

      Not sure what you mean here, since the sending server obviously knows something about the email it has for you -- it's sending it. If you're saying that you should be able to connect back to the sending server to ask about email for you, then you've just created a huge security issue. How does the sending server validate your reverse access to know it really is you asking about email for you?

    2. Re:The first thing that needs to change by Baron_Yam · · Score: 1

      Server A contacts Server B with a mail notification, with a sender email address and message serial number.

      Server B disconnects. At its leisure, it looks up the domain mail server for the sender's email address. Then, it contacts that server and requests the message by sender and message ID. If there is a match, server A responds to server B with the email. If there isn't, Server A knows somebody just failed to send it spam, and Server B knows somebody is using its name or address to send spam.

      Bot nets would be unable to exploit that (assuming you use sufficiently long message IDs to avoid brute forcing), and it would be much easier to blacklist spam domains.

    3. Re:The first thing that needs to change by Altrag · · Score: 2

      Most (public) mail servers do most of that already. The only difference from what you're saying is that the "notify" is the entire email and the "pull" is just the reverse DNS lookup (and blacklist lookup and whatever other checks they do.)

      The biggest problem is that all of this is optional, and many mail servers (especially private ones) are configured by default for ease of use rather than security (which makes sense -- there's no point hardening a system nobody can use in the first place.) Gmail has tried to lead the way on some of these issues -- they were one of the first providers, and I think the first really big/popular/well-known one, to make SSL non-optional for example. I realize that's only a tiny part of the chain but it's a start.

      If Google, Microsoft and Apple and maybe one or two other big name providers got together and started requiring SPF, DKIM, etc to all pass with a zero-tolerance policy, other providers and software packages would suddenly be pushing to add those features as secure-by-default because otherwise their products would stop working when sending emails to a large portion of the population. Same thing if they started requiring GPG (or similar) signatures. All of a sudden email signing would be an obvious and built-in part of almost every client out of the box.

      Basically, we already have most if not all of the tools we need to secure email. We just (so far) haven't had the willpower to force the issue and at this point, the only people who have the clout to enforce such a will (if they decide to bother) are the largest handful of email providers.

    4. Re:The first thing that needs to change by Obfuscant · · Score: 1

      Server A contacts Server B with a mail notification, with a sender email address and message serial number.

      There is no "serial number". The message id is part of the header. The "sender email address" appears in the From: header and may have no relation to server A at all.

      Then, it contacts that server and requests the message by sender and message ID.

      So you go all the way to getting the data from the message just to disconnect and then ask for it all again. And you may try to connect to a server that has not been involved in any part of the process.

      If there is a match, server A responds to server B with the email.

      Message ids are not authentication. Second, how does the server know to whom it has delivered the message? It is not sufficient to ask for "sender/id", you must also ask by recipient. Just one quick second of thought shows that this would be a great way for someone to DOS an email sent to multiple recipients. I get the email with the entire To: and CC: headers, then connect to Server A asking for the message -- and now Server A thinks it has delivered it to all recipients, not just me. Fun.

      If there isn't, Server A knows somebody just failed to send it spam,

      Server A is the sending server. It's already been sent the message. It was trying to send it on to B in your hypothetical situation. And I hate to point out that the "sender email address" may be from any domain at all, not just the domain associated with A's HELO (or IP address). It is quite possible that your Server B would be contacting a server that has already processed and delivered the email you are now asking it for, or may have no knowledge of that email because the sender used a different server to send the email to begin with. For example, I have several email accounts set up on my mobile device that use just a couple mail servers for outgoing email. They know I'm valid because I AUTH with them prior to sending. You will see a domain in my From header that has nothing to do with the server I sent it out through, or the server that is the last one to handle it prior to your Server B.

      And in any case, it is quite possible that a domain uses one server for outgoing email and a different one for incoming. I.e., the fact that my server A connects to your server B on your port 25 does not mean I have a server listening for your connections on port 25. My MX may be a completely different system on the other side of the planet.

      Bot nets would be unable to exploit that (assuming you use sufficiently long message IDs to avoid brute forcing),

      The message id is generated by the sender of the message and is unchanged during transit. You, as the recipient, or Server A as an MTA, have no say in how the message id is formed.

      and it would be much easier to blacklist spam domains.

      Your proposed idea does nothing to help this, and it requires that a large part of the spam be delivered to the recipient server to start with. And then it fails for any number of reasons that have nothing to do with the email being spam.

      Yet another over-zealous, standard-violating anti-spam system.
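
The exchange above (the notify-and-pull proposal and the reply's objection that a message id is not authentication and that a pull keyed only on sender/id lets one recipient mark the message delivered to everyone) can be played out in a toy model. This is an added example, not code from either poster: `SendingServer` is "Server A", `pull_naive` is the scheme as proposed, and `pull_checked` is a hardened variant that is an assumption of this example, adding a per-recipient random token to the notification so the pull is bound to the recipient that received the notice. Addresses and ids are constructed.

```python
"""Toy model of the notify-and-pull scheme discussed above (added example)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Message:
    sender: str
    msg_id: str
    recipients: Tuple[str, ...]
    body: str


class SendingServer:
    """'Server A': queues outgoing mail and answers pull requests."""

    def __init__(self) -> None:
        self.outbox: Dict[Tuple[str, str], Message] = {}
        self.delivered: Dict[Tuple[str, str], Set[str]] = {}
        self.tokens: Dict[Tuple[str, str, str], str] = {}  # hardened variant only

    def notify(self, msg: Message) -> List[dict]:
        """Queue msg; return one notification per recipient. As proposed the
        notice carries only sender and id; the token is this example's addition."""
        key = (msg.sender, msg.msg_id)
        self.outbox[key] = msg
        self.delivered[key] = set()
        notices = []
        for rcpt in msg.recipients:
            tok = secrets.token_hex(16)
            self.tokens[key + (rcpt,)] = tok
            notices.append({"to": rcpt, "sender": msg.sender, "id": msg.msg_id, "token": tok})
        return notices

    def pull_naive(self, sender: str, msg_id: str) -> Optional[Message]:
        """Scheme as proposed: (sender, id) is all the requester presents.
        The server cannot tell who asked, so it can only assume the message
        has now reached everyone on the recipient list."""
        key = (sender, msg_id)
        msg = self.outbox.get(key)
        if msg is None:
            return None
        self.delivered[key] = set(msg.recipients)
        return msg

    def pull_checked(self, sender: str, msg_id: str, recipient: str, token: str) -> Optional[Message]:
        """Hardened variant: requester must name a listed recipient and present
        the token that was sent to that recipient; only that recipient is marked."""
        key = (sender, msg_id)
        msg = self.outbox.get(key)
        if msg is None or recipient not in msg.recipients:
            return None
        expected = self.tokens.get(key + (recipient,), "")
        if not secrets.compare_digest(expected, token):
            return None
        self.delivered[key].add(recipient)
        return msg


def demo() -> Tuple[Set[str], Set[str], Optional[Message]]:
    """Run both variants against a two-recipient message (constructed)."""
    msg = Message("alice@example.org", "<m1@example.org>",
                  ("bob@example.net", "carol@example.com"), "Lunch?")
    key = (msg.sender, msg.msg_id)

    a = SendingServer()
    a.notify(msg)
    a.pull_naive(msg.sender, msg.msg_id)        # Bob's server pulls once
    naive_marked = set(a.delivered[key])        # Carol now looks delivered too

    a = SendingServer()
    bob = a.notify(msg)[0]
    a.pull_checked(bob["sender"], bob["id"], bob["to"], bob["token"])
    checked_marked = set(a.delivered[key])      # only Bob
    # Bob's server re-using its own token to fetch Carol's copy is refused.
    stolen = a.pull_checked(msg.sender, msg.msg_id, "carol@example.com", bob["token"])
    return naive_marked, checked_marked, stolen


if __name__ == "__main__":
    print(demo())
```

The token turns "I know the message id" into "I am the party this notice was sent to", which is the difference between an identifier and a credential. It does not answer the reply's other objection: the From domain need not have anything to do with server A, so looking up the sender's MX may reach a server that never handled the message at all.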

    5. Re:The first thing that needs to change by Anonymous Coward · · Score: 0

      > Gmail has tried to lead the way on some of these issues -- they were one of the first providers,
      > and I think the first really big/popular/well-known one, to make SSL non-optional for example

      Do they? I doubt it! I tried forcing TLS on connections and half my email contacts, newsletters and so on ceased to arrive!

  36. It's a knowledge test/filter by Anonymous Coward · · Score: 0

    Your post reveals some very basic misunderstandings about email transport. I would not allow you to run corporate mail services without some significant training first!

    I find that if someone sends me a pure text email, I can safely bet that they have a higher level of understanding of technology.

    Really, it's just that simple. I don't get HTML mail from people who are highly skilled and knowledgeable computer scientists, ever.

  37. Actually, you could hack those too by Solandri · · Score: 2

    I used to manage an email server and mailing list back in the 1990s. The MBOX format most text-based email programs used for storing mail uses two carriage returns and a "From " at the beginning of the next line as the delimiter for a new mail. That's it.

    Occasionally people would send an email to the list which randomly had two blank lines followed by "From " as the first word of the next line. If your (text-based) email client wasn't smart enough to look at subsequent lines to determine that the person had just randomly typed it in the body of the email rather than the actual start of a new email, it would display it as if it was a new email message.

    One day someone sent an email to the mailing list which deliberately abused this. The body was crafted so that the "From" in it and subsequent text was formatted like it was a real, separate email. And the people whose clients interpreted it as a new email got duped into thinking the mail list admin had banned them from the mailing list for inappropriate remarks. The perp was just playing a joke of course, but I shudder to think what modern spammers and phishers would do with that capability.

    1. Re:Actually, you could hack those too by Anonymous Coward · · Score: 0

      Well, the standards were quite clear about that: inline text had to use ">From" if a line started with "From".

      I don't think I've seen a mailer that didn't do that, but it's not hard to believe there were some.
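The "From " collision the post and the reply describe, as an added example that is not part of the thread: a naive mbox splitter of the kind the post describes, beside a writer that applies the ">From " quoting the reply mentions (in its reversible mboxrd variant). The sample mailbox, sender addresses and dates are constructed.

```python
import re

# Constructed sample (not from the thread): each entry is (sender, headers, body).
# Mallory's body contains a blank line followed by a line starting with "From ",
# which is exactly the collision the post describes.
MESSAGES = [
    ("alice@example.org", "Subject: hello\n", "first message\n"),
    ("mallory@example.org", "Subject: list rules\n",
     "see below\n\nFrom listadmin@example.org Mon Jan  1 11:01:00 1996\n"
     "Subject: You have been banned\n\nthis line is still Mallory's body\n"),
]

SEP_LIKE = re.compile(r"^>*From ")   # a body line a naive reader could take as a separator

def escape_body(body: str) -> str:
    """Writer-side fix from the reply: prefix '>' to any body line that begins
    with 'From ' (or an already quoted '>From '), so a bare 'From ' never appears
    at column 0 inside a body. This is the mboxrd convention; unlike plain
    mboxo it is reversible, because existing '>From ' lines gain one more '>'."""
    return "".join((">" + line) if SEP_LIKE.match(line) else line
                   for line in body.splitlines(keepends=True))

def unescape_body(body: str) -> str:
    """Reader-side inverse: remove exactly one '>' from lines matching '^>+From '."""
    return "".join(line[1:] if re.match(r"^>+From ", line) else line
                   for line in body.splitlines(keepends=True))

def build_mbox(messages, escape: bool) -> str:
    """Serialise mbox-style: 'From sender date' line, headers, blank line, body,
    blank line. With escape=False this is the careless writer from the post."""
    out = []
    for sender, headers, body in messages:
        if escape:
            body = escape_body(body)
        out.append(f"From {sender} Mon Jan  1 10:00:00 1996\n{headers}\n{body}\n")
    return "".join(out)

def split_mbox(mbox: str) -> list:
    """The naive reader from the post: 'From ' at column 0 right after a blank
    line starts a new message. Returns each message's body, unescaped."""
    msgs, prev_blank = [], True
    for line in mbox.splitlines(keepends=True):
        if line.startswith("From ") and prev_blank:
            msgs.append([])
        else:
            msgs[-1].append(line)
        prev_blank = (line == "\n")
    bodies = []
    for lines in msgs:
        text = "".join(lines)
        bodies.append(unescape_body(text.split("\n\n", 1)[1]))
    return bodies
```

Without escaping, the naive reader sees three messages and shows Mallory's fake "banned" notice as if the list admin had sent it; with the writer-side quoting it sees two and recovers the original body unchanged.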

  38. Global Texting. by Anonymous Coward · · Score: 0

    You all realize the same arguments you're using to justify text-only could be applied to the web and its attendant problems?

  39. Just say No! by Anonymous Coward · · Score: 0

    Lord love a duck! It shouldn't take a couple of professor types to tell you that HTML mail is unsafe and auto-loading images auto-verifies your e-mail address. I switched these options off more than 10 years ago, about the time these 'features' started to appear.

  40. case against unicode by DrYak · · Score: 1, Informative

    Though I personally agree with you (Unicode, especially UTF-8, is way too useful for users of languages that don't fit inside ASCII)...

    Why not Unicode?

    Google Zalgo

    Unicode is extremely complex, and although it's not a Turing-complete language, it can already be abused a lot to pretty much fuck up any layout.

    (e.g.: When Slashdot didn't block them in the subject line, it was possible to abuse "text direction" marker to actually put arbitrary text on the right side of the subject. I.e.: write a troll flamepost with a title that could add "(Score: 5, Insightful)" right on the place where the actual scoring would normally go)

    (e.g.: Zalgo text, where diacritics (extra accents on characters) and other such decoration are progressively used on text to make a completely unreadable mess of it)

    etc.

    Lots of potential abuse, so that's why /., which is primarily an English speaking site, will severely limit Unicode use (and English itself is a language that can be written using exclusively ASCII - e.g.: by ignoring the rare words where characters could be optionally accented).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:case against unicode by networkBoy · · Score: 1

      IDK about the Unicode issue, but my mail client defaults to text only email.
      When I get HTML formatted emails I have two options that I can set as default for untrusted senders:
      - render the incoming stream as text.
      - strip the HTML and attempt to render the text.
      I opted for the latter, and it does present me with outright blank emails when the email is not even HTML but actually JS based content delivery in your in-box... which allows them to change the email contents after you've read it.

      Trusted senders can be whitelisted to present as sent.

      The client has a hook exposed for a pre-processor of incoming emails...
      Maybe I can write a rendering engine to render to PDF...

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:case against unicode by Zero__Kelvin · · Score: 1

      There was no reason to use the "Turing Complete" qualifier. You could have just said it isn't a language.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  41. Postscript language. by DrYak · · Score: 1

    in this totally safe PDF?

    Yes, PostScript is a Turing-complete language
    (you can even write a ray tracer in it).

    BUT

    PostScript can only output to the document (or screen), and can't read input from the internet.

    Thus, as long as there isn't a critical bug in the displaying software...
    - (Adobe Acrobat Reader, I'm looking at you right now!),
    ...and as long as there isn't some asinine extra feature implemented...
    - (you can bet that someone at Microsoft on the Outlook team would dream of a document viewer that can automatically extract attachments embedded inside PDF files and execute them)
    ...there isn't an actual risk in opening random PDF files, except that some might take a few hours to render.

    (And others can generate 1000 pages' worth of output on the printer with only a few lines of code, if you're so stupid as to send raw PostScript to the printer without even looking at it).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  42. Re:Why no /. coverage of the Apple event? by PPH · · Score: 0

    Here you go. Live video.

    --
    Have gnu, will travel.
  43. Wrong conclusion: what's wrong w/markup? by lpq · · Score: 0

    The problems w/email are scripts and, potentially, links. Images? When was the last time you saw a bug in legacy image handling of GIFs, JPGs and PNGs? I've seen some new image formats that had bugs, but the old ones?

    But even putting images aside -- I don't recall any bugs involving text formatting & markup. There's a big difference between full blown browser supported HTML, and basic text formatting used even on this site!

    Are you reading this message? It's been formatted with HTML markup. When's the last time Slashdot has been a vector for a virus?

    Seems like the researchers are just plain stupid if they can't differentiate between text markup commands and automation. Even Slashdot allows links to articles -- are those supposed to be unsafe? What happens if I have the text "https://www.google.com/search?q=is+this+safe" in my text? Is that inherently unsafe?

    Maybe it's time for people to stop running around telling us the sky is falling?

    1. Re:Wrong conclusion: what's wrong w/markup? by Anonymous Coward · · Score: 0

      If the images are attachments, fine. The bug with images is that they're usually downloaded separately through a markup link, which lets the sender know when the message has been read (and perhaps other things).

      The markup could be safe, but only if it was extremely well defined and extremely limited in scope. It's the opposite of what the marketers want, so there's always the push to add features which cannot be made safe.

  44. coulda woulda shoulda by NicePics13 · · Score: 1

    Sylpheed is great as it doesn't render HTML.

  45. I set my email client to plain text by jonwil · · Score: 1

    I set my email client to plain text. 99% of emails I get are in plain text or are not worth reading (e.g. SPAM and junk). For the 1% of emails I get that aren't in plain text, are actually important and don't have a "go here to read this" link, I turn on HTML, read the email, do what I need to with it and then turn HTML off again. (About the only time I have needed to do that recently is for vouchers from a fast food chain I visit regularly.)

  46. My email client is more secure than text-only! by Anonymous Coward · · Score: 0

    My email client does not include or invoke a display routine, so even the exploits relating to text rendering are of no use against me. Instead, whenever it receives an e-mail, my email client selects a random chunk of addressable memory and overwrites the memory at that location with the contents of the inbound e-mail. Then, whenever my system crashes, I know I have mail, and it's probably important. If I decide to read my emails, I review my system core dumps. If nothing intelligible is logged there, it probably wasn't important anyway.

    Clearly, there is no need for a well-defined interpreted-mode sandbox with a restricted interface to isolate the data and executable that handles the data (which may optionally include support scripting if all resources are packaged with the data), so that only a frame-buffer and keystrokes need to be considered!

  47. SMTP requires 7-bit ASCII by Anonymous Coward · · Score: 0

    SMTP requires 7-bit ASCII. This is THE standard.
    MIME is also part of the standard, but 7-bit ASCII is REQUIRED to be included as well.

    Any email server that doesn't include the 7-bit ASCII is flawed, out of spec. Have them fix it.

    I kept getting blank emails from a support organization (outsourced). I told them it wasn't working, knowing it was because their email servers didn't follow the spec.

    Ended up speaking to an Exchange admin there - showed him the RFC - he fixed his group of 100+ Exchange servers at the next maintenance window and all their emails had information again.

  48. Forte Agent is my poison by Trax3001BBS · · Score: 1

    I POP3 my Email and Agent won't display HTML pages. I've used Agent since Win95 on, installing it once to D:\ and pulling shortcuts to it on every new install.

    I'm starting to get a lot of Base64 but a webpage and nothing I'd open anyhow, most have a text only entry tacked on to the end just in case.

  49. UNTRUE... apk by Anonymous Coward · · Score: 0

    http://nakedsecurity.sophos.com/2012/05/09/what-the-rtf-mac-and-windows-users-at-risk-from-boobytrapped-documents/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=1920f4ec20-naked%252Bsecurity

    http://www.dshield.org/forums/diary/Getting+the+EXE+out+of+the+RTF/6703

    http://www.avertlabs.com/research/blog/index.php/2007/05/25/rich-text-malware/

    http://nakedsecurity.sophos.com/2014/03/25/microsoft-issues-patch-for-word-zero-day-booby-trapped-rtf-files-already-used-in-attacks/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=545ff7263f-naked%252Bsecurity&utm_term=0_31623bb782-545ff7263f-418465757

    APK

    P.S.=> Want more? Ask - the apps using RTF format can have issues w/ it too... apk

    1. Re:UNTRUE... apk by OrangeTide · · Score: 1

      I normally don't reply to ACs claiming to be "APK" but I wouldn't want this much misinformation to go unanswered.

      First link is addressed in my statement "The only time people run into issues is when a Microsoft Word document (.doc or .docx) is renamed to .rtf and loaded erroneously."

      The second link is an OLE exploit and not supported by the RTF version I linked and referred to by the statement "The Rich Text Format from back in the 20th century ..."

      Third link is a mispaste and doesn't work.

      The fourth link refers to an interesting RCE, but I was not able to dig up the mechanism in the few minutes I spent writing this response. Maybe it's a valid reason not to use RTF, maybe it's just a bug in MS Office and associated DLLs and COM components.

      Plain-text is not a panacea either, as we all are well aware of Unicode/UTF-8 bugs in several chat and email programs that allow stack smashing and shellcode. Granted those problems are theoretically easier to fix than an HTML5 email client's bugs.

      --
      “Common sense is not so common.” — Voltaire
  50. It used to be a joke on newbies... by whitroth · · Score: 1

    "You can get a computer virus by reading an email!" (And you should see your doctor to get a vaccination for that....)

    Then, and thank you SO FUCKING MUCH, Bill the Gates, he made it possible.

    I read and send all my email in plain text, unless a) whoever sent it didn't know what they were doing, and made it impossible to read that way, and b) I know *exactly* who sent it. Not under any other circumstance. And it's *email*. I want to know what you have to say to me, and I don't care what it looks like.

    To paraphrase Sam Goldwyn, if you've got a video, send it to YouTube.

    Oddly enough, I've never gotten malware'd.

  51. This, Just When Slashdot Changes The Daily Post by tmjva · · Score: 1

    Just the same day Slashdot changed the daily headlines again, (behind my back, without asking).

    I now have to click the link ONE MORE TIME that says "Want to receive this in text?"

    --
    Tracy Johnson
    Old fashioned text games hosted below:
    http://empire.openmpe.com/
    BT
    1. Re:This, Just When Slashdot Changes The Daily Post by tmjva · · Score: 1

      Belay that, clicking the link doesn't show anything about text vs. non-text. All that link does is attempt to force you to tell Slashdot your Job Title, Industry, Company Size, Country and State. Then you have to check another box saying you agree to all this. Been here 17 years or so, it's not shown under my user account, I wonder where else it goes?

      --
      Tracy Johnson
      Old fashioned text games hosted below:
      http://empire.openmpe.com/
      BT
  52. Text-only by DrYak · · Score: 1

    Thunderbird has similar options:

    - prefer plain text when available
    - strip "advanced" formatting (i.e.: remote bullshit and scripted crap) unless I whitelist the correspondent.

    The totally blank e-mail still happens (because, e.g., the e-mail is entirely a remotely hosted picture, like a flyer).
    But these e-mails never come from my usual correspondents anyway. (*)
    I don't even need to white-list them.

    Nearly always they are some spam or other form of unsolicited mailing.
    So I don't bother even paying attention.

    If you're not even putting enough effort in to make your mail decently readable,
    I won't be paying any attention to you.

    If that was some "important bill" and you subsequently try to sue me for not paying:
    - you're a shitty company I won't do any business with anymore, and won't even blink about it, there are tons of decent companies with whom to do business.
    - be prepared to have your practice contested through a consumer organisation. Welcome to Europe mother fucker.

    ----

    (*) even the HTML rich-editors used by my clueless friends:
    - can output an alternative plain text form
    - are simple enough that they can be displayed in "safe mode".

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
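The plain-text-first, remote-content-refused behaviour described in this post and in the earlier comments about blank flyer mails and image links that report when a message is read, as an added example (not code from the thread or from any mail client): pick the text/plain alternative when there is one, otherwise strip the HTML down to its text and report the remote images instead of fetching them. The message contents and the tracker URL are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

TRACKER = "https://track.example.com/open?id=123"   # constructed, not a real tracker

def make_sample(kind: str) -> bytes:
    """Constructed messages (not from the thread). 'alt' carries a text/plain
    alternative, 'html' is HTML only, 'image_only' is the remotely hosted
    flyer that renders as a blank mail once remote content is refused."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "news@example.com", "me@example.org", "Flyer"
    body = ('<p>Sale <b>now</b> on. <a href="https://example.com/offer">Offer</a></p>'
            f'<img src="{TRACKER}" width="1" height="1">')
    if kind == "alt":
        msg.set_content("Sale now on. Offer: https://example.com/offer")
        msg.add_alternative(f"<html><body>{body}</body></html>", subtype="html")
    elif kind == "html":
        msg.set_content(f"<html><body>{body}</body></html>", subtype="html")
    else:
        msg.set_content(f'<html><body><img src="{TRACKER}"></body></html>', subtype="html")
    return msg.as_bytes()

class TextExtractor(HTMLParser):
    """Keeps only the character data of an HTML part and records every
    remote image it would have fetched; nothing is rendered or followed."""
    def __init__(self):
        super().__init__()
        self.text, self.remote = [], []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src", "")
        if tag == "img" and src.startswith(("http://", "https://")):
            self.remote.append(src)
    def handle_data(self, data):
        self.text.append(data)

def render_safe(raw: bytes):
    """Return (text, remote_images, source). Prefer the text/plain part; if only
    HTML exists, reduce it to text and report remote images rather than loading
    them, so opening the message tells the sender nothing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return plain.get_content().strip(), [], "text/plain"
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return "", [], "none"
    p = TextExtractor()
    p.feed(html.get_content())
    return "".join(p.text).strip(), p.remote, "text/html (stripped)"
```

The image-only case comes back as empty text plus one recorded remote image, which is the "outright blank email" the earlier comment describes; a client can show that list instead of a blank pane.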
  53. unicode formatting by DrYak · · Score: 1

    > There was no reason to use the "Turing Complete" qualifier. You could have just said it isn't a language.

    Modern Unicode is becoming so insanely complex that it actually starts to border on a formatting language (like HTML and other markup languages).
    Just not a Turing-complete one (i.e.: if you squint at it, it's closer to becoming HTML soon. Not Javascript).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:unicode formatting by Zero__Kelvin · · Score: 1

      That is a ridiculous claim. Unicode is an encoding scheme. It is no more of a language than the alphabet is a language, to wit, not in any way.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  54. utf-8 vs unicode by DrYak · · Score: 1

    > Unicode is an encoding scheme.

    Not quite exactly.

    UTF-8 is an encoding scheme. As in "how should I represent Unicode codepoints in a bitstream"
    (in UTF-8's case: ASCII is coded as is, codepoints > 128 are encoded with sequences of multiple bytes with their high bit on).
    (Windows's UCS-2 is a different one; in that case it's: write everything as 16-bit integers, and fuck everything above codepoint 65535/0xFFFF)

    Unicode is a unified collection of codepoints.
    - some codepoints represent glyphs on the screen (more or less letters and similar symbols)
    - some codepoints represent emojis (color icons)
    then there are other codepoints that represent instructions about how to draw the above two:
    - there are instructions to change the colors of emojis (there's a special "skin color" code to use natural-looking skin color on smileys instead of the cartoonish yellow)
    - there are instructions about which direction the text should flow
    - there are instructions about how to combine other glyphs together...
    - a pair of code points (FFFE and FEFF - BOM "Byte Order Mark") control the encoding itself and how you should decode the subsequent bit stream.

    I was referring to these last categories of codepoints when I was saying that if you squint at it in a certain way, it starts to look like some sort of formatting language.

    By using these categories, you can really screw up and destroy the layout of an HTML page.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
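The direction-marker and Zalgo abuse DrYak describes here and in the "case against unicode" comment above, as an added example that is not from the thread: an inspector that flags bidi controls and stacked combining marks in a subject line, and a sanitizer that drops them the way a site restricting Unicode in subjects would. The samples are constructed and the two-mark cap is an assumed policy.

```python
import unicodedata

# Bidi controls: the explicit embedding/override/isolate marks and the
# directional marks that can relocate or reverse a run of displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200e", "\u200f", "\u061c",                       # LRM, RLM, ALM
}
ZWNBSP = "\ufeff"        # the BOM code point the post mentions; meaningless mid-string
MAX_COMBINING = 2        # assumed policy: at most two marks stacked on one base character

def inspect_text(s: str) -> dict:
    """Report what a reviewer would want flagged before displaying s."""
    longest = run = 0
    for ch in s:
        run = run + 1 if unicodedata.combining(ch) else 0
        longest = max(longest, run)
    return {"bidi_controls": sum(ch in BIDI_CONTROLS for ch in s),
            "boms": s.count(ZWNBSP),
            "max_combining_run": longest}

def sanitize(s: str, max_combining: int = MAX_COMBINING) -> str:
    """Drop bidi controls and stray BOMs, and cap stacked combining marks.
    NFC first, so ordinary accented letters become single code points and are
    never mistaken for a Zalgo stack. Right-to-left scripts themselves pass
    through untouched: the bidi algorithm orders them without any controls."""
    out, run = [], 0
    for ch in unicodedata.normalize("NFC", s):
        if ch in BIDI_CONTROLS or ch == ZWNBSP:
            continue
        if unicodedata.combining(ch):
            run += 1
            if run > max_combining:
                continue
        else:
            run = 0
        out.append(ch)
    return "".join(out)

# Constructed samples: the fake-score subject trick from the post (RLO followed
# by reversed text), a Zalgo word, and a legitimately accented word typed in
# decomposed form.
FAKE_SCORE = "Harmless title \u202e)lufthgisnI ,5 :erocS("
ZALGO = "Z\u0334\u0335\u0336\u0337\u0338a\u0334\u0335\u0336\u0337lgo"
DECOMPOSED = "re\u0301sume\u0301"
```

After sanitizing, the fake score is left as the reversed gibberish the poster actually typed rather than rendering as "(Score: 5, Insightful)" at the right edge, while the accented word survives intact.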
  55. I bounced all HTML email by PJ6 · · Score: 1

    at my first IT job and it was nearly 100% effective against spam.

    This was at a time when everyone was getting 20-30 spam messages a day.

    I can't for the life of me understand why this isn't done more - there is no compelling business reason to allow HTML email.