Slashdot Mirror


The Only Safe Email is Text-Only Email (theconversation.com)

Sergey Bratus, Research Associate Professor of Computer Science, Dartmouth College, and Anna Shubina, Post-doctoral Associate in Computer Science, Dartmouth College write: The real issue is that today's web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It's not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way. Simply put, safe email is plain-text email -- showing only the plain words of the message exactly as they arrived, without embedded links or images. Webmail is convenient for advertisers (and lets you write good-looking emails with images and nice fonts), but carries with it unnecessary -- and serious -- danger, because a webpage (or an email) can easily show one thing but do another. Returning email to its origins in plain text may seem radical, but it provides radically better security. Even the federal government's top cybersecurity experts have come to the startling, but important, conclusion that any person, organization or government serious about web security should return to plain-text email (PDF).
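The "show one thing but do another" problem in the summary, as an added example that is not from the article or its authors: a renderer that shows a text/plain part exactly as it arrived and otherwise reduces HTML to text with every link's real target printed next to its label. `render_plain`, `TextOnly`, the label-versus-target heuristic and the sample message are all constructed for illustration.

```python
# Added example; helper names and SAMPLE are constructed, not from the article.
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host(s):
    try:
        return urlsplit(s if "://" in s else "//" + s).hostname
    except ValueError:
        return None

class TextOnly(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.warnings, self.skip = [], [], 0
        self.href, self.label = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self.skip += 1                      # active content is never shown
        elif tag == "a" and a.get("href"):
            self.href, self.label = a["href"], []
        elif tag == "img" and (a.get("src") or "").startswith(("http:", "https:")):
            self.warnings.append("remote image not fetched: " + a["src"])
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag == "a" and self.href is not None:
            label = "".join(self.label).strip()
            self.out.append(f"{label} <{self.href}>")   # reveal the destination
            if "." in label and " " not in label and host(label) != host(self.href):
                self.warnings.append(f"label shows {host(label)} but link goes to {host(self.href)}")
            self.href = None
    def handle_data(self, data):
        if not self.skip:
            (self.label if self.href is not None else self.out).append(data)

def render_plain(raw):
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:                        # plain text: shown as it arrived
        return part.get_content(), []
    html = msg.get_body(preferencelist=("html",))
    p = TextOnly(); p.feed(html.get_content() if html else ""); p.close()
    return " ".join("".join(p.out).split()), p.warnings

SAMPLE = ('Subject: Invoice\nMIME-Version: 1.0\nContent-Type: text/html; charset="utf-8"\n\n'
          '<p>Pay at <a href="http://login.example.net/pay">www.example.com/invoice</a>.</p>'
          '<img src="http://tracker.example.net/open.gif"><script>document.title="x"</script>\n')
```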

8 of 174 comments

  1. Well...duh... by evolutionary · · Score: 4, Insightful

    We all know that embedded codes for dynamic engines in your OS or even the program reading the messages is just an invitation for trouble.

    Microsoft led the way with VB.Script in Outlook. ("I luv you" too...), then as marketing people wanted to decorate with fancy email signatures we started embedding HTML/Javascript, leading to clever tracking on web servers and javascript routines. The worst part is the default for email clients and web clients is all HTML/Javascript.

    We need the default on all email stuff to be text only for our own protection as well as the general health of cyberspace.

    --
    "Imagination is more important than knowledge" - Einstein
  2. Oh the irony by Apotekaren · · Score: 5, Insightful

    So we should go back to Text-Only email for security reasons, and more information can be found in this totally safe PDF?

    --
    She: Hey, are you a traitor? Me: No, I'm atheist.
    1. Re:Oh the irony by nine-times · · Score: 3, Insightful

      It seems to me that these things, in that we could really use a display format that can't actively do anything. For example, it should be possible to develop a safe subset of HTML that allows some basic formatting, but doesn't provide features that can create security holes. Similarly with PDF, we should be able to create a safe PDF format, and then set PDF viewers to only allow that form of PDF.

      But no, that's not good enough. We need PDFs that can run Javascript and embed movies. For some reason.
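One way the "safe subset of HTML" idea in the comment above could look, as an added example that is not the commenter's code: the output is rebuilt from scratch out of an allowlist of formatting tags, no attribute is ever copied, and all text is re-escaped. The tag list, names and sample input are assumptions made for illustration.

```python
# Added example: a formatting-only HTML subset. Tag list and names are assumptions.
from html import escape
from html.parser import HTMLParser

ALLOWED = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote", "pre"}
VOID = {"br"}
DROPPED_WITH_CONTENT = {"script", "style"}

class SafeSubset(HTMLParser):
    """Rebuilds the message instead of trying to delete the dangerous parts."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.drop = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.drop += 1
        elif tag in ALLOWED and not self.drop:
            self.out.append(f"<{tag}>")         # attributes are never copied
            if tag not in VOID:
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.drop = max(0, self.drop - 1)
        elif tag in self.open:
            while True:                         # also closes tags left open inside
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop:
            self.out.append(escape(data))       # text can never become markup

def to_safe_subset(html):
    parser = SafeSubset()
    parser.feed(html)
    parser.close()
    while parser.open:                          # balance whatever is still open
        parser.out.append(f"</{parser.open.pop()}>")
    return "".join(parser.out)

# Constructed input: event handler, link, remote image and script all disappear.
SAMPLE = ('<p onclick="x()">Hi <b>there <a href="http://example.net/">link</a>'
          '<img src="http://example.net/t.gif"><script>document.title="x"</script>'
          ' 1 &lt; 2</p>')
```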

  3. Disable embedded images? by ilsaloving · · Score: 4, Insightful

    I've always configured all my email clients to not autodownload linked images unless I specifically want them. This blocks trackers and such, but if people start embedding javascript in email, then that doesn't help much.

  4. Then why is it so unpopular? by Voyager529 · · Score: 4, Insightful

    The folks at Dartmouth may well be correct in that plaintext e-mail is safest. However, does that really make it the best solution anymore?

    Look, I've got "that secretary" who uses borderline-illegible script fonts on stationery and ConstantContact blasts annoy me, as well. HTML mail does indeed have its downside and I don't disagree that it opens up at least some amount of security holes.

    At the same time, plaintext e-mail has its faults, too. The color separation makes it clear when you've cleared the 'new message' in the thread, as does the stylized header. Inline image embedding is abused by marketers, but it makes it far easier to send tutorials or support requests via screenshot sequences. Yes, clickable links are a security risk, but that's how password reset e-mails work now. Do you really expect users to copy the complete URL into the address bar without an issue? If there's a line break in there, you're really screwed.

    All of that hasn't even begun to address attachments, because technically it is possible for mail attachments to count as both a part of plaintext e-mails and not. Attachments are a mess, but we've stopped allowing people to e-mail executable files, for the most part. The attachment file types themselves, however, are a mess. Outlook cries wolf at *every* attachment, which makes it "the dialog box to ignore" - itself a UI problem of its own faults. The fact that the last few ransomware attacks I took care of were sourced from a malicious ActiveX payload on a Word document is only as stupid as the fact that there is still a whole lot of software that depends on ActiveX and Macros to function. If Microsoft is too easy a target, then Adobe has some splanin' to do when it comes to the fact that javascript can be embedded into a PDF. I've only seen it ever legitimately used for calculations and validations; is it really that hard to have a dedicated software function for that? The list of such issues is quite extensive, but I think my case on this point is made.

    Ultimately, the fact that HTML mail is as ubiquitous as it is has to do with the fact that e-mail as it was originally designed (plaintext, 80x25) is no longer meeting the needs of most people who use it. However, its extensibility is amongst the reasons why e-mail is still as heavily used as it is, long after its contemporaries (IRC, Usenet, others) have faded into niche roles while e-mail is still mainstream.

    Meanwhile, most free e-mail providers are pretty good at filtering malicious e-mails, spam filters for on-prem mail filters have reached a pretty good level of maturity, so there are plenty of safeguards in place that have brought the danger down significantly, to the point where e-mail is one piece of the vector rather than the vector itself, and has been for some time.

    I pose this question to the Slashdotters who agree with the Dartmouth researchers: Whenever sweeping legislation or military action comes up around here, a post based on Ben Franklin's thoughts regarding trading liberty for security are almost invariably stated, and frequently modded up to a +4 or +5. Now that the "liberty for security" question is on the other foot, when we're discussing trading liberty (more useful e-mail) for security, why does the mindset seem to be flipped? I'm not saying free-for-all e-mail with no spam filters or blacklists are ideal, but I am saying that for all of the ways that e-mail gets abused, it's gotten to the point where it is all but guaranteed to prompt the user before causing trouble, if it gets through the IP blacklists, keyword blacklists, attachment filters, virus scanners, default mail client settings, attachment warnings, application warnings, and UAC prompts...I doubt plaintext would have solved the issue in itself. To champion a function regression in the name of 'security' sounds like the kind of mindset which, according to Franklin, deserves neither liberty nor security.

    1. Re:Then why is it so unpopular? by Obfuscant · · Score: 4, Insightful

      > At the same time, plaintext e-mail has its faults, too. The color separation makes it clear when you've cleared the 'new message' in the thread, as does the stylized header.

      You have no clue what you're saying here. The "new message" flag is a function of the gui or text client, not the email itself. Alpine shows an "N" next to new messages, and that's pretty clear. Evolution uses bold to show new messages, in the message list.

      > Inline image embedding is abused by marketers, but it makes it far easier to send tutorials or support requests via screenshot sequences.

      Images do not have to be inline to be useful.

      > Yes, clickable links are a security risk, but that's how password reset e-mails work now.

      "Because some idiots who don't know good programming and security practices do it this way, it must be good."

      News flash: there are mail systems that actually connect to anything in a message that looks like a URL as a way of testing for malmail. I sent someone an email with a link to a website I run and almost instantly I saw "them" access that link in the logs. Not them, the mail server that was scanning their incoming email. Any "one time reset" link sent to that user is not going to work, ever, because the server will have exhausted the "one time" access.

      > Do you really expect users to copy the complete URL into the address bar without an issue? If there's a line break in there, you're really screwed.

      Yes, and of course not. I do it all the time. "Line breaks" in the URL are not a problem. Firefox handles them just fine.

      > All of that hasn't even begun to address attachments, because technically it is possible for mail attachments to count as both a part of plaintext e-mails and not.

      If you don't know what you are talking about, please don't comment on technical things. Attachments are attachments. They are not part of the plain-text body.

      > The attachment file types themselves, however, are a mess. Outlook cries wolf at *every* attachment,

      Say no more, I now understand why you think the way you do. Outlook is a piece of shit created by Microsoft that goes out of its way to avoid the existing standards for email, and is the source of the abomination known as "winmail.dat". If you think Outlook is some baseline to which good email practices should be compared, then you are ... well, enough said. The rest of your rant is thus made moot.
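The scanner behaviour described in the comment above, as an added example that is not the commenter's code: a one-time reset token that is spent by the first GET is burned when a mail server fetches the link, while a design that spends it only on the form's POST survives the prefetch. `ResetLinks` and `simulate` are a hypothetical in-memory model, not any real framework's API.

```python
# Added example: ResetLinks is a hypothetical in-memory model, not a real API.
import hashlib
import secrets
import time

class ResetLinks:
    def __init__(self, ttl=900, spend_on_get=False):
        self.ttl, self.spend_on_get = ttl, spend_on_get
        self._pending = {}                     # sha256(token) -> (user, expiry)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (user, time.time() + self.ttl)
        return token                           # goes into the e-mailed link

    def _user_for(self, token):
        user, expiry = self._pending.get(self._key(token), (None, 0))
        return user if time.time() < expiry else None

    def get(self, token):
        """GET: what a browser or a mail scanner does when it follows the link."""
        user = self._user_for(token)
        if user and self.spend_on_get:         # the design that breaks under scanning
            del self._pending[self._key(token)]
        return "form" if user else "invalid"

    def post(self, token):
        """POST: only sent when a person submits the new-password form."""
        user = self._user_for(token)
        self._pending.pop(self._key(token), None)   # spent here, exactly once
        return user

def simulate(spend_on_get):
    """Scanner prefetches the link, then the real user opens it and submits."""
    links = ResetLinks(spend_on_get=spend_on_get)
    token = links.issue("alice")
    scanner = links.get(token)                 # mail server checks the URL
    user_view = links.get(token)               # user clicks later
    changed_for = links.post(token) if user_view == "form" else None
    replay = links.post(token)                 # a second submit must fail
    return scanner, user_view, changed_for, replay
```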

  5. Thunderbird, viewing in Plain Text ... by fahrbot-bot · · Score: 3, Insightful

    I use Thunderbird and POP3, view my messages in Plain Text, have Javascript and all plugins disabled -- for those cases where I have to view the message body as HTML because (for some reason) nothing (or not everything) displays in Plain Text mode (which annoys me to no end, anyone have a workaround?).

    I'm confident that I'm not missing out on anything by viewing in Plain Text, 'cause it's freaking email, not art.

    --
    It must have been something you assimilated. . . .
  6. Re:Why no /. coverage of the Apple event? by mspohr · · Score: 2, Insightful

    Only fanbois care about this

    --
    I don't read your sig. Why are you reading mine?