The Only Safe Email Is Text-Only Email

Megalith

Researchers are saying that only plain-text email is safe and we should all revert to it: while webmail is convenient for advertisers (and lets you write good-looking emails with images and nice fonts), it carries with it unnecessary and serious danger, as a webpage (or email) can easily show one thing but do another. Returning email to its origins in plain text may seem radical, but it provides radically better security.

“Organizations should ensure that they have disabled HTML from being used in emails, as well as disabling links. Everything should be forced to plain text. This will reduce the likelihood of potentially dangerous scripts or links being sent in the body of the email, and also will reduce the likelihood of a user just clicking something without thinking about it. With plain text, the user would have to go through the process of either typing in the link or copying and pasting. This additional step will allow the user an extra opportunity for thought and analysis before clicking on the link.”
 
They could develop a hybrid standard option that could be rolled out to the email client only. Call it Rich Text Email or something.

Disable JavaScript
Disable Images
Disable Hyperlinking aliases (e.g. a hyperlink reverts to the link address)


That way you could still receive HTML-based text markup, without the danger of hidden scripts and disguised links. People like their rich text - the alternative would be developing a new markup standard for emails which would require both the sender and receiver have the protocol in their client.

Added bonus, no large spam image emails and they can't track whether you read it by implanting an image (serialized unique image per email, if it gets loaded from the server, you know that the email was read with images on).
 
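The "rich text email" filter proposed in the post above (no scripts, no images, links shown as their real address) can be sketched as follows. This is an added example, not part of the thread or of any mail client; `MailSanitizer`, `sanitize`, the allowed-tag list and the sample message are all assumptions made for illustration.

```python
# Added example: hypothetical names, constructed sample input.
from html import escape
from html.parser import HTMLParser

ALLOWED = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li"}
DROP_WITH_CONTENT = {"script", "style"}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.skip = 0        # depth inside <script>/<style>
        self.hrefs = []      # hrefs of currently open <a> tags
        self.removed = []    # tags that were stripped, for logging

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            self.removed.append(tag)
        elif self.skip:
            return
        elif tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")
        elif tag in ALLOWED:
            self.out.append(f"<{tag}>")   # attributes (onclick, style) are never copied
        else:
            self.removed.append(tag)      # img, iframe, form, ... are dropped

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif self.skip:
            return
        elif tag == "a" and self.hrefs:
            # The link is not clickable; its real target is shown as inert text.
            self.out.append(f" [{escape(self.hrefs.pop())}]")
        elif tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed message: link label differs from its target, plus a script and a remote image.
SAMPLE = ('<p onclick="x()">Reset at <a href="http://evil.example/login">https://bank.example</a></p>'
          '<script>track()</script><img src="http://t.example/p.gif?id=42">')
```

The `removed` list can be logged to measure how often inbound mail carries scripts or remote images.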
I've been saying this for many years. We have infected the entire internet with feature creep. We must have primary forms of communication that are inherently safe and simple with no real fear of malicious code.

Email needs to be one of those. It needs to be text communication. It needs to get where it is going. It needs to be safe every time. It needs to be usable without any complication or fear for an 8 year old or an 80 year old.

Next we need to start getting control over what web pages and ads should be allowed to do inside a web browser.
 
You need separate devices for fun and play, or virtual devices within devices, but separate devices is more secure overall. Don't do serious shit on your play devices.
 
This seems to ignore the whole reason why rich text and being able to link in an email is necessary in the workplace. While I agree with it in principle, the purpose is the efficiency of sharing information. A bulleted list with asterisks is not nearly as legible as an actual bulleted list. And if you've ever worked at a company that uses SharePoint for document storage, reading through an email with multiple links as text makes you want to gouge your eyes out.

This isn't a solution. This is what you do when a solution doesn't exist.
 
The web should be text only as well. No one needs video, images, sound, etc. Think how fast web pages would load.
 
Yep, people always wondered why my emails looked so plain. Because it's not full of that stupid html! Email is purely to get a simple point across. Any more than that and you probably should be using something else. Plus I don't know how many hours I've wasted trying to get a fancy html email signature to work right across all devices just to appease some creative/marketer schmuck at the company.
 
I'm kind of doing this already. I use the "Ask before displaying external images" option in Gmail and it's great for security and load times. If I need to load images like some vendors put text images I have the option to.
 
I hate when some companies put all the important text in an image instead of just the text. I have my email at work set to not display images and on several from the equipment vendors show up with practically no information showing up until I load the image.

And then there are the admin people at work who just love to use some crazy fonts that you can hardly read or colors that are so light that it blends into the white background. One of the reasons I like this site, the black background is so much easier on the eyes, especially if you are in a dark room.
 
> This seems to ignore the whole reason why rich text and being able to link in an email is necessary in the workplace. While I agree with it in principle, the purpose is the efficiency of sharing information. A bulleted list with asterisks is not nearly as legible as an actual bulleted list. And if you've ever worked at a company that uses SharePoint for document storage, reading through an email with multiple links as text makes you want to gouge your eyes out.
>
> This isn't a solution. This is what you do when a solution doesn't exist.


Flip that script bro.

What it is, is more secure. An insecure solution is called a vulnerability.

I get what you are saying but the Army does this and when I get emails with links it looks like ass usually, because the initial email was laid out all pretty with colors and images and links, so when the Army strips all that out then it leaves you with this horrible mess of crappy hard to decipher text. But that isn't what it looks like when a person just types an email with a targeted purpose and pastes a link or two in it. Neatly separated, it's much easier to deal with and it's ....... drum roll please ...... more secure.

And if you want to send pretty and bullets with nice formatting, send it as an attached file and don't embed that shit in the email itself.
 
> Flip that script bro.
>
> What it is, is more secure. An insecure solution is called a vulnerability.
>
> I get what you are saying but the Army does this and when I get emails with links it looks like ass usually, because the initial email was laid out all pretty with colors and images and links, so when the Army strips all that out then it leaves you with this horrible mess of crappy hard to decipher text. But that isn't what it looks like when a person just types an email with a targeted purpose and pastes a link or two in it. Neatly separated, it's much easier to deal with and it's ....... drum roll please ...... more secure.
>
> And if you want to send pretty and bullets with nice formatting, send it as an attached file and don't embed that shit in the email itself.

Point taken. If we were all in the military, this would be a pretty simple conversation; perhaps infuriating, but predictable. As it is, we are not, and this is anything but a simple conversation.

Pure security is isolation. Pure functionality is completely connected. The solution to this problem has to be some agile point in between, like an AI with the sole purpose of its existence being to emulate your worst user.

Attachments, by the way, are a big vulnerability, so if we are talking security, those have to go too. :D
 
It would help stop people like Karen from accounting sending out emails with asinine fonts and backgrounds.

Haunted-Halloween-Email-Stationery-Outlook.jpg

send.jpg

Ya hear that Karen?! NO ONE LIKES YOUR DAMN BACKGROUNDS!
 
> Point taken. If we were all in the military, this would be a pretty simple conversation; perhaps infuriating, but predictable. As it is, we are not, and this is anything but a simple conversation.
>
> Pure security is isolation. Pure functionality is completely connected. The solution to this problem has to be some agile point in between, like an AI with the sole purpose of its existence being to emulate your worst user.
>
> Attachments, by the way, are a big vulnerability, so if we are talking security, those have to go too. :D


Attachments are not a vulnerability, hence the reason the Army allows attachments. But they do control the file types, no executable, no image files, etc. But you can send Word docs and Excel spreadsheets to your heart's content.

Before you go knocking the world's largest Enterprise you should consider that it is an Enterprise so large that Microsoft told the Army it couldn't be done, and of course the Army did make it work. Of course it suffers issues, but it works.
 
In the end, you have to secure for the lowest common denominator. IT Sec is too fast paced for anyone not in the industry to really keep up, and while basic, common sense habits can do a lot to reduce risk, common sense is sadly uncommon when end users are faced with technology. I have been pushing an initiative for years now to go to plain text email for in-house communications. Sadly, my desire for security is overridden by a few mid-level executives who prefer fancy colors and logos to security. But guess who catches hell when those same execs compromise our network?
 
> Attachments are not a vulnerability, hence the reason the Army allows attachments. But they do control the file types, no executable, no image files, etc. But you can send Word docs and Excel spreadsheets to your heart's content.
>
> Before you go knocking the world's largest Enterprise you should consider that it is an Enterprise so large that Microsoft told the Army it couldn't be done, and of course the Army did make it work. Of course it suffers issues, but it works.

I wasn't knocking it, nothing but respect. I was in the red-headed step-child service for 8 years, so I've seen first hand what discipline can do in volume. Just commenting that expecting discipline anywhere else will often leave you disappointed.
 
> This seems to ignore the whole reason why rich text and being able to link in an email is necessary in the workplace. While I agree with it in principle, the purpose is the efficiency of sharing information. A bulleted list with asterisks is not nearly as legible as an actual bulleted list. And if you've ever worked at a company that uses SharePoint for document storage, reading through an email with multiple links as text makes you want to gouge your eyes out.
>
> This isn't a solution. This is what you do when a solution doesn't exist.

Not to be that guy but there is a Unicode character for a bullet. I totally agree with links and SharePoint. There would have to be a way to address that (for anything SharePoint like). 2 jobs ago I worked at a place that auto fired you if you sent an email with an attachment. Was amazed at the actual efficiency gains the forced change in workflow created.
 
> I wasn't knocking it, nothing but respect. I was in the red-headed step-child service for 8 years, so I've seen first hand what discipline can do in volume. Just commenting that expecting discipline anywhere else will often leave you disappointed.


I didn't realize I was coming off as defensive, it wasn't intentional. Discipline is easy when it's managed by Group Policy :D
 