The Only Safe Email Is Text-Only Email

Discussion in '[H]ard|OCP Front Page News' started by Megalith, Sep 12, 2017.

  1. Megalith

    Researchers are saying that only plain-text email is safe and we should all revert to it: while webmail is convenient for advertisers (and lets you write good-looking emails with images and nice fonts), it carries with it unnecessary and serious danger, as a webpage (or email) can easily show one thing but do another. Returning email to its origins in plain text may seem radical, but it provides radically better security.

    “Organizations should ensure that they have disabled HTML from being used in emails, as well as disabling links. Everything should be forced to plain text. This will reduce the likelihood of potentially dangerous scripts or links being sent in the body of the email, and also will reduce the likelihood of a user just clicking something without thinking about it. With plain text, the user would have to go through the process of either typing in the link or copying and pasting. This additional step will allow the user an extra opportunity for thought and analysis before clicking on the link.”
     
  2. dgingeri

    Agreed. All the extra complexity is unnecessary, and introduces error.
     
  3. Wolf_Tech

    Been using plain text emails since I got on the internet in 1995. People hated me for it for a long time. Thought I was not up to date with the times. Now they love my plain text emails. lol.
     
    Flatline, PaulP, metadata and 2 others like this.
  4. Spidey329

    They could develop a hybrid standard option that could be rolled out to the email client only. Call it Rich Text Email or something.

    Disable JavaScript
    Disable Images
    Disable Hyperlinking aliases (e.g. a hyperlink reverts to the link address)


    That way you could still receive HTML-based text markup, without the danger of hidden scripts and disguised links. People like their rich text - the alternative would be developing a new markup standard for emails which would require both the sender and receiver have the protocol in their client.

    Added bonus, no large spam image emails and they can't track whether you read it by implanting an image (serialized unique image per email, if it gets loaded from the server, you know that the email was read with images on).
     
    Last edited: Sep 12, 2017
    Wrecked Em, PaulP and CacaSapo like this.
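
The hybrid filtering proposed in the post above (no JavaScript, no images, hyperlinks revert to their real address), as an added example that is not part of the thread. The class name, the tag allow-list and the sample message are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: a small allow-list of text-markup tags; every other tag is dropped.
ALLOWED = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "blockquote"}
# Elements whose whole content is discarded, not just the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "svg"}

class MailSanitizer(HTMLParser):
    """Keep basic markup, drop scripts and images, expose real link targets."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT element
        self.href_stack = []  # targets of the <a> elements currently open

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth:
            return
        elif tag == "a":
            self.href_stack.append(dict(attrs).get("href") or "")
        elif tag in ALLOWED:
            self.out.append(f"<{tag}>")  # attributes (onclick, style) are never copied

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth:
            return
        elif tag == "a" and self.href_stack:
            # Show the real destination next to whatever text the sender chose.
            self.out.append(f" [{escape(self.href_stack.pop())}]")
        elif tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize(html_body: str) -> str:
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)

# Constructed sample: disguised link, inline script, tracking image.
SAMPLE = ('<p>Hi <b onclick="x()">there</b>, '
          '<a href="http://evil.example/login">https://bank.example</a></p>'
          '<script>alert(1)</script><img src="http://tracker.example/p.gif?id=123">')
```

Because images are never emitted, the per-recipient tracking image mentioned in the post is never fetched, and the link text can no longer hide where the link goes.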
  5. Advil

    I've been saying this for many years. We have infected the entire internet with feature creep. We must have primary forms of communication that are inherently safe and simple with no real fear of malicious code.

    Email needs to be one of those. It needs to be text communication. It needs to get where it is going. It needs to be safe every time. It needs to be usable without any complication or fear for an 8 year old or an 80 year old.

    Next we need to start getting control over what web pages and ads should be allowed to do inside a web browser.
     
    PaulP and CacaSapo like this.
  6. lcpiper

    You need separate devices for fun and play, or virtual devices within devices, but separate devices is more secure overall. Don't do serious shit on your play devices.
     
    viscountalpha likes this.
  7. spugm1r3

    This seems to ignore the whole reason why rich text and being able to link in an email is necessary in the workplace. While I agree with it in principle, the purpose is the efficiency of sharing information. A bulleted list with asterisks is not nearly as legible as an actual bulleted list. And if you've ever worked at a company that uses SharePoint for document storage, reading through an email with multiple links as text makes you want to gouge your eyes out.

    This isn't a solution. This is what you do when a solution doesn't exist.
     
  8. Sp33dFr33k

    The web should be text only as well. No one needs video, images, sound, etc. Think how fast web pages would load.
     
    Wrecked Em likes this.
  9. GT98

    The DOD has been doing this for years now...
     
  10. SolidBladez

    But.. but porn man.
     
  11. SvenBent

    ProtonMail and Scryptmail only provide the text-only part of it as default. You have to click a button to see the web context. I like that.
     
    DigitalGriffin and darckhart like this.
  12. darckhart

    Yep, people always wondered why my emails looked so plain. Because it's not full of that stupid html! Email is purely to get a simple point across. Any more than that and you probably should be using something else. Plus I don't know how many hours I've wasted trying to get a fancy html email signature to work right across all devices just to appease some creative/marketer schmuck at the company.
     
    PaulP likes this.
  13. Jovian

    I'm kind of doing this already. I use the "Ask before displaying external images" option in Gmail and it's great for security and load times. If I need to load images, like some vendors put text images, I have the option to.
     
    PaulP likes this.
  14. jedijeb13

    I hate when some companies put all the important text in an image instead of just the text. I have my email at work set to not display images and on several from the equipment vendors show up with practically no information showing up until I load the image.

    And then there are the admin people at work who just love to use some crazy fonts that you can hardly read or colors that are so light that they blend into the white background. One of the reasons I like this site, the black background is so much easier on the eyes, especially if you are in a dark room.
     
    PaulP and bigthoughts like this.
  15. lcpiper


    Flip that script bro.

    What it is, is more secure. An insecure solution is called a vulnerability.

    I get what you are saying but the Army does this and when I get emails with links it looks like ass usually, because the initial email was laid out all pretty with colors and images and links, so when the Army strips all that out then it leaves you with this horrible mess of crappy hard to decipher text. But that isn't what it looks like when a person just types an email with a targeted purpose and pastes a link or two in it. Neatly separated, it's much easier to deal with and it's ....... drum roll please ...... more secure.

    And if you want to send pretty and bullets with nice formatting, send it as an attached file and don't embed that shit in the email itself.
     
    spugm1r3 likes this.
  16. katanaD

    Wrecked Em, SvenBent and SolidBladez like this.
  17. spugm1r3

    Point taken. If we were all in the military, this would be a pretty simple conversation; perhaps infuriating, but predictable. As it is, we are not, and this is anything but a simple conversation.

    Pure security is isolation. Pure functionality is completely connected. The solution to this problem has to be some agile point in between, like an AI with the sole purpose of its existence being to emulate your worst user.

    Attachments, by the way, are a big vulnerability, so if we are talking security, those have to go too. :D
     
  18. modi123

    It would help stop people like Karen from accounting sending out emails with asinine fonts and backgrounds.


    Ya hear that Karen?! NO ONE LIKES YOUR DAMN BACKGROUNDS!
     
    drescherjm likes this.
  19. lcpiper


    Attachments are not a vulnerability, hence the reason the Army allows attachments. But they do control the file types, no executable, no image files, etc. But you can send Word docs and Excel spreadsheets to your heart's content.

    Before you go knocking the world's largest Enterprise you should consider that it is an Enterprise so large that Microsoft told the Army it couldn't be done, and of course the Army did make it work. Of course it suffers issues, but it works.
     
  20. Jahx

    In the end, you have to secure for the lowest common denominator. IT Sec is too fast paced for anyone not in the industry to really keep up, and while basic, common sense habits can do a lot to reduce risk, common sense is sadly uncommon when end users are faced with technology. I have been pushing an initiative for years now to go to plain text email for in-house communications. Sadly, my desire for security is overridden by a few mid-level executives who prefer fancy colors and logos to security. But guess who catches hell when those same execs compromise our network?
     
  21. spugm1r3

    I wasn't knocking it, nothing but respect. I was in the red-headed step-child service for 8 years, so I've seen first hand what discipline can do in volume. Just commenting that expecting discipline anywhere else will often leave you disappointed.
     
  22. Romale23

    Not to be that guy but there is a Unicode character for a bullet. I totally agree with links and SharePoint. There would have to be a way to address that (for anything SharePoint like). 2 jobs ago I worked at a place that auto fired you if you sent an email with an attachment. Was amazed at the actual efficiency gains the forced change in workflow created.
     
  23. lcpiper


    I didn't realize I was coming off as defensive, it wasn't intentional. Discipline is easy when it's managed by Group Policy :D
     
    spugm1r3 likes this.