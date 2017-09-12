
Communications Privacy Security

The Only Safe Email is Text-Only Email (theconversation.com) 39

Posted by msmash from the modest-proposal dept.
Sergey Bratus, Research Associate Professor of Computer Science, Dartmouth College, and Anna Shubina, Post-doctoral Associate in Computer Science, Dartmouth College write: The real issue is that today's web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It's not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way. Simply put, safe email is plain-text email -- showing only the plain words of the message exactly as they arrived, without embedded links or images. Webmail is convenient for advertisers (and lets you write good-looking emails with images and nice fonts), but carries with it unnecessary -- and serious -- danger, because a webpage (or an email) can easily show one thing but do another. Returning email to its origins in plain text may seem radical, but it provides radically better security. Even the federal government's top cybersecurity experts have come to the startling, but important, conclusion that any person, organization or government serious about web security should return to plain-text email (PDF).
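
The summary's point that an HTML email "can easily show one thing but do another" can be checked mechanically. The following is an added example, not part of the original post or the linked article: it walks the `text/html` parts of a message and reports links whose visible text names a different host than the `href`, remote images that are fetched on display, and active-content tags. The sample message and all host names are constructed placeholders.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

URLISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

class MailAudit(HTMLParser):
    """Records what an HTML part can do that a plain-text part cannot."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag in ("script", "iframe", "object", "embed", "form"):
            self.findings.append(("active-content", tag))
        elif tag == "img" and urlsplit(a.get("src") or "").scheme in ("http", "https"):
            self.findings.append(("remote-image", a["src"]))  # fetched on display
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = URLISH.match("".join(self._text).strip())
        target = (urlsplit(self._href).hostname or "").lower()
        if shown and shown.group(1).lower() != target:
            self.findings.append(("link-mismatch", shown.group(1).lower(), target))
        self._href = None

def audit_message(raw):
    """Return findings for every text/html part of an RFC 5322 message."""
    audit = MailAudit()
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            audit.feed(part.get_content())
    audit.close()
    return audit.findings

# Constructed sample message (not from the page); all hosts are placeholders.
SAMPLE = (
    "From: billing@example.com\nSubject: Invoice\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Pay at <a href="http://login.example.net/pay">https://bank.example.com</a></p>\n'
    '<img src="http://track.example.net/o.gif?id=42" width="1" height="1">\n'
)
```

A plain-text part yields no findings because the URL the reader sees is the only URL there is; the check compares host names only, so it does not catch lookalike domains.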


  • D'oh (Score:1)

    by Anonymous Coward

    When you try to sound sincere but link to a PDF!

  • Want to know why? Read the PDF! (Score:1)

    by Anonymous Coward

    "...should return to plain-text email (PDF)."

    That's hilarious.

  • is ASCII.

    Also: go ahead, explain to me why it is that my computer needs to have a turd glyph stored on it.

    • Re: (Score:1)

      by Anonymous Coward

      is ASCII.

      Also: go ahead, explain to me why it is that my computer needs to have a turd glyph stored on it.

      Because Stargates can't connect without a point of origin.

    • Why not Unicode? Especially when all the major platforms support a variety of languages using Unicode conventions! Everyone's not Slashdot!

  • Well...duh... (Score:3)

    by evolutionary ( 933064 ) on Tuesday September 12, 2017 @01:30PM (#55181865)
    We all know that embedded codes for dynamic engines in your OS or even the program reading the messages is just an invitation for trouble.

    Microsoft led the way with VB.Script in Outlook. ("I luv you" too...), then as marketing people wanted to decorate with fancy email signatures we started embedding HTML/Javascript, leading to clever tracking on web servers and javascript routines. The worst part is the default for email clients and web client is all HTML/Javascript.

    We need the default on all email stuff to be text only for our own protection as well as the general health of cyberspace.

  • Oh the irony (Score:4, Insightful)

    by Apotekaren ( 904220 ) on Tuesday September 12, 2017 @01:30PM (#55181867)

    So we should go back to Text-Only email for security reasons, and more information can be found in this totally safe PDF?

  • It's on by default, not just for the "market" but for users too, because we need to be able to see emojis and an image macro of a "minion" who doesn't like Mondays.

    LessthansymbolSarcasmclosetagGreaterthansymbol

    Exceptions don't make the rule, rendering email should be a toggle for the cases you need it. If any. An "always on" opt-in would be fine, user-elected consequences. If you're scared of people asking where the emoji are, just have one of those "Media content detected, may not render in safety-mode, cl

  • I've always configured all my email clients to not autodownload linked images unless I specifically want them. This blocks trackers and such, but if people start embedding javascript in email, then that doesn't help much.

  • The Rich Text Format [microsoft.com] from back in the 20th century does not support macros and there are no known exploits for it in the last 18 years. The only time people run into issues is when a Microsoft Word document (.doc or .docx) is renamed to .rtf and loaded erroneously. But with e-mail the MIME types and integrated viewer and editor would avoid that file extension hole. (that same hole would exist for .txt if MS Office were the default program for that extension, mostly that's just Office being terrible)

    Theoreti

  • Been reconfiguring my email and web clients to send text only and not to display or download images. Fun at corporate when I don't see folks idiot corporate icons and backgrounds. Heck, I seldom click on attachments from others in the company (certainly not from external sources) for a couple of hours at minimum. I already know my boss doesn't love me :)

    A couple of years back, corporate came out with a standard signature block with html, images, and links. I kicked back with a request for a text only signat

  • Anyone having deja vu? I used to work on a dumb terminal hooked up to a large Sun server. My email was text only Alpine. After years of fancy new computers and email systems, what are many IT directors going towards? A central VMware server, dumb terminals, and text based email.

  • We've known this for many years. It's why the first thing I do with any mailreader is disable HTML.

  • Email my mother a plain text email that says "Your Adobe Flash is out of date, copy this link into your browser to update it" and she's probably going to do it. The only safe computer for her is something like a commodore 64 without internet access.

  • The folks at Dartmouth may well be correct in that plaintext e-mail is safest. However, does that really make it the best solution anymore?

    Look, I've got "that secretary" who uses borderline-illegible script fonts on stationery and ConstantContact blasts annoy me, as well. HTML mail does indeed have its downside and I don't disagree that it opens up at least some amount of security holes.

    At the same time, plaintext e-mail has its faults, too. The color separation makes it clear when you've cleared the 'new

  • I use Thunderbird and POP3, view my messages in Plain Text, have Javascript and all plugins disabled -- for those cases where I have to view the message body as HTML because (for some reason) nothing (or not everything) displays in Plain Text mode (which annoys me to no end, anyone have a workaround?).

    I'm confident that I'm not missing out on anything by viewing in Plain Text, 'cause it's freaking email, not art.
