Text vs HTML: what is more secure?

There are “good” mailing lists and “not so good” mailing lists from the point of view of security.

Try posting HTML mail to a “good” list and one of two things will happen.

  1. If you have a mailer that includes the plain text then the list
    software will discard the HTML part, forward the plain text to the list
    with a message reading

    [Non-text portions of this message have been removed]

    I’m sure you’ve seen that message in posts on yahoogroups and similar.

  2. If you have a mailer that doesn’t include the plain text
    then one of two things may happen:

    1. The plain text version is displayed, but since it is null the text that appears is
      empty; you still get

      [Non-text portions of this message have been removed]

      I’m sure you’ve seen that too.

    2. The list software does its best to convert the html to plain text by stripping
      off the html tags. This works, but may
      produce some odd results. However you still get

      [Non-text portions of this message have been removed]

Of course none of this matters to some of us.
We have ‘sanitizers’ in our spam filters and use the smart options in our mailer, like in Thunderbird, where the display selector gives the choice:

Display message body as:
    * Plain Text
    * Original HTML
    * Simple

There is also the option of compose in plain text or HTML.

Do the MS-Windows mailers – other than Thunderbird – offer these alternatives? I don’t know, I don’t use them. I always recommend Thunderbird (and Firefox) because of the security plugins available.

But then I run Linux, as you all well know by now.
Personally I think the arguments that ‘Linux only seems to be secure because it’s a marginal market’ are unfounded. Since so many of the large financial organizations are running Linux or a variant of UNIX, there would be great pickings. MS-Vista, and now Windows 7, are applying security principles that *NIX has had for many decades.

When discussing this with clients I often give the example of a HTML mail message that might be passed around a company:

Here is the latest emergency upgrade from Microsoft to deal with the
Google-China hack that has seen so much press recently.  Please
install it on all your machines right away.
   <a href="http://www.evilhackerssite.com/downloads/nastytrojan.exe">

Really it’s an example of social engineering. This might purport to come from “Jack in IT”, but we all know how easy it is to forge mail headers. The end result is, as we all know, no different from visiting a rogue site on the web and downloading the trojan.
We, all of us “security experts”, keep telling people not to visit rogue sites and not to download that kind of stuff. Where we can, we try to set up filters or even have such sites taken down.

So how can we, in good conscience, permit or condone HTML mail?

Some people will argue that it’s a battle that’s been fought and lost. In many establishments that’s true, but there is a good argument against it:

I don’t mean just the economics of the cost of recovery, clean-up, reimaging, data leakage and whatever. Like ROSI those are hard to project and are full of “if” and “maybe”.

No, I mean real, measurable costs.

Send yourself a HTML e-mail, composed as so many are with those Microsoft tools that produce such awful HTML, treating each line as a new item and resetting the font. (Go look if you don’t believe me.) It probably includes the plain text as well. Note the size in bytes.

Now run that through a sanitizer to strip out the HTML and leave only the plain text. Note the size in bytes.

How much have you saved? Now multiply that by your e-mail traffic, the amount of e-mail you have to archive each year. What does that cost in terms of storage? And backup? Do you need to be concerned about bandwidth?
Perhaps you also need to be able to search the archived mail. Grepping plain text is a lot easier and faster.

You *can* put numbers to this. They may not be dramatic, but they are going to accumulate over the years. Media may get cheaper, but that also means the effort of transferring those archives.

It may not be a great argument, but I’ve seen managers surprised when they see the numbers; they were quite unaware of the volume of e-mail their organizations were handling and what the impact on IT processing and the costs were.
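As an added example (not part of the original post), the following Python uses only the standard library `email` package to do what the “good” list software above does, to put the byte count to the storage argument, and to flag links to executables in the HTML part, as in the “Jack in IT” message. The sample messages, the `example.com` addresses and all function names are constructed for this example; the nastytrojan.exe URL is the one from the post.

```python
import email
import re
from email import policy
from email.message import EmailMessage

NOTICE = "[Non-text portions of this message have been removed]"

def html_to_text(html):
    """Crude tag stripping, as described for case 2b: good enough, sometimes odd."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", html)).strip()

def sanitize_for_list(raw):
    """Forward only plain text, as a text-only list does: prefer the text/plain
    alternative, fall back to tag-stripping when that part is missing or empty,
    and append the notice whenever an HTML part was dropped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    text = plain.get_content().strip() if plain is not None else ""
    if not text and html is not None:
        text = html_to_text(html.get_content())
    if html is not None:
        text += "\n\n" + NOTICE
    return text

def savings(raw):
    """(bytes as sent, bytes after sanitizing): the measurable cost argument."""
    return len(raw), len(sanitize_for_list(raw).encode("utf-8"))

def executable_links(raw):
    """Detection for the social-engineering example: hrefs ending in .exe in the HTML part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",))
    hrefs = re.findall(r'href="([^"]+)"', html.get_content()) if html is not None else []
    return [u for u in hrefs if u.lower().endswith(".exe")]

def build_sample():
    """Constructed sample: bloated HTML (font reset on every word) plus a plain alternative."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "jack@example.com", "list@example.com", "Upgrade"
    body = "Please install the upgrade on all machines right away."
    html = "".join(f'<p><font face="Calibri" size="2">{w}</font></p>' for w in body.split())
    html += '<a href="http://www.evilhackerssite.com/downloads/nastytrojan.exe">install</a>'
    msg.set_content(body)
    msg.add_alternative(f"<html><body>{html}</body></html>", subtype="html")
    return msg.as_bytes()

# Constructed sample for case 2: a mailer that sends HTML with no plain-text part at all.
HTML_ONLY = (b"From: jack@example.com\r\nMIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n"
             b"<p><b>Please</b> install the upgrade <i>right away</i>.</p>\r\n")
```

Run `savings(build_sample())` to see the size of the message as sent against what survives sanitizing; the ratio is what multiplies across a year’s archive.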

The arguments in favour of HTML e-mail seem odd. Why should coloured fonts, or having bold and underline as HTML be so important? I have a plugin for Thunderbird that makes words like *this* and _this_ appear as *bold* and _underlined_, so there is no benefit in using HTML.

HTML e-mail may be great for kids who want to fancy up their mail to look like their web pages (facebook … etc), but in a professional context it is highly questionable.

It is most certainly the domain of spammers and social engineers.

Which is why I often put this as a signature block in my plain-text e-mail:

     \ / ASCII Ribbon Campaign
      X  Against HTML Mail
     / \

See also “The 25 Most Common Mistakes in Email Security”.


About the author

Security Evangelist
