[imc-oxford-features] proposed feature
Mr. Demeanour
mrdemeanour at jackpot.uk.net
Sun Jan 13 07:55:06 PST 2008
Sarah Lasenby wrote:
> Jack, I am interested to know in what way it is safer?
1. HTML email often contains web-bugs, which are single-pixel transparent
images loaded from some arbitrary website. The log on that website
will show that you opened the email, and what IP address you used at
the time you opened it. This is unavoidable, if you render email as
HTML, unlike "read notification", which is sent at your discretion.
2. Unless your web-browser AND mail client are properly configured, it
is possible for HTML-formatted email to contain Javascript, which can
do a variety of things, depending on your security settings and what
vulnerabilities are present on your system, including (e.g.) sending
all of your passwords and contacts to some IRC channel.
Email was invented as a text-only medium. As an afterthought, the
ability was added to include attachments of arbitrary content-types.
HTML-formatted email was a Microsoft invention, introduced with Outlook
and Outlook Express; it involved designating that an HTML "attachment"
was to be displayed as the body of the message, rather than as an
attachment. Because we are speaking of Microsoft inventions, security
was not foremost in the minds of those who invented it (to say the
least). Those who look after email standards are a different group from
those who attend to the Web. Certainly they share many of one another's
concerns, but their priorities are different.
The fundamental point is, HTML email is rendered by your browser, not by
your email client. Any vulnerability that may be exploited in your
browser can therefore be exploited using an HTML email. But with a
native browser, you can (to some extent) choose what sites to visit;
with an email, if you open it, then you have effectively asserted that
you trust it, and that its content may do roughly as it wishes to your
browser. Email is insecure - you can't easily tell who really sent or
composed it - so it's safer to set your browser to NOT render email as HTML.
An HTML-formatted email actually (usually) contains two "parts" - an
HTML part and a plain-text part. Your email client chooses the
"best-quality" rendition of which it is capable. If you disable HTML
rendering of email, you can still read the text; you just don't get the
markup.
Note that many spammers send completely different text in the HTML and
text parts - the HTML part will be full of flashy advert graphics, with
blinking, lots of loud colors and ugly typography and so on; the text
part will just say "Get a better mailreader". Or it may have no
text-part at all - which from my point of view is *just peachy*, as I
have no desire whatsoever to read adverts.
Mailing-lists frequently strip the HTML part off, because the operators
know that many of their readers don't allow HTML in email, and to save
bandwidth (by not sending out both the HTML and the text). Note that the
HTML can be many times larger than the text - especially if the HTML was
composed automatically by certain Microsoft products, which can easily
produce HTML twenty or thirty times as bulky as the text. List-operators
therefore strip HTML partly to protect those who are still on dial-up lines.
I lose very little by ignoring HTML; yours is the first HTML email I
have received in about four years in which important meaning was encoded
as HTML markup. A better strategy (one which works for nearly all
readers) is to use notation *like this* (which comes out emboldened on
many mail clients), or _like this_ (which would come out underlined), or
/like this/ (which would come out italicised). These techniques work
independently of whether HTML rendering of mail is allowed or not. And
even if those notations aren't transformed into their respective
styles of emphasis, they still appear in the text as they were typed,
and so can still be used to emphasise parts of the message.
Here endeth the lesson :-)
--
Jack.
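As an added illustration (not part of Jack's post, and not code from the list software), here is how a mail client with HTML rendering disabled behaves on the kind of message he describes: it parses a multipart/alternative message with Python's standard email module, takes the text/plain part rather than the HTML one, and separately lists what a defender would want flagged in the HTML part (remote images, 1x1 tracking pixels, script tags, inline event handlers). The sample message and its hostnames are constructed for the example.

```python
"""Added example: prefer the plain-text alternative of a MIME message and
audit the HTML part for web-bugs and script, as a non-HTML-rendering
client or a mail filter would. Sample message below is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample: the HTML part carries a remote 1x1 tracking image and
# a script; the text/plain alternative says something entirely different.
SAMPLE_RAW = b"""From: sender@example.invalid
To: reader@example.invalid
Subject: newsletter
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Get a better mailreader
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><h1>Big <b>sale</b></h1>
<img src="http://tracker.example.invalid/open.gif" width="1" height="1">
<script>document.location='http://evil.example.invalid/'</script>
</body></html>
--b1--
"""

IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
EVENT_RE = re.compile(r"\bon\w+\s*=", re.IGNORECASE)


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern (EmailMessage) policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def best_text_body(msg: EmailMessage):
    """Behave like a client with HTML rendering off: use the text/plain
    alternative and return None for HTML-only mail (nothing is rendered)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else None


def audit_html_part(msg: EmailMessage):
    """List the risks in the HTML alternative without rendering it:
    remote images (possible web-bugs), 1x1 images, scripts, event handlers."""
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    html = part.get_content()
    findings = []
    for tag in IMG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        if src.lower().startswith(("http://", "https://")):
            findings.append(("remote-image", src))
        if attrs.get("width") == "1" and attrs.get("height") == "1":
            findings.append(("tracking-pixel", src))
    if SCRIPT_RE.search(html):
        findings.append(("script", ""))
    if EVENT_RE.search(html):
        findings.append(("event-handler", ""))
    return findings


if __name__ == "__main__":
    m = parse_message(SAMPLE_RAW)
    print("text part:", best_text_body(m))
    for kind, detail in audit_html_part(m):
        print("HTML finding:", kind, detail)
```

The audit never fetches anything, so the tracker in the sample is not contacted; a client that rendered the HTML part would have loaded open.gif and recorded the reader's IP address, which is precisely the web-bug problem described in point 1.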