Do Away With HTML Based E-mail

Discussion in 'other security issues & news' started by ronjor, Jan 17, 2007.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Brian Krebs
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I posted a comment to Mr. Krebs's blog regarding these statements:

    I wrote that I thought he did the general reader a disservice by leaving it at that.

    The implication is that if something gets by the email client, that your system is compromised.

    That, as everyone knows, does not have to be, with the various solutions available today to protect against that type of attack.

    This is not to excuse the vulnerabilities in the mentioned software, but the subtle implication that the applications at the top (email, browser) should be the bulwark of your defense is just outmoded in today's world of strategic thinking.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  3. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
    I'm in total agreement with only using plain text emails. Why open yourself up to further vectors and unnecessary risk?

    Nothing new though, the experts have been saying the same thing all along:

    http://isc.sans.org/diary.html?storyid=1551

    I strictly enforce a policy of plain text emails in the organisation for which I work, and cover the reasons why as part of new users' basic IT training. If others were not so ignorant, I'd also enforce bouncing of all incoming mail not in plain text format - oh look, spam disappears overnight :D

    People forget that most modern day (GUI-based) email clients are fully fledged HTML browsers (try entering a URL into Outlook!) and thus suffer all the same vulnerabilities. I fear, however, all this falls mostly on deaf ears :rolleyes:
     
    Last edited: Jan 18, 2007
  4. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    Rmus,

    I read your comment.
    If "general reader" means ordinary home user, then the general readers I know couldn't cope with the solutions you put forward. Viewing emails in plain text is something they can easily understand and implement.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I will admit that the general reader may not be aware of solutions, but I don't agree that he can't cope with them.

    This is why Mr. Krebs does a disservice by not suggesting, or linking, if he doesn't want to expand in the current article, to sources that discuss solutions. It's not much to cope with to learn about a security program which will protect behind the email and browser clients.

    What purpose is served by statements like this...

    ...without explaining further that there are easy ways to prevent such exploits for those who use HTML?

    For a nationally syndicated columnist writing on computer security, it's irresponsible journalism, in my opinion. It's good press, of course: has all of the necessary sensationalist ingredients.

    There are a couple of issues here. Some people, by necessity or by choice, use HTML.

    One acquaintance works part-time from his home office. Some clients send HTML formatted emails.

    Another friend and two of her friends enjoy sending each other silly stuff in HTML formatted emails.

    Like it or not, until HTML is somehow banned, it's a tool that many enjoy. Why should they be afraid to use it?

    I'm not saying it's good or bad, that's just the way it is at the moment.

    Everyone of course has the option of not using it, or filtering to a junk box. I and those on my regular mailing list, by choice, use text-only messages, but I have a cousin who sends HTML.

    The tactics for dealing with HTML email are very simple to implement.

    1) The email client is configured to open in text-only mode. In Forte Agent, for example, the HTML message appears with the default browser icon, and the image as an attachment:

    http://www.urs2.net/rsj/computing/imgs/agent-html1.gif
    _____________________________________________________________

    2) Decide whether to open or delete. This is not a difficult decision at all. For the above, either you aren't a Chase client, or you know that Chase doesn't do business that way. Or you should.

    If you recognize it as a legitimate message, then you have the options. If I launch, it opens in the browser and loads the image:

    http://www.urs2.net/rsj/computing/imgs/agent-index.gif
    ______________________________________________________________

    A much more useful article would have been to state the problem, as he does, suggest the tactic of avoiding HTML by using text-only mode, as he does. Then, to allay fears of an exploit by indicating that there are *simple* ways of protecting behind the email and browser clients, should something unexpected happen.

    What a missed opportunity to start the general reader to becoming more involved and knowledgeable about this aspect of computer security!

    In this way, those who use HTML for whatever reason don't have to be frightened that bad guys out there know how to exploit HTML language.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
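The two points made above, that a GUI mail client is effectively an HTML browser (Ned Slider's post) and that text-only mode plus a look-then-decide step keeps HTML mail from ever being rendered (Rmus's two-step tactic), can be shown in code. The script below is an added example, not code from this thread, from Forte Agent, or from any other mail client: it parses a raw MIME message with Python's standard `email` package, shows only the text/plain part, and, where an HTML part exists, lists what that part would have fetched from the network (images, scripts, frames, stylesheets) without fetching anything and without rendering it. The two messages it inspects are constructed samples using example.com addresses, not real mail.

```python
"""Text-only view of a MIME message, in the spirit of a mail client set to
plain-text mode: show the text/plain part, never render HTML, and report
(without fetching) what the HTML part would have loaded.
Added example; not code from the thread or from any mail client it mentions.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Absolute and protocol-relative URLs, i.e. references that would trigger a
# network fetch if the HTML part were rendered.
REMOTE_URL = re.compile(r"^(https?:)?//", re.IGNORECASE)

# Elements whose src/href is fetched automatically on render (anchors are not).
AUTO_LOADING = {"img": "src", "script": "src", "iframe": "src",
                "link": "href", "object": "data", "embed": "src"}


class _HtmlInspector(HTMLParser):
    """Collect visible text and auto-loaded remote references; renders nothing."""

    def __init__(self):
        super().__init__()
        self.chunks = []   # visible text fragments
        self.remote = []   # (tag, url) pairs that a renderer would fetch
        self._skip = 0     # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        attr = AUTO_LOADING.get(tag)
        if attr:
            url = (dict(attrs).get(attr) or "").strip()
            if REMOTE_URL.match(url):
                self.remote.append((tag, url))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

    def text(self):
        return " ".join("".join(self.chunks).split())


def text_only_view(raw: bytes) -> dict:
    """Return what a plain-text-mode client would show for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    view = {"subject": str(msg["subject"]), "body": "", "html_only": False,
            "remote_resources": [], "attachments": [], "notes": []}

    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        inspector = _HtmlInspector()
        inspector.feed(html.get_content())
        view["remote_resources"] = inspector.remote
    if plain is not None:
        view["body"] = plain.get_content()
    elif html is not None:
        # No text alternative: degrade the HTML to its visible text instead of rendering it.
        view["html_only"] = True
        view["body"] = inspector.text()
        view["notes"].append("HTML-only message; shown as extracted text")
    # Attachments are listed, like Agent's attachment icon, but never opened here.
    for part in msg.iter_attachments():
        view["attachments"].append((part.get_filename(), part.get_content_type()))

    if view["remote_resources"]:
        view["notes"].append("HTML part references %d remote resource(s); not fetched"
                             % len(view["remote_resources"]))
    if view["attachments"]:
        view["notes"].append("%d attachment(s) left unopened" % len(view["attachments"]))
    return view


def constructed_samples():
    """Two constructed messages (not real mail): a multipart notice and an HTML-only one."""
    notice = EmailMessage()
    notice["Subject"] = "Account notice (constructed sample)"
    notice["From"] = "alerts@example.com"
    notice["To"] = "user@example.com"
    notice.set_content("Please sign in to review recent activity.\n")
    notice.add_alternative(
        "<html><body>\n"
        '<img src="http://example.com/logo.gif">\n'
        '<p>Please <a href="http://example.com/login">sign in</a> to review.</p>\n'
        '<script src="//example.com/track.js"></script>\n'
        "</body></html>\n", subtype="html")
    notice.add_attachment(b"GIF89a\x00", maintype="image", subtype="gif",
                          filename="card.gif")

    html_only = EmailMessage()
    html_only["Subject"] = "Your card (constructed sample)"
    html_only["From"] = "friend@example.com"
    html_only["To"] = "user@example.com"
    html_only.set_content(
        "<html><body><p>Your card is ready.</p>\n"
        '<img src="http://example.com/card.gif"></body></html>\n', subtype="html")
    return notice.as_bytes(), html_only.as_bytes()


if __name__ == "__main__":
    for raw in constructed_samples():
        view = text_only_view(raw)
        print(view["subject"], view["body"].strip(), view["notes"], sep="\n  ")
```

The `notes` list is the "decide whether to open or delete" step made explicit: a reader sees the plain text, how many things the HTML would have pulled from the network, and how many attachments are waiting, and nothing has been rendered, fetched or opened on their behalf.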
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    I don't believe it is a missed opportunity in total. Any information that can get the wheels turning on the secure use of computer programs and computers is not all wasted.
    The information may seem mundane and routine to users of security forums, while casual users may need more information such as you have provided, Rich.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Agreed - not a missed opportunity in total.

    -rich
     
    Last edited: Jan 18, 2007