or Connect
AppleInsider › Forums › Other Discussion › Feedback › There needs to be an option to have notification e-mails sent as plain text
New Posts  All Forums:Forum Nav:

There needs to be an option to have notification e-mails sent as plain text

post #1 of 8
Thread Starter 
HTML e-mails are a potential security and privacy hazard due to hidden or camouflaged URLs, 1-pixel images, scripts, etc.

Some firewalls even have provisions to toss/filter all HTML e-mail, and even iOS has an incomplete safety measure to not display remote images in e-mail, which is designed to stop the most common and most insidious types of privacy invasions prevalent with HTML e-mail (the user-tracking image-as-response-to-database-request-URL).

Any decent, i.e. not shady, operation gives users the option to receive e-mail notifications as plain text.
post #2 of 8
Quote:
Originally Posted by rcfa View Post

HTML e-mails are a potential security and privacy hazard due to hidden or camouflaged URLs, 1-pixel images, scripts, etc.

The page you are posting on is HTML developed by the same people sending you the emails.
Quote:
Originally Posted by rcfa View Post

even iOS has an incomplete safety measure to not display remote images in e-mail, which is designed to stop the most common and most insidious types of privacy invasions prevalent with HTML e-mail (the user-tracking image-as-response-to-database-request-URL).

The main reason for that would be to prevent burning through your mobile data caps, especially abroad. User-tracking with images only lets them know when you opened the email as you have to get the image from their server along with IP and email address. This site already knows your email and IP and more just from being on the site, the emails don't do anything more than that.
Quote:
Originally Posted by rcfa View Post

Any decent, i.e. not shady, operation gives users the option to receive e-mail notifications as plain text.

Not really, it takes extra effort to send both. As you can tell from the many broken parts of the forum, it's more likely something that wasn't a priority.
post #3 of 8
Thread Starter 
Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by rcfa View Post

HTML e-mails are a potential security and privacy hazard due to hidden or camouflaged URLs, 1-pixel images, scripts, etc.

The page you are posting on is HTML developed by the same people sending you the emails.

 

So? A web page I intentionally navigate to, so I see where I go to, and where resources loaded are coming from. An e-mail can be spoofed, that's how phishing and spamming works, in case you haven't noticed.

 

Quote:
Originally Posted by Marvin View Post
 
Quote:
Originally Posted by rcfa View Post

even iOS has an incomplete safety measure to not display remote images in e-mail, which is designed to stop the most common and most insidious types of privacy invasions prevalent with HTML e-mail (the user-tracking image-as-response-to-database-request-URL).

The main reason for that would be to prevent burning through your mobile data caps, especially abroad. User-tracking with images only lets them know when you opened the email as you have to get the image from their server along with IP and email address. This site already knows your email and IP and more just from being on the site, the emails don't do anything more than that.
 

 

No, the main reason is that spammers and phishers load up their e-mails with resource URLs that are unique to each and every message they send out. That way they can track which e-mail addresses are active and in particular which users are not careful about their privacy settings and what they click on.

This allows them to purge their e-mail address lists and make them even more valuable and even more targeted.

The ability to prevent an e-mail client automatically loading such images prevents spammers from knowing which messages were actually read/opened in an e-mail client, and which might simply have been delivered to a tarpit/honeypot SMTP server.

 

Quote:
Originally Posted by Marvin View Post
 
Quote:
Originally Posted by rcfa View Post

Any decent, i.e. not shady, operation gives users the option to receive e-mail notifications as plain text.

Not really, it takes extra effort to send both. As you can tell from the many broken parts of the forum, it's more likely something that wasn't a priority.

 

It takes extra effort to create HTML e-mail templates. If the extra effort is an issue, then I'd suggest simply strip away any and all formatting and be done with it.

 

You may have noted that Banks, PayPal, etc. only send plain-text e-mails, exactly to make spoofing more difficult.

 

Given that people who post in this forum have to log in, a spoofed e-mail directing to a spoofed web site, can allow a spammer/phisher to capture a subscriber's AI or even FB password, which in turn with high likelyhood is the same password as the user's e-mail account, bank account, etc. given how lax the average user is with choosing passwords.

 

In other words, spoofing an AI mail could compromise a user's security significantly.

 

Phishing works mostly by social engineering (i.e. using people's behavioral deficiencies) not by actual security holes in software. Therefore, the task of responsible web sites and e-mail senders is to make that as difficult as possible.

post #4 of 8
Quote:
Originally Posted by rcfa View Post

You may have noted that Banks, PayPal, etc. only send plain-text e-mails, exactly to make spoofing more difficult.

I usually see HTML emails with their logos in the corners. This remotely loaded logo is used for Paypal:

http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gif
Quote:
Originally Posted by rcfa View Post

Given that people who post in this forum have to log in, a spoofed e-mail directing to a spoofed web site, can allow a spammer/phisher to capture a subscriber's AI or even FB password, which in turn with high likelyhood is the same password as the user's e-mail account, bank account, etc. given how lax the average user is with choosing passwords.

In other words, spoofing an AI mail could compromise a user's security significantly.

Sure but they'd have to go to all the trouble of recreating the AI home page, registering a domain that looked like appleinsider.com (which they could write in a plain text email) bulk send to tens of thousands of random email addresses in the hope that some of the 250 or so active users here are in the list and click the link so they can get a password, which may or may not be of any use to them.

The prevention being for AI to offer the option to get plain text emails, which requires the AI users to actually change the preference and the people who are the typical target of social engineering most likely won't change it anyway.

I don't see it being anywhere near the security risk of Paypal's HTML emails.
post #5 of 8
Thread Starter 
Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by rcfa View Post

You may have noted that Banks, PayPal, etc. only send plain-text e-mails, exactly to make spoofing more difficult.

I usually see HTML emails with their logos in the corners. This remotely loaded logo is used for Paypal:

http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gif

 

There are some advertisement e-mails from PayPal that do indeed have HTML formatting. Bad enough.

However, important e-mail, like payment confirmations, money received, etc. are plain-text. At least all that I ever get.

Also, there's a different between MIME e-mail with inline attachments, and HTML e-mail, in that HTML allows a variety of tricks, that aren't possible with MIME e-mail, such as link spoofing. e.g. "<a href="http://www.appleinsider.com.some.fraudulent.site.cn/snatchThePassword.php">http://www.appleinsider.com/</a>"

 

Quote:
Originally Posted by Marvin View Post
 
Quote:
Originally Posted by rcfa View Post

Given that people who post in this forum have to log in, a spoofed e-mail directing to a spoofed web site, can allow a spammer/phisher to capture a subscriber's AI or even FB password, which in turn with high likelyhood is the same password as the user's e-mail account, bank account, etc. given how lax the average user is with choosing passwords.

In other words, spoofing an AI mail could compromise a user's security significantly.

Sure but they'd have to go to all the trouble of recreating the AI home page, registering a domain that looked like appleinsider.com (which they could write in a plain text email) bulk send to tens of thousands of random email addresses in the hope that some of the 250 or so active users here are in the list and click the link so they can get a password, which may or may not be of any use to them.

The prevention being for AI to offer the option to get plain text emails, which requires the AI users to actually change the preference and the people who are the typical target of social engineering most likely won't change it anyway.

I don't see it being anywhere near the security risk of Paypal's HTML emails.

 

No, they don't have to go through that trouble, they just have to recreate the AI login page, and then after they snatch the password, redirect to the regular appleinsider site. They also don't have to register a domain that looks like appleinsider.com, because they can name a host www.appleinsider.com.t.151140.qwetsx.cn and most people won't read past the appleinsider.com part, because we have long stopped using intelligible URLs on the web, so instead of meaningful URL paths we have machine generated gobbledeegook that nobody looks at anymore if the beginning seems about OK, particularly on small screen devices, where the URL field often isn't even long enough to show more than the start of a URL.

 

In a low-wage country, the effort of doing such a phishing attack is minimal; it's not like they have to lick stamps to send out these e-mails to hundreds of thousands of people. It's more than profitable if out of a hundred thousand e-mail sent out, 100 are received by AI readers, and one or two of them enter the password on the wrong page. All these sort of attacks are number games. They don't cost a lot of effort, and it suffices if they strike gold every few attacks. If they phish five sites like AI, and they clean out one person's bank account as a result, it's well worth the effort for them.

 

Prevention would also, at least ideally, be that people have to OPT IN to HTML e-mail, not opt out of it. But at the very least should those people who are security minded and don't want to click in an unsuspecting moment at 3am after an 18h day, on the wrong link because they lapsed momentarily in attention.

 

The reason why phishers and spammers succeed is exactly because preventive measures are always only taken AFTER the disaster strikes, because people like you always talk down the risks.

 

I hope that AI at least stores the passwords to this site a tad more securely than LinkedIn did...

...because these guys obviously also thought that their site wouldn't be a security risk, or else they wouldn't have been this lax:

http://www.tomshardware.com/news/LinkedIn-Password-Breach-hack-eharmony,15963.html

 

But if you don't believe me, simply Google: "html email security risk"


Edited by rcfa - 7/7/12 at 8:32am
post #6 of 8
That all hinges on users not staying logged in at all times.

Like me. If I ever have to type my password, I'd know something is going wrong.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
Reply

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
Reply
post #7 of 8
Thread Starter 
Quote:
Originally Posted by Tallest Skil View Post

That all hinges on users not staying logged in at all times.

Like me. If I ever have to type my password, I'd know something is going wrong.

 


Remaining logged in means that you never clean out your cookies. While that might be convenient, it has a lot of other privacy implications.

People who regularly clean out their cookies or have a cookie cleaner software or use private browsing will often have to enter passwords.

post #8 of 8
Quote:
Originally Posted by rcfa 
Prevention would also, at least ideally, be that people have to OPT IN to HTML e-mail, not opt out of it. But at the very least should those people who are security minded and don't want to click in an unsuspecting moment at 3am after an 18h day, on the wrong link because they lapsed momentarily in attention.

The reason why phishers and spammers succeed is exactly because preventive measures are always only taken AFTER the disaster strikes, because people like you always talk down the risks.

Your suggestion doesn't prevent an attack though. The scammers are the ones sending out the HTML email so regardless of what your AI settings are, you will get an HTML email. Even if you were sure you chose to receive plain text emails, after this 18 hour day at 3am, that HTML email is not going to look out of place.

You can always read all your email in a plain text email client.
Quote:
Originally Posted by rcfa 
I hope that AI at least stores the passwords to this site a tad more securely than LinkedIn did...

But if you don't believe me, simply Google: "html email security risk"

I hope that AI's users aren't using the same password for their account that they use for Paypal and banking, that's the real risk. A site sending its own users HTML email poses no risk, which is why Paypal, Amazon, Apple and many others do it. What they shouldn't do is expect you to click links in the email for you to subsequently log in.
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Feedback
AppleInsider › Forums › Other Discussion › Feedback › There needs to be an option to have notification e-mails sent as plain text