×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

New E-Mail Vulnerability - Trust Your Neighbor?

timothy posted more than 13 years ago | from the never-trust-anyone-over-30-inches dept.

Privacy 186

Anonymous Coward writes: "According to this article in The New York Times (free registration required), a trick enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth. The vulnerability could facilitate the harvesting of e-mail addresses. Widely used e-mail programs that are vulnerable to the exploit (because they enable JavaScript) include Microsoft Outlook, Outlook Express and Netscape 6." A snippet from the article: "The potential for such e-mail spying was first discovered by Carl Voth, an engineer in British Columbia. 'What bothers me is that in this case, my vulnerability is a function of what you do,' Mr. Voth said. 'I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.'" "The Privacy Foundation, an educational and research organization based in Denver, plans to publicize and demonstrate the technique today."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

186 comments

Wrong! (3)

www.sorehands.com (142825) | more than 13 years ago | (#456623)

SPAMMERS have been using html in emails. They setup an cgi script to pick up an email address from the message. That part of the caller passes the sent email to a script back on the server through an image call.

It's a way to confirm the reading of a message.

javascript is not needed, html will do (1)

washirv (130045) | more than 13 years ago | (#456627)

so long as the email calls back to the server (for a 1 pixel gif, for instance) this exploit will always exist. The trick is to turn off html altogether, and just read text email. Better still, use a "backward" email reader that can read only text. :-)

Re:Minor Nitpick (2)

roca (43122) | more than 13 years ago | (#456629)

That's a rather tough assessment of Javascript. It certainly has its flaws, but on the other hand, it has made a lot of interactive Web-based applications possible that wouldn't have been doable otherwise.

Javascript has been standardised by ECMA for some time. There have been many security issues, but it's not clear that alternative technologies for doing the same things would have been safer.

Security models? (5)

gattaca (27954) | more than 13 years ago | (#456632)

Surely the problem is not with HTML or Javascript in emails at all - its more to do with the fact that email browsers have a poor (if any) security model.

One of the good things about client-side Java (rather than Javascript) is that it runs in a sandbox with a well defined security model that doesn't allow, for instance, content to be uploaded from the client machine unless you specifically say that that's OK by jumping through various hoops.

The post refers to two problems: firstly, Javascript making a connection from a client machine when the client user doesn't want that to happen, and secondly, mailreaders allow modifications (such as adding content) to an HTML document, but do not distinguishing between the original copy and the modified one. (By warning of embedded Javascript, or content stripping, or whatever).

The problem is more to do with client browsers having a crap security model rather than the idea of having HTML or Javascript in an email in itself.
I guess that most people who read or post to slashdot are happy with being able to use markups in their posts so they can italicise or embolden things or add links. HTML in text is a Good Thing here, are emails that different?

Active content is another step along the way, but I can't see that it is a Bad Thing, if the security model is good. I don't know enough about Javascript to comment about whether this is possible. Any comments?

Re:Another reason to stick to the RFC (2)

boing boing (182014) | more than 13 years ago | (#456633)

I do believe that I agree with you that everyone should stick to non-HTML mail, but one HTML capability should be in all mail forms, and that is HTML links. I can't tell you how many relatives that I have that couldn't possibly figure out how to copy and paste something into their browser. Links are a necessity, but lets get rid of javascript and images right now.

Re:Minor Nitpick (2)

roca (43122) | more than 13 years ago | (#456636)

The DOM APIs are not "totally nonstandardized". In fact they have been standardized by the W3C. The APIs supported by Mozilla/Netscape6 are basicallly just a little less and a little more than W3C DOM2. Konqueror is catching up fast. Opera is lagging behind a bit but is basically on the same path.

Only Microsoft, and WinIE in particular, are deliberately avoiding proper support for the standard DOM. But the subset of the W3C DOM that works in IE 5.5 is actually quite large and very useful.

Re:No free reg (1)

Karoshi (241344) | more than 13 years ago | (#456638)

Use as user/pass combination a/a (or was aaaaa/aaaaa for sites that require longer pwds), that works for most sites.

Simple Fix: Edit sendmail.cf... (3)

BigBlockMopar (191202) | more than 13 years ago | (#456639)


Here's a simple fix. Edit sendmail.cf.

Make a filter:

Any e-mail that comes to you with X-Mailer: Microsoft Outlook Express 5.50.4133.2400 or similar in the headers, gets relayed to /dev/null.

Soon, the Windows proles will realize that sending to you is fruitless and will eventually go away.

Okay, fine, it's not practical, but it would still be fun to do.

Or, you could use Outlook's many vulnerabilities to break into your boss's computer and change his Windows startup tune to this [216.138.194.68] in order to prove the point.

He doesn't use Outcast any more. I consider that to be a victory.

Re:Enable Javascript for Mail and News (1)

Evil Grinn (223934) | more than 13 years ago | (#456640)

They are aware that you can turn off javascript, but what if the person you forward your mail to hasn't turned off javascript?

My question is, why in the world would does the browser have it turned on by default? The end-user should have to go out of his way to enable JavaScript in email, not the other way around.
---

Re:Just don't use HTML Mail! (1)

Korth (50341) | more than 13 years ago | (#456641)

Oooh! That's a great idea. Lets go back to the glorious days of ASCII art, fixed width fonts, before the days you could use hyperlinks, or maybe back to the wonderful ASCII tables.

Although a great deal of the HTML features are utterly useless in a E-mail (e.g. scripting languages and JavaScript), sometimes the benifits of HTML mail are important.

Javascript =! Email (1)

Rotten (8785) | more than 13 years ago | (#456643)

That's all.
If I send the key for my front door in a transparent envelope, my doorlock is safe, the problem is my stupidity.

we're always at the mercy of neighbours (2)

CarrotLord (161788) | more than 13 years ago | (#456644)

no matter if everyone used pine for email, we would still be vulnerable to our friends' email stupidity -- for eg, I often get forwarded chain letters from friends who include my address along with the "CC this email to spammer@spamcity.com to win your prize" address... the biggest bugs in out email systems are people...

rr

Another reason to stick to the RFC (3)

Masem (1171) | more than 13 years ago | (#456645)

A few weeks back we had a discussion here about a new email client for Linux that was 'compatible' with LookOut, including support for HTML email. I posted a small rant on why that's not a feature, but a bug, and a few called me a ludite.

*THIS* type of vunerability is exactly one of the reasons that you should not be using HTML for email, particular with the email clients that use an embedded browser window to display the information. Because not only do you as a malicious email sender gain access to the bugs that arise from the email client itself (eg the ability to email everyone in the address book from a script), but bugs inherit from the browser.

The email RFC says to stick to plain text for all messages, and if you do that, the only bugs that you will encounter will be those that are from the mailers, and it will be very hard to trigger security problems such as this. You might complain about losing formatting and such, but that's also why the Rich Text format was developed; it carries enough of the HTML formatting that some need to emphasis email but none of the deadweight that can trigger security and privacy violations. Unfortunately, RTF wasn't highly accepted and after MS did a nice 'embrace and extend' of it, it was pretty much worthless.

Enable Javascript for Mail and News (3)

Phaid (938) | more than 13 years ago | (#456646)

There's an option in Netscape to specifically turn off Javascript support for mail and news - under the Preferences->Advanced tab.

I've been using that as long as I can remember, mainly to prevent Usenet spam posts from launching browser windows and such. I guess now there's an even better reason for it.

Of course, for mail I use pine and tkrat in console and X respectively, so I dont really care much about this.

Re:That's Why..... (2)

dattaway (3088) | more than 13 years ago | (#456647)

You live in a dull grey world.

I enjoy the soft glow of phosphorescent dots building the font's character.

I suspect you'd be happy in pre-reform Russia, where there was none of that annoying advertising or any bright colors on the street.

I suspect you live in Redmond, where Bill and his partners would never advertise you with any bright colors or loud music.

The Linux command prompt is a hairshirt of denial.

Whatever cranks your tractor.

Re:Minor Nitpick (2)

roca (43122) | more than 13 years ago | (#456652)

It was the marketers. The engineers originally called it Livescript but the marketers wanted to capitalize on the Java hype.

That's Why..... (1)

matth (22742) | more than 13 years ago | (#456658)

That's why I use PINE =) I seem to be un-touched by e-mail viruses, and other stuff heheheh

Security (2)

mheckaman (149644) | more than 13 years ago | (#456665)

That is the unfortunate truth to security; things are only as secure as the weakest link. I would argue that until the current state of email clients, usages, and so forth changes; we should have zero expectation of privacy in email. I would love to think [P]GP[G] will change the world in email privacy, but I suspect that Joe User will just get their key stolen through a javascript hole in their web browser (AKA mail client).

Matt

Re:AOL not affected? (2)

Keel (11611) | more than 13 years ago | (#456667)

AOL's email client is not OE. It has inferior capabilities. Although many in this discussion apparently think that is a good thing.

Re:That's Why..... (3)

DeadSea (69598) | more than 13 years ago | (#456668)

Hotmail is said to not be vulnerable. I belive that hotmail (and many other web based email providers) strip out all but some allowed subset of html (sort of like slashdots allowed html in comments.) I use Eudora and when I send a forwarded message it asks me if I want to send it plain or styled. I always select plain.

I believe that any email that passes through webmail, or has html stripped by some email program like Eudora will be innoculated.

Add this to the list of things that web mail programs will have to check for though....

Re:Active vs passive content in emails (1)

EllisDees (268037) | more than 13 years ago | (#456669)

Whilst technically you can convey whatever information you want through the use of plain text (maybe using some *emphasis*) and attachments, for many this is a solution which is less convenient for them - it requires more clicks or keypresses to access, and doesn't present the information in quite such an integrated manner.
How does it require more clicks to send a simple text message than to send some nasty html-formatted mess? All you have to do is start typing!

Re:Turn Off JavaScript (1)

Anonymous Coward | more than 13 years ago | (#456670)

Disableing javascript on your own system won't necessarily help. If you forward a bugged message to someone that has javascript turned on in their email client, you're still hosed.

Re:"I can be careful, I'm still vulnerable." (1)

xjimhb (234034) | more than 13 years ago | (#456671)

But ... but ... but ... If I didn't have HTML e-mail capabilities, how could I subscribe to critical information ... like the daily "Foxtrot" which our local paper only carries on Sunday???? I mean, some things are IMPORTANT!

By the way, they mention Netscape Messenger 6 - are the older versions of Netscape (4.7x) immune? They do have the "Javascript on E-mail" switch, so one would assume thet do something with it.

Re:That's Why..... (1)

MackE (97937) | more than 13 years ago | (#456672)

Probably the best prevention is for the virus scan folks to build in a check for javascript in e-mail. Of course not everyone has a virus scanner on their machine that checks inbound e-mail, but I'll bet on that over getting everyone to turn off javascript in their reader. :)

This much has always been true... (2)

somethingwicked (260651) | more than 13 years ago | (#456687)

If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.

This much has always been true in ANY private communication. The point of failure will always be what steps the recipient takes/doesn't take to protect that information. In order to communicate with another humna being, this risk is inherent.

Singing "Paranoia may destroy yaaa..."

Re:Security (1)

somethingwicked (260651) | more than 13 years ago | (#456688)

I suspect that Joe User will just get their key stolen through a javascript hole in their web browser

Joe User will leave his password and key and everything else you need on a post-it note stuck to his monitor

Solution (1)

Captain_Frisk (248297) | more than 13 years ago | (#456689)

I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable

For the extra paranoid, the solution here is not to forward the mail, but rather just copy and paste the text of the message into another message. This way the JavaScript doesn't get sent along with it.

If you were feeling especially feisty, I bet you could write some manner of filter that automatically strips the tags out of an email, preventing the scripts to operate on your machine, and preventing them from operating on other systems if you forward the message.

Besides, why would anyone here be forwarding email from someone who would do this?

Captain_Frisk

Dancing Babies and other Trojan Horses... (2)

SnapShot (171582) | more than 13 years ago | (#456690)

You don't need some technological trick to harvest emails. Just up a web page with an inane joke, animated gif, etc. and include a button that says, "Email to a Friend!". Voila! You've just harvested the email addresses of everyone who received an email from anyone who though the web page was even faintly amusing.

The only defence, until people start treating other peoples emails with more respect, is to keep two accounts. I personally only give out my work address, except to close and technically aware friends, at least then I get paid to read spam...

I've tried this also... (1)

Nerftoe (74385) | more than 13 years ago | (#456691)

it's compltely impossible to delete Outlook Express...

I've tried this also when I switched to Eudora.

Have you ever looked at your swap file and wondered what the heck was in it? Outlook Express AND Internet Explorer are always cached inside your swap file! Upon bootup, your Windows system looks to see if any essential programs are missing, and replaces them. :-)

Seriously though, those files have to come from somewhere.

Active Content Has Its Uses (2)

amnesty (69314) | more than 13 years ago | (#456692)

I think that HTML has its place in the email world, whether we like it or not. At work our help desk has to respond to emails from other internal departments where they are having trouble with something. And anyone who's tried to help out a friend who doesn't know too much about computers should realize that its incredibly hard to use the phone or even a text email to convey how to do things.

Even the syntax Start -> Settings -> Control Panel -> Display Properties confuses most of them. So the solution that works is to put screenshots to illustrate how to do it. There really isn't any more elegant way short of physically finding the caller and working at his/her desk.

So agreed, we open up the security can of worms when we allow HTML. Perhaps there are solutions... non-HTML ways? Or only allowing internal email html to access resources (images) on the internal network? But many workplaces have important uses for the extra features with HTML, so instead of choosing the easy way out, (abolish HTML) perhaps we can find a better solution, if only out of necessity.


Re:Another reason to stick to the RFC (1)

swb (14022) | more than 13 years ago | (#456693)

I agree with the idea that, generally speaking, email should be plain text with formatting only existing in terms of the usual text formatting technqiues, such as newlines, *emphasis* and so on,

There's a lot of people that want formatting -- is there a way to accomplish it without using HTML? The problem with HTML seems to me is that once you use HTML, people expect it to act like a browser rather than be a pure formatting. The other problem is the one you highlight, that developers (MS, mainly, but I'm sure others might fall victim) will re-use web display engines which open up the vulnerabilities.

Is there another formatting "language" which could get applied without going down the HTML path? I supposed not for MS products, since anything that had any kind of cross-platform compatibility would be embraced and extended into insecurity by MS.

Possible solution (2)

JCCyC (179760) | more than 13 years ago | (#456710)

Sneakemail [sneakemail.com]. Although you'll have to obliterate every email address you currently use, establish a new one and never ever EVER give it to anyone. You only give away aliases created by Sneakemail. The moment one of them is used to send you spam, you delete it.

I'm seriously plan to start using it Real Soon Now(TM), but getting rid of the current ones (and redoing all the subscriptions etc etc) will be a PITA. Yeah, I'm lazy. Sue me.

Re:Another reason to stick to the RFC (1)

david.given (6740) | more than 13 years ago | (#456712)

*THIS* type of vunerability is exactly one of the reasons that you should not be using HTML for email, particular with the email clients that use an embedded browser window to display the information. Because not only do you as a malicious email sender gain access to the bugs that arise from the email client itself (eg the ability to email everyone in the address book from a script), but bugs inherit from the browser.

I'm currently in the process of writing a mailer. (http://sqmail.sourceforge.net, if anyone's interested.) I'm including HTML rendering, because we use it at work, but I am determinedly *not* implementing Java, Javascript, image fetching, or indeed any kind of implicit networking by the HTML document.

I'm thinking about allowing cid: URLs to access images sent in the mail message itself, but can't seem to find any reference for these. It may be an Outlookism.

Oh, yes, and the mailer has no ability whatsoever to generate HTML messages. Plain text only.

The simple solution is... (1)

digidave (259925) | more than 13 years ago | (#456714)

Never forward messages. The 'evil' JavaScript isn't going to be in an email from your boss asking you to send him some report, is it? Quit forwarding those damn jokes and chain mails and get your lazy ass back to work. As someone who never forwards anything unsolicited to anybody, I don't see how this affects me and, quite honestly, I'm a little shocked that so much of the /. crowd does forward stuff. Aren't you guys just poliferating this shit?

It just occured to me that I can probably remove the 'Forward' button in Outlook (I love MS's cool modifiable toolbars). I'm going to go take that sucker out right now :P

Re:Wrong! RTFA! (2)

Jerf (17166) | more than 13 years ago | (#456715)

Last month, I received an email out of the blue from Carl Voth, of British Columbia. Expanding on my research, Carl had discovered an interesting "feature" in certain popular brands of email readers. Using a little bit of JavaScript code embedded in an email message, he found that not only could the sender of a message be notified when an email is opened, but the sender could capture the text of messages when the email is forwarded.

Who labelled the parent of this message insightful? RTFA!

Re:Another reason to stick to the RFC (1)

Cire (96846) | more than 13 years ago | (#456716)

The email RFC says to stick to plain text for all messages


That's all well and good, but let's face it: Most people want colored email. They want to be able to change the font size of their emails, and have bold and underline and italic. All things you can not do with plain text.

You can quote RFC's till the cows come home, but people still want red text.

What we really need is a program that will let you turn off javascript for emails while leaving it on for browsers

Easy fix... (2)

thechink (182419) | more than 13 years ago | (#456717)

I use Outlook Express (flame me later), I have disabled all scripting AND only reply or forward in plain text (OE can be setup to do this by default). This way there is no forwarding of any scripts. I'm sure Outlook can be configured the same.

WONT WORK: Re:UNcheck "Enable Javascript for Mail (1)

Seinfeld (243496) | more than 13 years ago | (#456718)

That will only work for e-mail YOU send. The JavaScript code will still be in the message, and when Joe Recipient gets the message, he won't have JavaScript turned off, so his reply/forward will be sent to the person who bugged the e-mail -- and if your message is quoted in the reply/forward, yours is sent too. So unless you can guarantee that every recipient of the message has JavaScript turned off, and everyone they send it too has it turned off, and so on, your privacy is at risk. It's like the reverse of a spread of a disease. Anyone downstream can affect the upstream people.
-----------

Re:Reversed Use (1)

Steeltoe (98226) | more than 13 years ago | (#456719)

"... Instead of freaking out over every exploit that pops up and scrambling to get patches, I wonder why people don't use it as an opportunity to their own benefit for the greater good."

It's because it won't solve any problem. The spammers will switch to a more RFC-compliant email reader or turn off JS.

On another note, aggressive action has never fixed any problems in this world. You can shoot and imprison people, but it won't fix the root problem.

- Steeltoe

Re:Another reason to stick to the RFC (1)

ethereal (13958) | more than 13 years ago | (#456720)

That's amazing, because I'm not sure that I've ever communicated with anyone who was able to actually use different fonts, colors, etc. to make a real difference in their emails. I have never received an email where the extra formatting made me think "wow, this is so much better than just plain text". Most of the time I think "damn the sender to Hell for making me squint at their tiny fonts!". Has anyone ever seen a worthwhile HTML email? Don't even get me started on the people who email you a whole web page rather than just sending you a link to it...

I would be thrilled to have an option in Netscape to format incoming HTML-ized email as plain text, removing all tags and replacing paragraph tags with newlines, etc. To never look upon HTML email again would be a blessing indeed.

If you _have_ to forward jokes... (1)

yerricde (125198) | more than 13 years ago | (#456722)

Quit forwarding those damn jokes and chain mails and get your lazy ass back to work.

If you feel you need to forward that joke, feel free to write it up on Everything [everything2.com] and forward the URL. Takes up a lot less bandwidth that way, and sending it as plain text excludes the possibility of malicious EcmaScripts.


Like Tetris? Like drugs? Ever try combining them? [pineight.com]

Re:Our organization (1)

ethereal (13958) | more than 13 years ago | (#456723)

What's a malay? I mean, other than a resident of Malaysia? Were you both aiming for "malaise", or what? Not that "malaise" would make any sense either...

Re:Enable Javascript for Mail and News (2)

iceT (68610) | more than 13 years ago | (#456738)

That is true, but as soon as you give your email address to ANYONE, you're at the identical risk you are pointing out. Ever been to Bluemountain.com, or hallmark.com? Someone you know decides to send you a 'free' card, and voila, your email is compromised.

There are certain risks with your information, and as soon as you give that information to ANYONE, you are subject to their sensiblities.

An email address that no one knows is nothing...

Delete the Javascript in your reply (2)

scruffy (29773) | more than 13 years ago | (#456739)

I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.
I don't quite understand this comment. Can't you protect yourself by just deleting the Javascript in your reply? Is this nontrivial to do in these HTML mail programs?

Your neighbor could, of course, copy your message into another message with the Javascript.

dip in NY Times tech reporting? (1)

barryi (216032) | more than 13 years ago | (#456741)

I'm used to a more informed persective from the Times. The reporter (Harmon) was writing from a newbie-ish "everyone reads email using a web browser or Outlook in Windows" sort of perspective. "Right-click on the message body" and instructions about the resulting "view source" menu option is even suggested with no mention of software or OS, at best confusing poor Macintosh users. Weird. No mention of the real story, how new risks are created by ill-considered fancy features. No mention of how many in the know deal with this (I've never had Mutt run Javascript yet...)

I've seen omissions / lacks of understanding of this scale and greater in the past few months in Times articles. Why is the newspaper of record getting worse in its technology reporting?

Re:Another reason to stick to the RFC (1)

thimo (36102) | more than 13 years ago | (#456742)

Here, here... What a lot of people seem to be missing is that this "thing" is not a bug, not even an vulnerability, it's a *feature*, standard HTML/webpage behaviour. Stop using HTML in your mail! I don't want it, you don't want it either!!! Educate people on why they shouldn't want it and why they don't need fancy make-up in email and what overdoing fancy stuff can lead up to.

Now, stick to not sending HTML to college's/friends and how could this vulnerability live on? The JavaScript bug comes from a third party, contained in the HTML. Don't forward the original HTML and the bug stops. Period! New message? No bug! Simple. No HTML.

Cheers,

Thimo
--

Re:That's Why..... (1)

NonSequor (230139) | more than 13 years ago | (#456743)

Yeah, but wouldn't it overflow some buggy version of Sendmail first?


"Homo sum: humani nil a me alienum puto"
(I am a man: nothing human is alien to me)

Re:Minor Nitpick (1)

NonSequor (230139) | more than 13 years ago | (#456744)

As I remember, Javascript was originally to be called LiveScript or some such nonsense.


"Homo sum: humani nil a me alienum puto"
(I am a man: nothing human is alien to me)

Minor Nitpick (4)

Carnage4Life (106069) | more than 13 years ago | (#456745)

But you're only safe if everyone else uses Pine, and everything they know uses, etc. Just need one java-enabled mail program in the link and everything's compromised

Javascript isn't Java, they aren't even related in any way. Java is the architecture-neutral, object-oriented, portable, distributed, robust and secure programming language created by Sun Microsystems that can be used to create applets or standalone applications. Javascript is a scripting language originally designed for embedding in browsers which was created by Netscape in a braindead attempt to win the browser wars which instead fragmented the HTML and brought major insecurity to the web.

Finally I doubt that any email clients are actually Java enabled (i.e. can launch applets, etc).

Grabel's Law

Re:Minor Nitpick (2)

Fnkmaster (89084) | more than 13 years ago | (#456746)

And why we continue to use this mistaken nomenclature is beyond me. The associations are common but the technologies are only superficially related. Javascript has a heinous, disorganized API, is weakly typed, etc. ECMAScript is a standardization of the base Javascript API and syntax. Javascript embedded in the browser lets you access the in-browser document via some level of DOM-alike API (although these are totally nonstandardized, as we all know - this is generally known by the also-misused nomenclature DHTML, which just means using CSS and layer-type things with Javascript as the active event control structure.

Java may be used in the applet framework, and that may have been part of the early vision of Java but that's now just a sideline to server-side Java, where the ability to build large scale apps without the syntactic complexity of C++ lets you push out business logic with fewer worries about internals.

In general though, the languages are often perceived as a combination of syntax, general usage characteristics, and standardized/available APIs. Java is incredibly different from JavaScript in all of these ways, and the association with "the web" is an artifact of one particular use of Java.

Re:Another reason to stick to the RFC (1)

BlowCat (216402) | more than 13 years ago | (#456747)

Make sure that your browser warns the user about embedded javascript and any external references (images, applets etc). It's better if you know about the malicious intent of your correspondent.

Please make sure that not only the messages written in your client don't have any HTML tags, but also that all the messages quoted or forwarded by your client are free of them.

Bye Bye trade secrets! (was Re: Active vs passive) (1)

Bloody Peasant (12708) | more than 13 years ago | (#456748)

: ...And in the business world the phrase "time equals money"
: has been given the status of a law...

If that's the case, then the business world should be one of the first communities demanding that javascript be stripped from all e-mail clients. Can you spell trade secret, as in leakage thereof, and the losses likely encurred as a result?

Re:Another reason to stick to the RFC (2)

Greyfox (87712) | more than 13 years ago | (#456749)

I can't think of any reasonable use of HTML in E-Mail. If you want someone to look at your HTML, send him your fucking URL already.

Perhaps all us text based mail people should start enclosing our mails in HTML flash tags...

Re:Minor Nitpick (1)

Anonymous Coward | more than 13 years ago | (#456750)

The creator [netscape.com] of javascript, and he's proud of his job!

Re:That's Why..... (1)

Yoshi Have Big Tail (312184) | more than 13 years ago | (#456751)

Oh well.

But you might as well say that as you won't leave your house, you're untouched by street crime.

While it's true, you're missing out on a lot. Personally I prefer to live life to the full.

Email tracking (2)

delmoi (26744) | more than 13 years ago | (#456755)

forward this message to all your frends! Microsoft corp is going is conducting a test of email tracking software, will pay you $2500 for every message you forward. Intel, AOL, ICQ, and Disney corp are also somehow involved!

Heh, this I find interesting. I remember swareing up and down that getting a virus through email was imposible once, to.

So, does this means..... (5)

carlos_benj (140796) | more than 13 years ago | (#456757)

...that Bill Gates can track how many people I forwarded that email to now? Gosh! I'm sure my check must be in the mail already.

AOL not affected? (1)

leviramsey (248057) | more than 13 years ago | (#456760)

I thought that AOL's email client was a port of OE. If that's so, then why is AOL immune to this security hole (a possible first)?

Re:That's Why..... (3)

nomadic (141991) | more than 13 years ago | (#456761)

But you're only safe if everyone else uses Pine, and everything they know uses, etc. Just need one java-enabled mail program in the link and everything's compromised.
--

Re:Active Content Has Its Uses (1)

Stonehand (71085) | more than 13 years ago | (#456766)

You could put up a separate web page, and put the URL (in plain text) in the message, if for some reason they NEED the HTML version. Surely a bit of cut-and-paste won't kill 'em. Then ask them to mail you back when they don't need the page anymore, unless you're planning to keep it online in case it's an FAQ.

Or, since your org probably has a printer, keep some .ps / .pdf files around and direct the users to them. They can easily obtain a nicely formatted copy, which could be put in a binder, tray of fliers, or what not...

Re:Active vs passive content in emails (1)

irksome (106742) | more than 13 years ago | (#456767)

Most users who send HTML e-mail have no idea that they're sending the HTML. They don't have to type out all the code, they just use their favorite mail program, which adds the HTML tags on it's own.

-

Java isn't Javascript (4)

Carnage4Life (106069) | more than 13 years ago | (#456768)

All I have to say is that if you think Java is insecure

Java is rather secure as can be seen by reading any of the numerous [securingjava.com] articles [securingjava.com] on the web about it [uct.ac.za]. Javascript on the other hand is a disaster which was foisted on us by Netscape and excarberated by Microsoft.

PS: You do realize that the NY Times article [nytimes.com] is discussing a Javascript exploit and not a Java one, right?

Grabel's Law

Re:Minor Nitpick (2)

joto (134244) | more than 13 years ago | (#456769)

Javascript isn't Java, they aren't even related in any way. Yes, they are. Both contains the word Java in their name (with the possible exception of ECMAScript). Both are associated with the web. Both can be run on the client side. Their syntax looks somewhat superficially similar.

But of course, these are about the only similarites involved. Not too surprising, that is enough to confuse most people.

I hate netscape engineers (or was it marketers) for coming up with the name javascript, if they had called it anything else, most people wouldn't have this problem.

Re:Another reason to stick to the RFC (2)

MikeTheYak (123496) | more than 13 years ago | (#456770)

Maybe because you don't have your own web site? What I don't get is why HTML mail can't simply be sandboxed - no scripting, no initiation of HTTP requests, etc. There's no reason I can think of that HTML couldn't be used for text formatting.

Failure of non-HTML text formatting... (2)

singularity (2031) | more than 13 years ago | (#456771)

Eudora used to include the ability to generate formatted, but non-HTML, text. It included everything you mention, and did not include any networking-specific code. It failed (no one else started to use it, so it was Eudora-specific, and HTML mail became all the rage). It would be a great idea of someone would write up a subset of HTML as an RFC that could be used simply for text formatting (STRONG, BLOCKQUOTE, etc. - maybe even TABLE) for email use (and I would image there are many other uses, as well).

Text/enriched seems to cover this (RFC 1896), but that is Eudora's failed attempt.

I would look for most mailers to move to where they get rid of image-fetching and JavaScript.

Filter out "script" tags. (1)

biftek (145375) | more than 13 years ago | (#456772)

Perhaps we should all set up a filter to look for script tags in messages and tag them so they can be dealt with? Would be a wise move IMO.

Re:Another reason to stick to the RFC (2)

Ed Avis (5917) | more than 13 years ago | (#456773)

It's a reason not to implement JavaScript or other scripting languages; it's a reason not to automatically fetch from the Web images and other objects embedded in messages. It's a reason not to do anything network-based just because of what you've received from an untrusted sender.

But to blame this on HTML is mistaken. HTML is just a language allowing you to mark up paragraphs, headings, lists and so on. The problem comes from those who are implementing HTML readers and making them automatically execute fragments of code and automatically download images which are linked to.

Re:Failure of non-HTML text formatting... (2)

roca (43122) | more than 13 years ago | (#456774)

There is XHTML Basic, which is a little subset of XHTML suitable for text messaging. I haven't checked to see if it includes inline images or scripting.

Re:Active Content Has Its Uses (2)

Alien54 (180860) | more than 13 years ago | (#456775)

I think that HTML has its place in the email world, whether we like it or not. At work our help desk has to respond to emails from other internal departments where they are having trouble with something. And anyone who's tried to help out a friend who doesn't know too much about computers should realize that its incredibly hard to use the phone or even a text email to convey how to do things.

The uses I can think of are SPAM - and teenage entertainment.

As far as advertising goes, it would be better so send a person to the legitimate company webpage. Then we can contact the service provider, and get their account cancelled.

As far as teenage entertainment, I suppose there is no accounting for tastes, and I can tolerate occasional emails with fluttering hearts and excessive cuteness from my little sister. (it's family after all)

In a business context, there is a need to get sales types more clued in. I have heard more war stories of sales types getting sent full fize presentation files as attachments in email while on the road on a flaky dial-up, never mind the clients that receive a flash website in their email. There has to be a better solution for that kind of stuff.

Re:Security breach scoreboard... (1)

Nickoty (313029) | more than 13 years ago | (#456776)

This demonstrates something common when Linux-people complain about MS.. Spending hours (days!!) setting up X & co is ok, but even going thru the menus in IE5 is 'too much work' for some strange reason. An actual linux-zealot I know complained about the silly 'Go!'-button right of the URL field in IE, and about the fact that IE doesn't do 'autocompletion' of URLs as you type them, and that the smooth scroll is silly, and that those 'friendly error messages' are stupid. All of these are just checkboxes in the configuration. Wierd!

Re:Another reason to stick to the RFC (3)

roca (43122) | more than 13 years ago | (#456777)

The RFCs do NOT say to "stick to plain text for all messages". There are a number of MIME RFCs that are explicitly designed to make it possible to send anything you want in email.

HTML email may or may not be a good idea, but don't try invoking the RFCs to stamp it out, because they're not on your side.

Re:That's Why..... (2)

larien (5608) | more than 13 years ago | (#456778)

Bzzzt! There was a buffer overflow in pine a while back which was potentially exploitable. In short, you could send a message with a sufficiently long Subject: line and overflow an unchecked buffer.

In true open source style, the bug was fixed pretty quickly and recent versions are, AFAIK, safe.
--

Re:That's Why..... (2)

iapetus (24050) | more than 13 years ago | (#456779)

I tend to find PINE preferable to most graphical e-mail clients anyway, of course. It's fast and easy to use, I can access it from anywhere, and it isn't prone to all these nasty e-mail viruses. And if I want to view that ugly 'enhanced' content that only spammers seem to send, a tap of the return key loads it into Lynx. :^)

Too bizarre, also almost too unbelievable. (1)

dave-fu (86011) | more than 13 years ago | (#456780)

I wasn't aware that JavaScript had any object model to interact with outside of its context as a web page or what have you, which is to say: using JS, I can't detect when the back/next button is clicked and use it to trigger an event.
Apparently (according to the "Privacy Foundation"'s website [privacyfoundation.org], it piggybacks onto the base functionality that some clients provide that notify you when someone has read your message, and add in text to the payload when someone forwards (responds?) to the message.
They also claim that this has been in the wild since '98 at least, despite no big hubub over it? Fishy, fishy, fishy. I'm waiting to see the 'sploit code to buy it myself.

Our organization (2)

AntiPasto (168263) | more than 13 years ago | (#456781)

relies heavility on Pine on BSD....... is it safe to say we're pretty resilient to any kind of email malay?

----

"I can be careful, I'm still vulnerable." (4)

MoNickels (1700) | more than 13 years ago | (#456782)

Another reason HTML email is bad, besides: wasted bandwith and storage space, slow loading times, cruddy appearance in text interfaces, interference of ads in personal messages, tracking users' habits by matching email address to cookie, bad cross-platform compatibility, necessity of being connected to view it as intended, being filtered or bounced by no-HTML mail lists, etc., etc. It's not really that much of a surprise.

Active vs passive content in emails (3)

sharkticon (312992) | more than 13 years ago | (#456783)

This is going to further fuel the debate over whether or not email and news posting should consist of active (JavaScript, DHTML and so on) or passive (plain text, HTML) content. I suppose really it depends on what sort of person you are.

Whilst technically you can convey whatever information you want through the use of plain text (maybe using some *emphasis*) and attachments, for many this is a solution which is less convenient for them - it requires more clicks or keypresses to access, and doesn't present the information in quite such an integrated manner. And in the business world the phrase "time equals money" has been given the status of a law, with companies paying out huge sums of cash to time management consultants and the like. These people don't want any extra time or hassle in their emails, not when they're receiving well over a hundred every day.

For business types active content and embedded files mean more productivity and an easier email experiance. They're not concerned about privacy issues, and if they are then well, it's the job of the IT guys, right? So this sort of bug is inevitable - either you cripple active content - somthing that's too late to do - or you try and provide rock solid security - a challenge people seem only too willing to take on.

It all depends on a) your willingness to expose yourself to risk, and b) your desire for presentation and convenience. Seeing as the web has moved from text-based to graphics-based in the majority, I think the future of email is going to be the same, whether we like it or not.

Desensitized (2)

tethal91 (263165) | more than 13 years ago | (#456784)

I think that I should be worried or annoyed by this but I (we) are so used to security holes, lack of privacy online, and spam that the general level of interest I can come up with is pretty minimal. On the one hand, its pretty sad that there is so much of this stuff that we are desensitized to it; on the other hand, the Internet is still like the Wild West in a sense - its a frontier with the requisite frontier mentality. I'm sure this has been said elsewhere better than I am saying it, but I think that the dynamic of those pushing the boundaries with advances versus those who try to expolit those boundaries versus those that try and stop them creates a better future world. Those of us on the fringes may be the occasional casuality, but maybe, just maybe, its for the greater good...

Re:Delete the Javascript in your reply (2)

roca (43122) | more than 13 years ago | (#456789)

I think you're right. The mail client should be configurable not just to ignore Javascript in HTML email, but actually strip it out completely before forwarding/replying/etc.

Someone should hack this into Mozilla right away.

Re:Easy fix... (1)

Nickoty (313029) | more than 13 years ago | (#456790)

Yeah, problem with MS product is just that you typically need to invert essentially all configuration options before you can start using the program. They obviously come pre-configured for those who don't know how to change configuration.

Re:That's Why..... (1)

Nickoty (313029) | more than 13 years ago | (#456794)

Somebody always mentions this jokey fact yes.. It shouldn't be forgotten that any other mail client would do just fine, even Outlook & co, provided they are sanely configured. PINE just doesn't offer the lame options.

Re:Turn Off JavaScript (1)

ColdGrits (204506) | more than 13 years ago | (#456796)

Spot who didn't READthe article (or even the summary)...

It doesn't matter if YOUR email client is javascript enabled or disabled, if the person you are emailing has theirs enabled.

Nex ttime, read the article before commenting, huh?

--

Re:Another reason to stick to the RFC (1)

Evil Grinn (223934) | more than 13 years ago | (#456799)

Has anyone ever seen a worthwhile HTML email?

For things like ordered and unordered lists, tables (not for page layout!), and such, yes HTML can be helpful in email. These are things that you can easily do without, but which can sometimes make it much easier to say what you mean.

Unfortunately very few people use it like that. There is no excuse for using JavaScript in email.
---

the point (4)

www.sorehands.com (142825) | more than 13 years ago | (#456800)

The point I was trying to make is that even with javascript turned off, the information is sent. The original piece gives the impression that if everyone turned off javascript, you'd be safe.

Re:Our organization (2)

roman_mir (125474) | more than 13 years ago | (#456803)

If your organization only uses email for internal communications then yes. If there are external contacts you make via your email, then no. Basically it does not matter what you do, it matters what other people you email to do, and probably the people who communicate with the people that you communicate with do, etc.etc.etc. Basically this means we are all screwed.

Re:That's Why..... (1)

Dodger_ (51556) | more than 13 years ago | (#456804)

What the heck is a person missing out on when they use pine or mutt(my choice)? Badly formatted html with atrocious use of fonts and colors? An email that takes minutes to load because it connects to 20 sites to download pictures and other assorted garbage? I would not call receiving email of this nature, "[living] life to the full".

Reversed Use (1)

expiredmilk (213257) | more than 13 years ago | (#456805)

Anyone consider the possibility of doing the same, but targeting the people who we'd ALL love to get rid of? I'm talking about Spammers, of course. Email bug, non-malicious javascript coding that "phones home" and gives you information about Spammers, if the reply to address or postmaster sent @ spammer domain email is opened. Hmmm... Instead of freaking out over every exploit that pops up and scrambling to get patches, I wonder why people don't use it as an opportunity to their own benefit for the greater good.

Re:That's Why..... (2)

gowen (141411) | more than 13 years ago | (#456806)

Thats why its imperative that people get back into the habit of *trimming their messages* instead of quoting absolutely everything they recieved.

Re:That's Why..... (2)

dattaway (3088) | more than 13 years ago | (#456807)

There was a buffer overflow in pine a while back which was potentially exploitable.

I use pine. You have my email address. Now try it.

you're looking at this the wrong way (1)

tenzig_112 (213387) | more than 13 years ago | (#456808)

Imagine all the cool things you can know about your neighbors now - and how easy it is to spilunk their email.

I've been thinking of joining the @home service just so I can crack into my neighbors' browser histories and caches. At the next homeowners association meeting, I won't say a word. I swear.

www.ridiculopathy.com [ridiculopathy.com]

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...