12.26.2006

Using e-mail safely


I recently posted to the news site Slashdot about some changes that have occurred in the Department of Defense and how they handle email.

According to Federal Computer Week, The Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks.

Instead of HTML formatting, DoD is going with plain text.

See my Slashdot article for the extended summary and see the original Federal Computer Week article for all the details.

Having said that, the security implications for you, the Average Joe, come down to two things:
  • images
  • programs
When we use Hypertext Markup Language (HTML) based email, our email client will show the words in the message AND will try to follow all of the "instructions" in the HTML portion of the email. These instructions can include things such as:
  • programming code (scripts): some HTML can contain scripts that can access your computer, damage your computer and/or open channels for the bad guy to achieve even more sophisticated access to your machine.
  • image requests: these basically phone home to the sender's computer to get a copy of an image. Such a request often carries a marker that tells the sender that you opened or previewed the message. This can confirm to spammers that your email address is active and may result in you receiving more spam.
Thus the risks of using HTML-based email are real. There are some things that you can do to minimize your risks:
  • Avoid HTML-based email altogether (the Typical User likes to see the pretty colors and pictures and likes to have bold and italics, so this option will generally be avoided)
  • Given the above, you can use modern email software that can be set to not run programming code or scripts and/or can strip out HTML tags entirely.
  • Use email software that does not show images (i.e., does not phone home) unless you give it permission.
My favorite email client that meets the above criteria is Thunderbird. You can download it here. There are other options out there, but I am most familiar with Thunderbird.
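To make the two risks above (scripts and image requests that phone home) and the "strip out the HTML" mitigation concrete, here is a small added example, written for this post rather than taken from the original article or from Thunderbird. It parses a constructed sample message with Python's standard library, counts the script blocks in the HTML part, lists the image sources that would contact a remote server when rendered, and produces a plain-text rendering with both removed. The sample message, its addresses and its tracker URL are all made up for illustration.

```python
"""Inspect an HTML e-mail for embedded scripts and remote image beacons,
and produce a neutralized plain-text version of it.  Added example for
this post; not code from the original article or from any mail client.
The sample message below is constructed for illustration."""

import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a multipart/alternative message whose HTML part
# carries a script and a 1x1 remote tracking image (the "phone home").
SAMPLE_EMAIL = """\
From: sender@example.invalid
To: reader@example.invalid
Subject: Your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review your account.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <b>review</b> your account.</p>
<script>document.location='http://tracker.example.invalid/x';</script>
<img src="http://tracker.example.invalid/pixel.gif?id=12345" width="1" height="1">
<img src="cid:logo@local">
</body></html>
--b1--
"""


class HtmlAuditor(HTMLParser):
    """Walks the HTML part, recording scripts and remote image requests,
    and collects the visible text so the message can be shown without them."""

    def __init__(self):
        super().__init__()
        self.script_count = 0
        self.remote_images = []   # URLs the client would fetch when rendering
        self.text_chunks = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.script_count += 1
            self._in_script = True
        elif tag == "img":
            src = attrs.get("src", "")
            # Only http(s) sources reach out to a server; cid:/data: stay local.
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are not part of the message the reader should see.
        if not self._in_script and data.strip():
            self.text_chunks.append(data.strip())


def audit_message(raw):
    """Return the script count, the remote image URLs, and a plain-text
    rendering of the HTML part (or the text/plain part if there is no HTML)."""
    msg = email.message_from_string(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        text_part = msg.get_body(preferencelist=("plain",))
        text = text_part.get_content().strip() if text_part else ""
        return {"scripts": 0, "remote_images": [], "text": text}
    auditor = HtmlAuditor()
    auditor.feed(html_part.get_content())
    return {
        "scripts": auditor.script_count,
        "remote_images": auditor.remote_images,
        "text": " ".join(auditor.text_chunks),
    }


if __name__ == "__main__":
    report = audit_message(SAMPLE_EMAIL)
    print(f"scripts found: {report['scripts']}")
    print(f"remote images (would phone home): {report['remote_images']}")
    print(f"safe text: {report['text']}")
```

Running it on the sample reports one script, one remote image (the `cid:` image is embedded in the message and does not contact anyone), and the plain text "Please review your account." The point of the remote-image list is the same one the post makes: each of those URLs is a request your client would send on your behalf, which is why a client that blocks them until you give permission is the safer default.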

Chalmer.
