This story appeared on Network World Fusion at http://www.nwfusion.com/columnists/2002/0610bradner.html

'Net Insider: Pretty is as pretty does

By Scott Bradner
Network World, 06/10/02

Fellow Network World columnist Mark Gibbs likes pretty e-mail. Or so his May 27 Gearhead column would have us believe. But I hope that he won't send me pretty e-mail when he sees this column because he will get the letter back unread (see more thoughts on the subject from Gibbs).

I don't know who came up with the idea of using HTML - the protocol used to describe the appearance of Web pages - in e-mail, but it seems to have been done without much consideration of privacy and security implications.

HTML e-mail can sure be pretty, or is that pretty annoying? The program that Mark gives such a high grade to sounds like it could do a nice job of putting together an e-mail message, complete with colors and sound effects, that I would not want to get first thing in the morning.

But the reason Mark, or anyone else who sends me an HTML message, will get it automatically tossed back has nothing to do with the fact that the mail might contain a tinny version of the "Ride of the Walkure." I bounce HTML-based e-mail because it is a threat to the security of my computer and to my privacy.

This column is far too short to list all the ways HTML can be a security or privacy threat - Google gets 77,000 hits for "privacy + 'HTML e-mail'" and 20,000 for "security + 'html e-mail'" - but here are a few:

CERT has posted a dozen or so warnings of ways that HTML e-mail can be used to exploit vulnerabilities in buggy software. Some of the exploits are quite impressive - see the CERT Web site for more information. But the big threats do not depend on flaws in software to work - they operate even if the software is totally bug-free because they use features in HTML.

Kiss your privacy - what shreds you still might have left on the Internet - goodbye if you or your company accepts HTML e-mail.
The sender of the message can find out when and on what computer you read the e-mail. That person also can find out if you forwarded the e-mail to someone else, and who the someone else is and return a copy of the cover letter you sent with the e-mail to that someone. The same is true if that someone replies to you or forwards the e-mail to a third person and remains the case as long as the original e-mail is included. The original HTML e-mail sender also can stick a cookie including your e-mail address on your machine that can later be read by cooperative Web sites, even if you are trying to be anonymous.

There are many more threats and I could go on, but you get the not so pretty picture. Sorry Mark, I give the idea of HTML e-mail a minus 9 on your Gearhead scale.

Disclaimer: This time of year, as part of its fund-raising effort, Harvard is very pretty. But the university has expressed no opinion on pretty e-mail.

All contents copyright 1995-2002 Network World, Inc. http://www.nwfusion.com
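The read-tracking described in the column works through HTML elements that a mail client fetches from the sender's server as soon as it displays the message. As an added example (not part of the column; the tag list, the `audit` function and the sample message are all constructed here), this Python code reports whether a message carries an HTML part, which is the condition the column's bounce policy acts on, and which remote references would be fetched on display:

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser

# (tag, attribute) pairs that a mail client which loads remote content
# fetches as soon as the message is displayed, with no click needed.
AUTO_FETCH = {("img", "src"), ("body", "background"), ("td", "background"),
              ("table", "background"), ("link", "href"), ("iframe", "src"),
              ("script", "src"), ("embed", "src"), ("bgsound", "src")}

class _FetchFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            remote = (value or "").lower().startswith(("http://", "https://", "//"))
            if (tag, name) in AUTO_FETCH and remote:
                self.hits.append((tag, name, value))

def audit(raw: bytes):
    """Return (has_html_part, [(tag, attribute, url), ...]) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    finder, has_html = _FetchFinder(), False
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            has_html = True
            finder.feed(part.get_content())
    finder.close()
    return has_html, finder.hits

# Constructed sample message (example.com hosts, placeholder recipient id).
SAMPLE = b"""\
From: sender@example.com
Subject: constructed sample
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Hello in plain text.
--b1
Content-Type: text/html

<html><body background="http://img.example.com/bg.gif"><p>Hello</p>
<img src="http://img.example.com/open.gif?id=PLACEHOLDER" width="1" height="1">
<a href="http://www.example.com/">a link</a></body></html>
--b1--
"""
```

The ordinary `<a href>` link in the sample is not reported because it is only requested when the reader clicks it; the background image and the 1x1 image are requested on display, and each request hands the sender the time and the reader's network address.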