Re: [Mid] HTML email as a security/privacy problem (long)

From: Iustinos Tekton called Justin <justin_at_4th.com>
Date: Thu 09 Oct 2003 06:55:34 PM EDT
Message-Id: <200310091855.34431.justin@4th.com>

On Tuesday 07 October 2003 22:28, Nikki Weston wrote:
> Coding also seems to this pseudo-geek (but very unknowledgeable
> about many tech things) to be a security issue too -- not much can go wrong
> in plain text.

For Windows users, it *can* be a security issue, depending on your browser
settings. The reason is that Outlook and other mail readers in Windows,
when rendering HTML messages for viewing (even in preview window) internally
call the Internet Explorer "object" that renders HTML pages in the browser.

For users of *any* operating system, incoming HTML mail can be a privacy
issue even if not a security issue. Here's why:

Let's say I'm a spammer who has a database of forty million email addresses.
Some of these are valid, some are no longer any good because people have
changed ISPs, let their accounts expire, or whatever.

In my database, I assign each email address a unique code. So let's say
your address is "sucker@example.com". I assign you the code of
223twg74h in my database (just a pseudo-random code that won't be obvious
to the victim).

Now, when I send out a spam to you, it is individually customized to include
your code in the HTML:

<html>
<body><img src="http://www.spammer.com/validate.gif?code=223twg74h">Make Money
Fa$t, Increase Your B*u*s*t Size, and Get Millions from Nigeria!
</body>
</html>

The "<img....>" tag is an image tag in HTML, which would display a graphic
in your email software. What it does is to specify a URL, and your email
software will actually fetch the graphic from that URL for you. But notice
that your individual code is appended to the end of the "validate.gif"
filename. What that means is that "validate.gif" isn't a graphic at all!
It's a *program* that runs on their server as you fetch the URL. The
program does two things:

1. It sends to your computer a one-pixel-square graphic, completely
   transparent (i.e., tiny and invisible), so that your machine does not
   issue an error message. This is no different than any other web graphic,
   except that you won't see it, and in itself it's not harmful to your
   computer.

2. It records the fact that your personal code was validated, in their
   database. Now the spammer *knows* that you have read their email, and
   they can sell your address to other spammers as being "known good".
   If they *really* want to be insidious, they can look at the IP address
   of your client and get a rough idea of where you are located geographically,
   to send targeted marketing material to you. But most probably won't bother.
   The spammer sells "sucker@example.com" to another spammer, making money
   at the expense of *your* privacy.

This practice of using individually-coded, invisible "images" to track and
validate your receipt of spam is called a "web beacon." It is used many,
many times by spammers, and is one of the oldest tricks in their book of
dirty scumbag practices. Take a look (using the "View Source" or "View Raw
Data" option in your email software) at some of the spam you get, and you
will see tags like this in the messages.

Since plain text does not recognize tags like "<img...>", the web beacon
trick doesn't work in plain text messages. Yet another reason why HTML email
is a Very Bad Idea from the user's standpoint.
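One way to see the trick in action is to do programmatically what the post suggests doing with "View Source": pull the HTML part out of a raw message and list every <img> whose src points at a remote web server, flagging the ones that carry a query-string token or are sized 1x1. This is an added example, not code from the original post; the hostnames and the sample message are constructed for illustration.

```python
"""Flag web-beacon style remote images in a raw email (added example)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a single-part HTML message containing a beacon
# (per-recipient code in the query string, 1x1 pixel), an ordinary
# remote image and an inline cid: image. Hostnames are made up.
SAMPLE_EMAIL = """\
From: sender@spammer.example
To: sucker@example.com
Subject: Make Money Fa$t
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://www.spammer.example/validate.gif?code=223twg74h" width="1" height="1">
<img src="http://www.spammer.example/logo.png">
<img src="cid:inline-logo">
Make Money Fa$t, Increase Your B*u*s*t Size, and Get Millions from Nigeria!
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag seen."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lower-cases tag names
            self.images.append(dict(attrs))


def _html_parts(raw_email):
    """Yield the decoded text of every text/html part in the message."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def find_remote_images(raw_email):
    """Return one finding per remote <img>, in document order.

    Each finding has the url, the host that would learn you opened the
    message, and a list of reasons it looks like a tracking beacon (empty
    for an ordinary remote image).
    """
    findings = []
    for html in _html_parts(raw_email):
        parser = _ImgCollector()
        parser.feed(html)
        for attrs in parser.images:
            src = attrs.get("src") or ""
            url = urlparse(src)
            if url.scheme not in ("http", "https"):
                continue  # cid:/data: images are embedded; nothing is fetched
            reasons = []
            if parse_qs(url.query):
                reasons.append("query-string token identifies the recipient")
            if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
                reasons.append("image is 1x1 or zero-sized (invisible)")
            findings.append({"url": src, "host": url.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_remote_images(SAMPLE_EMAIL):
        verdict = "BEACON" if f["reasons"] else "remote image"
        print(f"{verdict}: {f['url']} -> {f['host']} {f['reasons']}")
```

Note that even the "clean" remote image still tells the server your IP address and the time you opened the message; the per-recipient token only adds *which* address it was. The setting to look for in a mail client is the one that blocks loading of remote images until you ask for them.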

Now, from Yahoo's standpoint, or AOL's, or other large ISPs, there is another
side to this. Yahoo doesn't *want* you disabling HTML because their banners,
added to each YahooGroups message, can be HTML-formatted only if the message
itself is HTML formatted. This allows them to deliver "richer", more eye-
grabbing advertisements to your list messages. It may be annoying, but they
are providing a free service to you and the sale of ads is how they pay for
it. (Which, by the way, is why I run my lists on my own server, ad-free, and
why I offer that same service to other SCAdians for free.)

From AOL's standpoint, the issue is twofold. On the one hand, they are tied
into the ad-marketing thing also. Don't make the mistake of thinking that
your AOL subscription fee is their profit source. There is a reason why they
can give away "1000 FREE Hours!" without any guarantee that they'll keep you
as a customer. Basically, their business model is such that they don't *care*
all that much whether you pay for your dialup hours or not, as long as they
get your eyeballs for their advertisers and "premium content providers".
Also, AOL probably doesn't want the tech support headache of newbie users
calling them to ask, "Why do some email messages look like gibberish after
I turned off HTML mail?"

Windows gets a very bad reputation for email security holes, but in fact
it's not so much *Windows* that's the problem, as it is Windows *email
software* (not just Outlook, though it's the worst). In Linux, email
attachments are shown as such, and are an icon that I must specifically
click on in order to open it. Then Linux tells me what kind of attachment
it is (and this is by MIME type, *not* by filename, which can be forged
easily), and asks me if I am really sure I want to open it. Windows email
typically makes it easier ("user friendly") to open attachments, and with
certain settings in place may do so without asking the user. BAD IDEA!
This is how Trojan Horse programs (aka viruses) propagate. I get Windows
viruses sent to me constantly in Linux. Linux's email software identifies
the attachments as a DOS/Windows executable program, and I simply delete
them. No harm done, just a minor annoyance. HTML email compounds this
security exposure because the fancy formatting hides from the user what's
*really* inside the message they are viewing. An icon can be faked in HTML
mail, making an executable program look like a harmless graphic or text
file.
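The "by MIME type, not by filename" point above can be checked directly: walk the attachments of a message and compare the declared Content-Type, the filename extension, and the first bytes of the decoded payload. An attachment that claims to be a GIF but starts with the "MZ" header of a DOS/Windows executable is exactly the case described. This is an added example, not code from the original post; the sample message is built in the script and the magic-number table covers only a few common types.

```python
"""Cross-check attachment type claims against content (added example)."""
import os
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on double-click; list kept short here.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Minimal magic-number table: (prefix, MIME type it implies).
MAGIC = (
    (b"MZ", "application/x-dosexec"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF", "application/pdf"),
)


def sniff_type(data):
    """Return the MIME type implied by the payload's leading bytes, or None."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return None


def check_attachments(raw_email):
    """Return one finding per attachment with the reasons it is suspect."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        declared = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        sniffed = sniff_type(data)
        ext = os.path.splitext(name.lower())[1]
        reasons = []
        if sniffed == "application/x-dosexec":
            reasons.append("payload is a DOS/Windows executable (MZ header)")
        if sniffed and sniffed != declared:
            reasons.append(f"declared {declared} but content looks like {sniffed}")
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable filename extension {ext}")
        findings.append({"filename": name, "declared": declared,
                         "sniffed": sniffed, "reasons": reasons})
    return findings


def build_sample():
    """Constructed message: a fake 'GIF' that is really an executable, plus a real GIF."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "me@example.com"
    msg["Subject"] = "photos"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="image", subtype="gif", filename="photo.gif")
    msg.add_attachment(b"GIF89a" + b"\x00" * 10,
                       maintype="image", subtype="gif", filename="logo.gif")
    return msg.as_string()


if __name__ == "__main__":
    for f in check_attachments(build_sample()):
        status = "SUSPECT" if f["reasons"] else "ok"
        print(f"{status}: {f['filename']} ({f['declared']}) {f['reasons']}")
```

The mail client behaviour the post describes for Linux corresponds to the `sniffed` column here: deciding what an attachment *is* from its bytes, then asking before opening, rather than trusting the name the sender chose.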

Finally, I want to comment on the oft-asked question of why HTML mail
appears decoded inside the Digest version of this list. The reason is
simple: By definition, if you are in Digest mode, you will get numerous
messages as part of one physical file. That file can't be both text *and*
HTML, so it is text. Ergo, the tags in HTML messages get rendered as
literal strings of text, not as HTML tags, because your email reader is
not thinking of the file as a web page but rather as a text message.
(By the way, there are settings in many email list servers that allow a
digest mode that has each message as a separate "attachment". In that
mode, you can intermingle text and HTML messages -- but the price is that
the reader has to click on *each message* to read it. Most people don't
like this mode, because if you're doing that, you might as well be in
individual message mode.)

This is probably more than you ever wanted to know about email, but since
several people asked the question, I thought it a good idea to post a
relatively detailed answer. Feel free to email me off-list if you want
to go deeper into this topic. I've said my piece on the list, and won't
clog things up by consuming further bandwidth on this topic unless
specifically requested to do so. Apologies to anyone I've offended by
posting this long message, but I thought enough people had asked for
explanation that it was worth doing so on-list.

Justin

-- 
()xxxx[]::::::::::::::::::>                   <::::::::::::::::::[]xxxx()
Maistor Iustinos Tekton called Justin (Scott Courtney)
Gules, on a bezant a fleam sable, on a chief dovetailed Or, two keys
fesswise reversed sable.
Marche of Alderford (Canton, Ohio)             http://4th.com/sca/justin/
justin_at_4th.com        PGP Public Key at http://4th.com/keys/justin.pubkey
Received on Thu Oct 9 19:17:39 2003

This archive was generated by hypermail 2.1.8 : Wed 03 Mar 2004 02:30:16 PM EST