“Security-conscious users must demand that their email providers offer a plain-text option. Unfortunately, such options are few and far between, but they are a key to stemming the webmail insecurity epidemic.
Mail providers that refuse to do so should be avoided, just like back alleys that are bad places to conduct business. Those online back alleys may look eye-pleasing, with ads, images and animations, but they are not safe.”
—Sergey Bratus and Anna Shubina. “The Only Safe Email is Text-Only Email.” The Conversation. September 10, 2017.
Taking the position that “the only safe email is text-only email” is problematic for two main reasons:
- Security is a process, and nothing is “safe”.
- Security has to be balanced against other requirements, such as functionality.
To see the problem in this position, let’s logically extend it to a more radical position. Why stop with email? Why not also advocate for the use of text-only web browsers?
I exclusively use text-only email and use text-only browsers on occasion. I think they are great. They are faster. They cut down on advertising, tracking and other nonsense. For users with visual impairment, they are an obvious choice and work better with text-to-speech software.
Which brings us to the key point, security comes at a cost. If you choose a text-only email client/provider or browser, then many of the emails you read or the websites you visit will not work as the author intended. This can protect you from the occasional phishing website or email containing a virus from a criminal organization. But, it’s no guarantee. Further, for every email or website this protects against, there will be thousands of legitimate emails and websites that will not work as intended.
The reality is, by selecting text-only email, you’ll start to see many emails with text with the following: “If you have trouble viewing this email, read the online version: [link]”, and it will become second nature to copy and paste that link into a modern browser to see the “correct” version of the email. Changing to text-only email does provide a little more incentive to think about the link, but for most people, it will introduce a lot more inconvenience, and the change will have little impact on their security.