Why is Plaintext Better than HTML for Email?

“In short, HTML emails are a security nightmare, are mostly used for advertising to you and tracking you, are less accessible for many users, and don’t offer anything especially great for it.”

https://useplaintext.email/

He buried the lede. I went ahead and put it at the top. For more detail, read the below. Another in my ongoing series advocating for plain text: A Text Only World, OpenBSD & the Command Line, The Plain Person’s Guide to Plain Text Social Sciences, The Plain Text Accounting Program, etc.

Why is plaintext better than HTML?

HTML emails are mainly used for marketing – that is, emails you probably don’t want to see in the first place. The few advantages they offer for end-users, such as links, inline images, and bold or italic text, aren’t worth the trade-off.

HTML as a vector for phishing

HTML emails allow you to make links which hide the URL behind some user-friendly text. However, this is an extremely common vector for phishing attacks, where a malicious sender makes a misleading link which takes you to a different website than you expect. Often these websites are modeled after the login page of a service you use, and will trick you into entering your account password. In plaintext emails, the URL is always visible, and you can more easily make an informed choice to click it.

Privacy invasion and tracking

Virtually all HTML emails sent by marketers include identifiers in links and inline images which are designed to extract information about you and send it back to the sender. Examine the URLs closely – the strange numbers and letters are unique to you and used to identify you. This information is used to hack your brain, attempting to find advertisements which are more likely to influence your buying habits. HTML emails are good for marketers and bad for you.

Mail client vulnerabilities

HTML is an extremely large and complicated set of specifications designed without emails in mind. It’s designed for browsing the world wide web, on which a huge variety of documents, applications, and more are available. Implementing even a reasonable subset of these standards represents hundreds of thousands of hours of work, or even millions. A large subset (perhaps the majority) of these features are not desirable for emails, and if included can be leveraged to leak information about you, your contacts, your calendar, other emails in your inbox, and so on. However, because of the herculean effort necessary to implement an HTML renderer, no one has built one specialized for emails which is guaranteed to be safe. Instead, general purpose web browsers, with many of their features disabled, are employed in most email clients. This is the number one source of vulnerabilities in email clients which result in information disclosure and even the execution of arbitrary malicious code.

This is a list of 421 remote code execution vulnerabilities in Thunderbird. If you’re bored, try finding one that doesn’t exploit web tech.

HTML emails are less accessible

Browsing the web is a big challenge for users who require a screenreader or other assistive tools to use their computer. The same problems apply to email, only more so – making an accessible HTML email is even more difficult than making an accessible website due to the limitations imposed on HTML emails by most mail clients (which they have no choice but to impose – for the security reasons stated above). Plain text emails are a breeze in comparison for screenreaders to recite, especially for users with specialized email clients designed for this purpose. How do you speak bold text aloud? How about your inline image?

Some clients can’t display HTML emails at all

Some email clients don’t support HTML emails at all. Many email clients are designed to run in text-only environments, like a terminal emulator, where they’re useful to people who spend a lot of time working in these environments. In a text-only interface it’s not possible to render an HTML email, and instead the reader will just see a mess of raw HTML text. A lot of people simply send HTML emails directly to spam for this reason.

Rich text isn’t that great, anyway

Rich text features desirable for end users include things like inline images, bold or italicized text, and so on. However, the tradeoff isn’t worth it. Images can simply be attached to your email, and you can employ things like *asterisks*, /slashes/, _underscores_, or UPPERCASE for emphasis. You can still communicate your point effectively without bringing along all of the bad things HTML emails come with.

-ibid
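The two risks the quoted section raises, links whose visible text hides a different destination and image URLs carrying per-recipient identifiers, can be checked mechanically before a message is rendered. The following is an added example, not code from useplaintext.email or this blog; the message it audits is constructed and its hostnames are placeholders.

```python
# Added example (not from useplaintext.email or this blog); SAMPLE_EML is constructed.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EML = """\
Content-Type: text/html; charset="utf-8"

<p>Help: <a href="https://docs.example.com/help">https://docs.example.com/help</a></p>
<p>Log in: <a href="https://login.example-secure.net/a?u=9f3c">https://bank.example.com/login</a></p>
<img src="https://track.example.net/open.gif?rid=7a1b2c" width="1" height="1">
"""


class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for each <a> and the attributes of each <img>.
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a)
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_html_email(raw):
    # Returns ('link-mismatch', shown_text, href) and ('tracking-image', src) findings.
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []  # plaintext only: nothing to audit
    p = _LinkCollector()
    p.feed(part.get_content())
    findings = []
    for href, text in p.links:
        shown = urlparse(text) if "://" in text else None  # visible text that is itself a URL
        if shown and shown.hostname != urlparse(href).hostname:
            findings.append(("link-mismatch", text, href))
    for img in p.images:
        if (img.get("width"), img.get("height")) == ("1", "1") or urlparse(img["src"]).query:
            findings.append(("tracking-image", img["src"]))
    return findings
```

The honest link produces no finding; the link whose visible URL names one host while its href goes to another, and the 1x1 image with a per-recipient query string, are both reported.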

Facebook Directs Your Eyes

“What this means is that even more than it is in the advertising business, Facebook is in the surveillance business. Facebook, in fact, is the biggest surveillance-based enterprise in the history of mankind. It knows far, far more about you than the most intrusive government has ever known about its citizens. It’s amazing that people haven’t really understood this about the company. I’ve spent time thinking about Facebook, and the thing I keep coming back to is that its users don’t realise what it is the company does. What Facebook does is watch you, and then use what it knows about you and your behaviour to sell ads. I’m not sure there has ever been a more complete disconnect between what a company says it does – ‘connect’, ‘build communities’ – and the commercial reality. Note that the company’s knowledge about its users isn’t used merely to target ads but to shape the flow of news to them. Since there is so much content posted on the site, the algorithms used to filter and direct that content are the thing that determines what you see: people think their news feed is largely to do with their friends and interests, and it sort of is, with the crucial proviso that it is their friends and interests as mediated by the commercial interests of Facebook. Your eyes are directed towards the place where they are most valuable for Facebook…

…To sum up: there is a lot of research showing that Facebook makes people feel like shit. So maybe, one day, people will stop using it.”

—John Lanchester, “You are the product.” London Review of Books. August 17, 2017.

I’ve been off Facebook, and most social media, for over four years. I can’t imagine returning. In fact, lately, I’m leaning towards a more extreme position. The problems of the Internet are larger than social media and the feudal Internet, where Microsoft puts ads on every Windows machine and cloud infrastructure sits behind every website and stores local files in the cloud. But, instead, these are the more obvious symptoms of commercialized communications, embedded down to the level of the protocols that make it all possible, such as HTML. That’s why efforts like the Gemini Protocol, small Internet pubnixes, Tor, cryptocurrencies, and so forth are worth learning about because they have the potential to completely transform our ways of communicating online in ways that are both more meaningful and authentic.

Static Websites with Hugo

I created a website back in 2010. It’s a professional website. It has a personal profile, description of the work, location and contact page. None of these change with any regularity. So, I just needed a few static pages.

I wanted to get up something quick. So, I had coded what I needed over a week, wrote all the copy and put the site up. Back then, around a quarter of the population had a smartphone, so it did not seem necessary to worry about mobile access to the site. So, I have a great site that works well for the PC. But, it’s useless on mobile. That’s not going to work in 2019.

But, I’ve been dreading doing the update. I figured it would be an unmitigated pain to code a site that worked across platforms. Being inclined to take the easiest route to solve a problem, I thought I might check to see if there was some free software that would help me make the transition with a minimum of fuss.

Turns out, there’s a lot of open source software to build static websites. Jekyll and Hugo are probably the most popular. But, Wintersmith, Harp, Middleman, and others are all viable options. I ended up using Hugo because, of the two top options, it didn’t require installing any additional software on my system.

It ended up taking about two days to port the website content to Hugo. Most of the time was just understanding how Hugo works, such as the need to create directories and then put an index.md in each of them to get the content to link up right from the main page.

In retrospect, there are two main considerations in this process. One, pick a system that will convert your old website for you, if you have a large site. For small static sites like mine, this really isn’t a problem. Two, make sure whatever you use has good theme support and choose a theme that has the built-in look and feel you want for your site.

For example, I looked at Nikola first, but its theme support is largely non-existent. After looking at it, it became apparent I’d have better luck choosing one of the top two options.

Once the choice of system and theme is made, the coding and porting of sites is pretty straightforward. I did have to noodle around a bit with templates to get the result I wanted, but it wasn’t much different from using HTML, just at one level of abstraction.

If you have the need to put up a small website that works on both PCs and mobile, using a static site generator like Hugo will save you a lot of time and be relatively painless. Recommended.

Fun with HTML: ‮ Writing Backwards ‭ / Writing Backwards

The HTML entity that switches the directionality of text to right-to-left (rtl) is &#8238;. To switch it back to left-to-right (ltr), use &#8237;.

Repeating the paragraph above, starting with the rtl entity and ending with the ltr entity:

‮”The HTML Entity for changing the directionality of text from right-to-left (rtl) is 8238. To change it back to left-to-right (ltr), use 8237.”‭

Possible legitimate use: if it is used in a profile that might be scraped, it will likely throw unexpected results, such as reversing text in auto-generated spam email.

But, there are a few situations where this could be used to amusing effect or to be a jackass. Don’t be a jackass.
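For the receiving side of this trick, a site or scraper that stores and re-displays profile text, the override characters need to be caught whether they arrive as raw U+202E/U+202D or as the &#8238;/&#8237; entities above. This is an added example, not part of the original post; the sample strings are constructed.

```python
# Added example (not from the post): find and neutralize explicit bidi
# formatting characters, decoding HTML entities first so &#8238; is caught.
import html
import unicodedata

# Bidi classes of the explicit directional formatting characters: the
# embeddings, overrides (LRO/RLO, the pair the post uses), isolates and
# their terminators. unicodedata reports them, so no hard-coded list.
OVERRIDE_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def find_bidi_controls(text):
    """Return [(index, 'U+XXXX', bidi class)] for every directional formatting
    character in text, after HTML entities have been decoded."""
    decoded = html.unescape(text)
    return [(i, f"U+{ord(ch):04X}", unicodedata.bidirectional(ch))
            for i, ch in enumerate(decoded)
            if unicodedata.bidirectional(ch) in OVERRIDE_CLASSES]


def neutralize_bidi(text, mode="strip"):
    """Return text with directional formatting characters removed ('strip') or
    replaced by visible escapes like <U+202E> ('escape') for a reviewer.
    Only the rendering hint goes; the logical character order is untouched."""
    out = []
    for ch in html.unescape(text):
        if unicodedata.bidirectional(ch) in OVERRIDE_CLASSES:
            if mode == "escape":
                out.append(f"<U+{ord(ch):04X}>")
        else:
            out.append(ch)
    return "".join(out)


# Constructed samples: the post's trick as entities and as raw characters.
# Rendered, the middle word of both reads "backwards".
SAMPLE_ENTITY = "Hello &#8238;sdrawkcab&#8237; world"
SAMPLE_RAW = "Hello \u202esdrawkcab\u202d world"
```

Stripping leaves the stored bytes in their true logical order ("sdrawkcab"), which is what a scraper or spam generator will actually copy; the visual reversal existed only in the renderer.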

h/t Tim Carry.