Why is Plaintext Better than HTML for Email?

“In short, HTML emails are a security nightmare, are mostly used for advertising to you and tracking you, are less accessible for many users, and don’t offer anything especially great for it.”

https://useplaintext.email/

He buried the lede. I went ahead and put it at the top. For more detail, read the below. Another in my ongoing series advocating for plain text: A Text Only World, OpenBSD & the Command Line, The Plain Person’s Guide to Plain Text Social Sciences, The Plain Text Accounting Program, etc.

Why is plaintext better than HTML?

HTML emails are mainly used for marketing – that is, emails you probably don’t want to see in the first place. The few advantages they offer for end-users, such as links, inline images, and bold or italic text, aren’t worth the trade-off.

HTML as a vector for phishing

HTML emails allow you to make links which hide the URL behind some user-friendly text. However, this is an extremely common vector for phishing attacks, where a malicious sender makes a misleading link which takes you to a different website than you expect. Often these websites are modeled after the login page of a service you use, and will trick you into entering your account password. In plaintext emails, the URL is always visible, and you can more easily make an informed choice to click it.

Privacy invasion and tracking

Virtually all HTML emails sent by marketers include identifiers in links and inline images which are designed to extract information about you and send it back to the sender. Examine the URLs closely – the strange numbers and letters are unique to you and used to identify you. This information is used to hack your brain, attempting to find advertisements which are more likely to influence your buying habits. HTML emails are good for marketers and bad for you.

Mail client vulnerabilities

HTML is an extremely large and complicated set of specifications designed without emails in mind. It’s designed for browsing the world wide web, on which a huge variety of documents, applications, and more are available. Implementing even a reasonable subset of these standards represents hundreds of thousands of hours of work, or even millions. A large subset (perhaps the majority) of these features are not desirable for emails, and if included can be leveraged to leak information about you, your contacts, your calendar, other emails in your inbox, and so on. However, because of the herculean effort necessary to implement an HTML renderer, no one has built one specialized for emails which is guaranteed to be safe. Instead, general purpose web browsers, with many of their features disabled, are employed in most email clients. This is the number one source of vulnerabilities in email clients which result in information disclosure and even the execution of arbitrary malicious code.

This is a list of 421 remote code execution vulnerabilities in Thunderbird. If you’re bored, try finding one that doesn’t exploit web tech.

HTML emails are less accessible

Browsing the web is a big challenge for users who require a screenreader or other assistive tools to use their computer. The same problems apply to email, only more so – making an accessible HTML email is even more difficult than making an accessible website due to the limitations imposed on HTML emails by most mail clients (which they have no choice but to impose – for the security reasons stated above). Plain text emails are a breeze in comparison for screenreaders to recite, especially for users with specialized email clients designed for this purpose. How do you speak bold text aloud? How about your inline image?

Some clients can’t display HTML emails at all

Some email clients don’t support HTML emails at all. Many email clients are designed to run in text-only environments, like a terminal emulator, where they’re useful to people who spend a lot of time working in these environments. In a text-only interface it’s not possible to render an HTML email, and instead the reader will just see a mess of raw HTML text. A lot of people simply send HTML emails directly to spam for this reason.

Rich text isn’t that great, anyway

Rich text features desirable for end users include things like inline images, bold or italicized text, and so on. However, the tradeoff isn’t worth it. Images can simply be attached to your email, and you can employ things like *asterisks*, /slashes/, _underscores_, or UPPERCASE for emphasis. You can still communicate your point effectively without bringing along all of the bad things HTML emails come with.

-ibid

Disabling Facebook and Other Social Media Tracking in WordPress

I realized yesterday that the default sharing options in WordPress enabled tracking by Facebook and Twitter. I don’t want advertising or tracking on my site. I found that you can turn these “features” off in the Dashboard.

Simply click on Enabled Services and drag and drop into Available Services, and vice versa, for services you want enabled, such as Email or Print.

Using /etc/hosts to Cut Internet Crap

I was using a website this morning that pointed to fonts.googleapis.com. I know this because the URL was displayed at the bottom of the browser as my machine froze into an unusable state, which required a reboot to return it to working order.

It seems strange to me that a website should be able to freeze both a browser and the machine running it. But, minimally, I thought I should prevent font downloads from Google from doing it in the future.

With a little web searching, I came across this article, “Fix Slow Page Loading Waiting for fonts.googleapis.com.” I made the appropriate changes to my /etc/hosts file and noticed an immediate improvement in the loading of the site I was using.

So, not being one for half-measures, I thought, “I wonder if there’s a good list to block most of these types of sites that slow down the web experience…” Of course, there are many. I ended up choosing Steven Black’s list, Unified hosts + fakenews + gambling + porn + social, because it is used by the previously mentioned Pi-Hole as one of its filters. I kept my original hosts file, noting at the top where to get an updated list, and just added everything after the line “# Custom host records are listed here.” to the end of the file.

Works beautifully. I’ll live with it for a few months and post an update here of any problems I encounter. However, this seems like a good option for cutting down the amount of crap you come across on the Internet, and it will likely speed web page load times considerably. If you need more explicit instructions, this article seems to provide a good discussion on how to do it across different platforms.
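Here is the merge step above written out as a small Python script. It is an added example, not something from Steven Black’s project or the linked article: it keeps the original hosts entries, writes a note at the top about where the list came from, and appends only what follows the list’s “# Custom host records are listed here.” line, dropping duplicates. The two inputs are constructed stand-ins (the real list is far larger), the source URL is a placeholder, and the script never writes to the real /etc/hosts; review its output and copy it into place yourself.

```python
"""Merge a hosts-format blocklist into a copy of /etc/hosts as described in the post.
Original entries stay first and win on conflicts; the blocklist's tail (everything
after its marker line) is appended, deduplicated, and pointed at 0.0.0.0.
Both inputs are constructed samples; nothing here touches the real /etc/hosts."""
MARKER = "# Custom host records are listed here."

# Constructed stand-in for an existing /etc/hosts
ORIGINAL_HOSTS = """127.0.0.1\tlocalhost
::1\t\tlocalhost
192.168.1.10\tnas.lan
"""

# Constructed stand-in for the downloaded list: a header with loopback entries,
# the marker line, then the blocked hosts (the same layout as the real list)
BLOCKLIST = """# Title: example blocklist (constructed)
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
0.0.0.0 0.0.0.0

# Custom host records are listed here.

0.0.0.0 fonts.googleapis.com
0.0.0.0 tracker.example
0.0.0.0 fonts.googleapis.com
127.0.0.1 ads.example
"""


def parse_entries(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            yield ip, host.lower()


def merge_hosts(original, blocklist, source_url="<URL of the list: placeholder>"):
    """Return new hosts-file text: original entries first, then the blocklist tail."""
    _, found, tail = blocklist.partition(MARKER)
    if not found:
        tail = blocklist  # a list without the marker: take all of it
    keep = {host for _, host in parse_entries(original)}  # original names win
    lines = [f"# Blocklist appended from: {source_url}  (re-download to update)",
             original.rstrip("\n"), "", MARKER]
    seen = set()
    for _, host in parse_entries(tail):
        if host in keep or host in seen or host == "0.0.0.0":
            continue
        seen.add(host)
        # 0.0.0.0 rather than 127.0.0.1: the connection fails immediately instead of
        # being attempted against whatever happens to listen on the loopback interface
        lines.append(f"0.0.0.0 {host}")
    return "\n".join(lines) + "\n"


def resolve(hosts_text, hostname):
    """First matching entry wins, as the resolver's files lookup does; None if absent."""
    hostname = hostname.lower()
    for ip, host in parse_entries(hosts_text):
        if host == hostname:
            return ip
    return None


def is_blocked(hosts_text, hostname):
    """True when the merged file sends this name to the unroutable 0.0.0.0."""
    return resolve(hosts_text, hostname) == "0.0.0.0"


if __name__ == "__main__":
    merged = merge_hosts(ORIGINAL_HOSTS, BLOCKLIST)
    print(merged)
    for name in ("nas.lan", "fonts.googleapis.com", "ads.example", "localhost"):
        print(f"{name}: {'blocked' if is_blocked(merged, name) else resolve(merged, name)}")
```

Two choices worth noting: names already present in the original file are never overridden, so a local machine you have mapped by hand cannot be silently blackholed by a list update, and every appended entry is normalised to 0.0.0.0, so a blocked lookup fails outright rather than connecting to a local web server on 127.0.0.1.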

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers in Real Time Via Its Web Site

“A third-party firm leaking customer location information data [from all U.S. mobile telephone service providers in real-time] poses serious privacy and security risks for virtually all U.S. mobile customers (and perhaps beyond, although all my willing subjects were inside the United States).”

Brian Krebs, “Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers in Real Time Via Its Web Site.” KrebsonSecurity.com. May 17, 2017.

What could possibly go wrong?

You Give Up a Lot of Privacy Just Opening Emails. Here’s How to Stop It | WIRED

“[Email tracking] tech is pretty simple. Tracking clients embed a line of code in the body of an email—usually in a 1×1 pixel image, so tiny it’s invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online…

…To prevent third-parties from leaking your email, meanwhile, Princeton’s Englehart says “the only surefire solution right now is to block images by default.” That is, turn on image-blocking in your email client, so you can’t receive any images at all.”

—Brian Merchant. “How Email Open Tracking Quietly Took Over The Web.” Wired. December 11, 2017.

As discussed in my post A Text Only World, there is no surefire way to stop this kind of tracking. Even if you use text-only email, which isn’t a bad idea, you will still be tracked if you follow links and so forth. But sticking with text over HTML is often a more secure, though less convenient, option.
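To make the two problems concrete, here is an added Python example (not from useplaintext.email, Wired, or any mail client) that inspects an HTML message for exactly what the quotes above describe: a link whose visible text shows one domain while the href goes somewhere else, and a remote image that is a 1×1 pixel or carries a per-recipient identifier in its URL. It finishes with the mitigation Englehart recommends, replacing every remote image with a placeholder so nothing is fetched when the mail is opened. The message, the .example domains, and the short list of identifier parameter names are all constructed for this demonstration; the checks are heuristics, not a complete phishing or tracker detector.

```python
"""Inspect an HTML email for disguised links and tracking images, then apply
image blocking. Standard library only. SAMPLE_HTML is a constructed message and
every domain in it is fictitious (.example)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SAMPLE_HTML = """<html><body>
<p>Your account needs attention. Sign in at
<a href="http://login.example-bank.co.attacker.example/verify?u=abc123">https://login.example-bank.example</a></p>
<p>Latest offers: <a href="https://shop.example/deals">our deals page</a></p>
<img src="https://track.example/open.gif?uid=7f3a9c&amp;msg=42" width="1" height="1">
<img src="https://cdn.example/banner.png" width="600" height="120">
</body></html>
"""


class _EmailParser(HTMLParser):
    """Collect (href, visible text) for each link and the attributes of each image."""

    def __init__(self):
        super().__init__()
        self.links = []    # (href, visible text)
        self.images = []   # attribute dicts
        self._href = None  # href of the <a> we are currently inside
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _parse(html):
    p = _EmailParser()
    p.feed(html)
    p.close()
    return p


# Visible text "looks like a URL" if it is a bare domain or a full http(s) URL.
_URLISH = re.compile(r"^(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?::\d+)?(?:/\S*)?$")


def _host_shown(text):
    m = _URLISH.match(text.strip())
    return m.group(1).lower() if m else None


def find_misleading_links(html):
    """Links whose displayed host differs from the host the href really goes to."""
    findings = []
    for href, text in _parse(html).links:
        shown = _host_shown(text)
        real = (urlparse(href).hostname or "").lower() or None
        if shown and real and shown != real:
            findings.append({"text": text, "href": href, "shown_host": shown, "real_host": real})
    return findings


# Query keys commonly used to tie one image fetch to one recipient (assumed short
# heuristic list, not a catalogue of real tracking vendors).
_ID_PARAMS = {"uid", "id", "cid", "mid", "msg", "rid", "token", "email", "e", "u"}


def find_tracking_images(html):
    """Remote images that are 1x1 or carry an identifier in their URL."""
    findings = []
    for img in _parse(html).images:
        url = urlparse(img["src"])
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images ship inside the message and fetch nothing
        reasons = []
        if img.get("width") in ("0", "1") and img.get("height") in ("0", "1"):
            reasons.append("1x1 pixel")
        ids = sorted(k for k in parse_qs(url.query) if k.lower() in _ID_PARAMS)
        if ids:
            reasons.append("identifier parameters: " + ",".join(ids))
        if reasons:
            findings.append({"src": img["src"], "host": url.hostname, "reasons": reasons})
    return findings


_IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
_SRC_ATTR = re.compile(r"""src\s*=\s*["']?\s*([^"'\s>]+)""", re.I)


def block_remote_images(html):
    """Image blocking by default: drop every remote <img>, keep inline ones."""
    def replace(match):
        src = _SRC_ATTR.search(match.group(0))
        if src and src.group(1).lower().startswith(("http://", "https://")):
            return "[remote image blocked]"
        return match.group(0)
    return _IMG_TAG.sub(replace, html)


if __name__ == "__main__":
    for f in find_misleading_links(SAMPLE_HTML):
        print(f"misleading link: shows {f['shown_host']!r} but goes to {f['real_host']!r}")
    for f in find_tracking_images(SAMPLE_HTML):
        print(f"tracking image from {f['host']}: {'; '.join(f['reasons'])}")
    print(block_remote_images(SAMPLE_HTML))
```

The link check compares exact hosts, so it will also flag legitimate mailers that route every link through a click-tracking host; that is a reasonable thing to be told about, since it is the same tracking the article complains of. The image blocker is deliberately blunt, removing the large banner along with the beacon, which is the trade-off the Wired quote is making when it says you can’t receive any images at all.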