W3C home > Mailing lists > Public > public-html-mail@w3.org > May 2007

Email security position paper

From: Chris Newman <Chris.Newman@Sun.COM>
Date: Wed, 02 May 2007 09:11:46 -0700
To: public-html-mail@w3.org
Message-id: <3C785A769C70FE58ECC8941F@[192.168.0.103]>

I don't have time to attend the meeting, but wanted to make sure you have this 
input.  This is my personal opinion as a long-time participant in the email 
industry.

-------
Email security and client development position paper

Imagine you had a web browser which every day would randomly jump to a web page 
created by a phishing house (a different one each day) that was trying to break 
into your computer.  This browser would proceed to execute all javascript, 
flash, and other active content on that web page?  If you were lucky you would 
only get a few pieces of new spyware and adware each day, making your computer 
unusable within a week regardless of the quality of your anti-virus or other 
protection software.  Then imagine this web browser had unrestricted access to 
your personal address book and all your business contacts and could trivially 
use that information to generate emails to those contacts on your behalf?  How 
would that impact your business relationships?   Would you run this web browser 
if you had the option to run one that didn't do this?

Next, imagine the second you view one of these phishing web page, the web page 
owner immediately knows that you actively use your web browser (and when you 
use it) and can arrange to have your web browser visit their page every day in 
addition to the other things it does.

That's what rich HTML email would be like and why email vendors work hard to 
restrict what forms of HTML are permissible (and is one of many reasons why 
technology-aware users prefer plain text email).  Because email can be sent to 
an unsolicited recipient, rendering rich email safely is a much greater 
security and privacy risk for the recipient than a typical web page.  While 
there was some early research on active content in email that could be used 
safely (safe-TCL), it was never clear that the benefits would outweigh the 
risks.

Attempts to "filter" HTML, CSS and javascript to remove known bad things are 
not viable long term.  There's always another extension by some particular HTML 
engine that allows risky content embedded in some new part of the language. 
What's needed is an extensible white-list of HTML and CSS features that is 
typically safe for use in email.  For an example of such technology, see:
  <http://www.feedparser.org/docs/html-sanitization.html>

If the W3C were to take the lead on maintaining and standardizing an 
industry-standard default HTML/CSS whitelist for risky content environments 
it's likely to (eventually) raise the baseline level of HTML/CSS support in 
email.  Furthermore, an investigation of why privacy-preserving technology 
(such as MIME HTML RFC 2557) to embed the complete HTML document and all 
ancillary data in the email so the client can operate in a "safe no network" 
privacy mode has failed to deploy well would be interesting.

The current email client market is in a dire state from the viewpoint of 
innovation.  The vast majority of mail clients generate no revenue for the 
vendors of those clients and as a result there is extremely limited investment 
in mail client technology.  Two of the leading innovative cross-platform fat 
client projects (Mulberry and Eudora) were recently terminated (the former due 
to chapter 7 bankruptcy, the latter is merging with Thunderbird).  Is there a 
way that the companies that want more features in email clients could invest 
money to restart innovation in the mail client industry and possibly make it 
profitable for independent mail client vendors so there is innovation?  Is 
other standards work needed to improve the situation?  Can innovation be driven 
by clients on portable devices and then move back to the more traditional 
client environments?  What sort of rich client features would benefit mail 
users so much that it would start a mass migration?
-------

                - Chris
Received on Wednesday, 2 May 2007 16:11:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:12:23 GMT