Friends dont send friends HTML email!: wired

Submitted by charlie.collins on Tue, 02/06/2001 - 22:43

Tagged:

Technology

I just ran across an article on Wired (one of the new TotSP sources) that is in complete concert with what I have been preaching for a few years. DONT send HTML or Javascript EMAIL. I was not explicitly aware of the exploit that Carl Voth had exposed in mail readers that enable this by default (OUTLOOK and NS6.) This is the crux of the article and has garnered a lot of attention lately. However I was aware that this is VERY ANNOYING and that security problems abound with it. What I mean is that while NO email is really secure in any way (unless encrypted but some means) HTML based email and Javascript opens up an entire Pandoras box if possibilities not just viewing email content. Its stupid and insecure and many people DO NOT use HTML email readers or trash messages that contain Javascript-HTML by default (yours truly.) There a thousand Javascript based exploits from simple denial of service to malicious fake prompts and or redirects, just all sorts of problems. Here is my simple credo that applies to web apps and email, whatever, "client side BAAAAD!" (With the hand swipe like the Hetfield Napster cartoon.) Sending people Javascript email is offensive (and recruiters do it to me constantly, "fill out this form", uh, yeah, right away) and potentially dangerous. For that matter Javascript at all is BAAAAD whenever something can be done server side (back to my credo.) Send the people a link back to a web page, dont send them HTML or Javascript email. Mini Javascript RANT (or more of it) <rant> Javascript in general is also BAAAAD! NEVER put some Javascript on a web page that is critical to the page (ie use it for rollovers and that crap if you must, but CSS is better, or where programming for multiple possibilites and checking for its presence with an alternative if it is absent-disabled.) Pages that rely on Javascript exclusively for form validation or navigation or application features are stupid (they are generally NOT ECMAscript compliant and wont work in real browsers, Opera, NS6, Lynx, etc.) NEVER do on the client side what should be done on the server side. If you have a form to validate, then validate it, but not with something I can disable. The web full of very sloppy Javascript (and admittedly, I have learned this the HARD way) that breaks client browsing requests, wont work in many major browsers and makes for a sloppy application (imagine the data if I can still submit the form with crap in it just by disabling my Javascript.) </rant> Firends dont send friends email: wired

Add new comment

Comments

Re: Friends dont send friends HTML email!: wired

Submitted by jeepmutt (not verified) on Wed, 02/07/2001 - 09:52.

'trox, While I certainly agree with your sentiment, I am afraid that the general populace doesn't. And won't ever, no matter what reasonable arguments you present. Obviously, if you set up your web-app to accept information that is only validated on the client-side, then you should oh so very much reap what you sow. Gonna get burned, it's just a matter of time. However, people don't wanna wait for a resubmittal to be told that their phone number is not valid. People want a flashy site that does nifty little things when you move your mouse around. The want all of the glitz and they want to forget that they are on the web. No matter what the general populace says, they don't want to work on the web. They want all of the information on the web available on their desktop, as accessible as their "My Documents" folder is. And they want all the whizbang features that go into desktop apps. Since that's what the beast wants, thats what the majority of web sites and internet apps give'em. You want fancy-schmancy text in email? Well, instead of inventing something new, we'll just cram in our fancy-schmancy HTML interpreter that is already jammed full of nifty little schmancies. Oh did we mention that the HTML that we use is our own version, and the schmancy-driver, or scripting language, is proprietary too. Oh yeah, and its based on our legendarily safe and secure OS hooks. The general population makes it to easy for this type of behavior to be acceptable. Again, I am fully behind your rants, but I fear that we are shouting into the fury of the storm. (OK that doesn't sound right, but I can't remember what we are shouting into) Sigh..... -jeepmutt

Re: Friends dont send friends HTML email!: wired

Submitted by atrox (not verified) on Wed, 02/07/2001 - 11:20.

'mutt I agree with you that the general populace wants fancy and shiny stuff. But I disagree that it is futile to try to do anything about the current problems. you can still have the fancy stuff with CSS (buttons and rollovers and flashy crap) and you can still validate pages in split second time with server side. I am in complete agreement that the current situation is driven by what people "want" but my point is that technology people should be more capable of delivering quality stuff AND delivering what people want. I think it can be done right. Most people building web sites, and even web apps, dont even know the difference between client and server side, and that just goes to the point of quality. I think the general populace has every right to want the fancy crap (even if I dont) and I recognize that, but I still think the people building the stuff can do a lot better job AND deliver.

Re: Friends dont send friends HTML email!: wired

Submitted by jeepmutt (not verified) on Wed, 02/07/2001 - 14:33.

I wanna preface this with the note that I am a little cranky right now. :p Yep, I agree that that is what people/corps [b]should[/b] do, but my point was that, in general, the customers let them get away with the bullshit cause they don't know any better, (or don't care, sometimes, I can't tell which.) Maybe, I am just down on the situation in general, but from what I have seen, corps aren't interested in doing things [b]R[/b]ight. They want it done now. I know that if I had to get a site up right this minute the way that they wanted it done, my only solution would be to use JavaScript. I personally am not familiar enough with CSS to get the job done, and I am willing to be that my employer doesn't want me to learn to get it right, they want it done. They're too busy promising the moon in 3 easy steps to be worried about the fact that I need to take the time to train to get it done. [b]Boss:[/b] Do you know how to make the little buttons light up when I get put my little pointer-thingy over them. [b]Me:[/b] Yeah, but I'd be using less-than-optimal techniques. I know that there is a way to do it, but I will have to look into it. [b]Boss:[/b] You must not be a very good programmer if you don't know how to make the little buttons light up. [b]Me:[/b] That's not what I said, I know a way to get it done, it just isn't correct. [b]Boss:[/b] Why didn't you say so? Do it. [b]Me:[/b] But... [b]Boss:[/b] Good work. Anyway, not saying to not fight the good fight, it's just sometimes I get tired... I know that it's not a good reason to quit, and, in truth, I won't, but I will bitch and moan a bit before getting on with it. Oh, one more thing, yer last little bit about so-called web-developers not knowing their ass from a hole in the ground, (slight paraphrase on my part, kill me.) So very true. The above little dialog could have just as well included something rare and precious like some jackass 'web-developer' who says that it can be done with JavaScript and some ActiveX controls on the page. Jackasses. All of'em. A bunch of jackasses. What do we do about them? -mutt