Pretty is as pretty does when talking about e-mail

Fellow Network World(U.S.) columnist Mark Gibbs likes pretty e-mail. But I hope that he won’t send me pretty e-mail when he sees this column because he will get the letter back unread.

I don’t know who came up with the idea of using HTML – the protocol used to describe the appearance of Web pages – in e-mail, but it seems to have been done without much consideration of privacy and security implications.

HTML e-mail can sure be pretty, or is that pretty annoying? Some programs sound like they could do a nice job of putting together an e-mail message, complete with colours and sound effects, that I would not want to get first thing in the morning. But the reason Mark, or anyone else who sends me an HTML message, will get it automatically tossed back has nothing to do with the fact that the mail might contain a tinny version of the “Ride of the Walkure.” I bounce HTML-based e-mail because it is a threat to the security of my computer and to my privacy.

This column is far too short to list all the ways HTML can be a security or privacy threat – Google Inc. gets 77,000 hits for “privacy + ‘HTML e-mail'” and 20,000 for “security + ‘html e-mail'” – but here are a few:

CERT Coordination Center has posted a dozen or so warnings of ways that HTML e-mail can be used to exploit vulnerabilities in buggy software. Some of the exploits are quite impressive – see the CERT Web site ( for more information.

But the big threats do not depend on flaws in software to work – they operate even if the software is totally bug-free because they use features in HTML. Kiss your privacy – what shreds you still might have left on the Internet – goodbye if you or your company accepts HTML e-mail.

The sender of the message can find out when and on what computer you read the e-mail. That person also can find out if you forwarded the e-mail to someone else, and who the someone else is and return a copy of the cover letter you sent with the e-mail to that someone. The same is true if that someone replies to you or forwards the e-mail to a third person and remains the case as long as the original e-mail is included. The original HTML e-mail sender also can stick a cookie including your e-mail address on your machine that can later be read by cooperative Web sites, even if you are trying to be anonymous.

There are many more threats and I could go on, but you get the not so pretty picture.

Bradner is a consultant with Harvard University’s University Information Systems. He can be reached at [email protected].

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now