A recent article in the academic research publication The Conversation argued that displaying incoming email as plain-text is safer than HTML. Unfortunately, most major email providers do not offer this option to their users.
I agree that plain-text is a safer way to read email, and at Rackspace, we’ve let our Webmail users disable HTML display in their incoming email for more than a decade.
HTML email risks
So why is HTML email more dangerous than other display options? The most consequential exploit made possible by HTML email is URL misrepresentation.
URL misrepresentation abuses HTML’s ability to turn arbitrary text into a clickable hyperlink, which is itself a useful feature. It lets us replace a lengthy, hard-to-read URL such as:
…with concise text that describes the purpose of the page, such as “Rackspace Email Features”.
Unfortunately, it also opens the door for hiding a suspicious URL such as:
…behind text that looks like a trustworthy URL:
What they send is not always what you receive
HTML emails can embed external images and CSS that clients download when the message is read. The sender can upload new versions of this content even after the message has been sent. Bad actors use this technique to try to beat content filters, which only ever see the version that existed at delivery time.
The server could also serve dynamic content based on who requests it, and when, where and how. This way, bad actors can hyper-target their attack based on what they know about the recipient.
They’re watching you
A common practice of marketers is to add tracking images to their messages. The links to these external images are often customized to each recipient. When the server receives a request for that URL, it signals several useful facts to the sender:
- That the recipient opened the email
- When the recipient opened the email
- Where the recipient opened the email (based on IP address)
- That the recipient’s email address is valid
- That the content made it past spam filters
Marketers aren’t the only ones using tracking images. Malicious senders use this technique to gather information that makes their phishing campaigns more effective.
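The two HTML features described above, misrepresented link targets and remote tracking images, are exactly what a mail client or filter can look for before deciding to render a message as HTML. The following added example (not Rackspace code, and not from the original post) walks an HTML body with Python’s standard-library parser; the sample message body is constructed, and the hostnames in it are placeholders.

```python
# Scan an HTML email body for the features discussed above: link text naming a
# different host than the real href, and remote images that look like tracking pixels.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or hostname (group 1 = the host it shows)
URLISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#:]|$)", re.I)

class HtmlMailInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self._href, self._text = None, []   # anchor currently open and its visible text
        self.misrepresented_links = []      # (visible text, real href)
        self.remote_images = []             # (src, looks like a tracking pixel?)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src", "").startswith(("http://", "https://")):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            # a 1x1 image or a per-recipient query token is the classic open-tracking pattern
            self.remote_images.append((a["src"], tiny or bool(urlparse(a["src"]).query)))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            m = URLISH.match(text)
            real = (urlparse(self._href).hostname or "").lower()
            # text looks like an address, but the link really goes to another host
            if m and m.group(1).lower() != real:
                self.misrepresented_links.append((text, self._href))
            self._href = None

def inspect(html):
    p = HtmlMailInspector()
    p.feed(html)
    p.close()
    return p

# Constructed sample message body, not a real email
SAMPLE = """<p>Read about <a href="https://www.rackspace.com/email/features">Rackspace Email Features</a>.</p>
<p>Verify at <a href="http://login-verify.example.net/x">https://login.bank.example.com</a></p>
<img src="https://track.example.net/open.gif?uid=recipient-1234" width="1" height="1">
<img src="https://www.rackspace.com/logo.png" width="200">"""
```

A client that finds anything in `misrepresented_links`, or any remote image flagged as a likely tracking pixel, has a concrete reason to fall back to plain-text display or to block remote content for that message.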
Why is it safer to view incoming email as plain-text?
The techniques discussed above all depend on features of HTML email. Plain-text email is safer, as it avoids the HTML features hackers exploit to trick victims.
Rackspace Email users can disable HTML display of incoming email. As of this writing, there do not appear to be similar options in Gmail, Outlook Web Access or Office365. I hope that other mail providers will follow suit and provide this simple but important option to every email user.
Do you think that letting users disable HTML display of incoming email is an important feature for email clients? Let us know your opinion in the comments section below.
Other ways to stay safe
HTML emails are not the only way that phishers can trick their victims. Learn more about how to stay safe from phishing attacks on our recent phishing blog post.