Helping people with computers... one answer at a time.
HTML email can include embedded malware, plain text cannot. So just how risky is HTML formatted email?
Do you think that disabling HTML provides much extra safety in using email?
A small amount.
HTML (and rich text) email allows you to specify various attributes in your email like bold, italics and even color text red.
Plain text is, well, it's plain.
The "problem" is that because HTML is also the way that web pages are encoded, it can often do more than just change the look of your text. Much more.
In the past, the problem was fairly large, as things could be embedded in HTML that could in turn compromise your system when the message was simply displayed. In fact, it was even worse, because the original versions of the "preview pane" would display messages automatically, and thus give that embedded malware an automatic opportunity to infect you.
Nowadays with anti-virus, coupled with preview and image display being off by default, and further coupled with keeping your machine up to date with the latest patches and updates - the threat is extremely small.
But, technically, it is still there.
Not long ago an exploit was discovered in the VRML renderer that could be used with in HTML email. If you displayed the email, you were vulnerable. A patch resulted, but there was a window of opportunity. (As always, that window remains wide open for those who do not stay up to date.)
But there's no vulnerability associated with plain text email. There is no way to embed malware into plain text email other than by using attachments which in turn must be manually executed to have any effect.
So there's some legitimacy to the issue. Certainly in highly sensitive areas, I would expect HTML to be disabled as no risk is acceptable, especially one that can be so easily worked around. However, personally, I deal with HTML email all the time. I prefer to send plain text, but for different reasons:
plain text looks the same everywhere (most definitely not guaranteed for HTML mail)
email messages using only plain text are smaller
overuse of fancy formatting can easily detract from the message
9 times out of 10, it's simply not necessary
If security is an issue, and you don't want to risk displaying HTML email, an alternative is to use an email client which will display HTML email as text. By that I mean that there are email clients that will display the text contents of an HTML mail without trying to interpret or display the HTML itself.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.