→Security vulnerabilities: fixed dead link; conversion apparently upon delivery
== Security vulnerabilities ==
HTML allows a link to be displayed as arbitrary text, so that rather than displaying the full URL, a link may show only part of it or simply a user-friendly target name. This can be used in [[phishing]] attacks, in which users are fooled into believing that a link points to the website of an authoritative source (such as a bank), visiting it, and unintentionally revealing personal details (like bank account numbers) to a scammer.

If an email contains inline content from an external server, such as a [[Digital image|picture]], retrieving it requires a request to that external server which identifies where the picture will be displayed and other information about the recipient. [[web bug|Web bug]]s are specially created images (usually unique for each individual email) intended to track that email and let the creator know that the email has been opened. Among other things, that reveals that an email address is real, and can be targeted in the future.
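A mail gateway or client can flag both of the patterns just described before the message is rendered: a link whose visible text names one host while its target points at another, and an image that must be fetched from a remote server. The following Python scanner is an added example, not part of this article; the message body and the host names in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _url_like(text):
    # Treat the visible text as a URL only if it has no spaces and a dot,
    # so labels such as "Click here" are not compared against the target.
    t = text.strip()
    return bool(t) and " " not in t and "." in t


class EmailHtmlAuditor(HTMLParser):
    """Collect (kind, detail) findings for link/host mismatches and remote images."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently being read
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img":
            # A src with a hostname forces a fetch from that server when the
            # mail is displayed; cid: and data: references do not.
            host = urlparse(a.get("src", "")).hostname
            if host:
                self.findings.append(("remote-image", host))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            if _url_like(text):
                shown = urlparse(text if "://" in text else "//" + text).hostname
                actual = urlparse(self._href).hostname
                # Visible text looks like a URL but the link goes elsewhere.
                if shown and actual and shown != actual:
                    self.findings.append(("link-mismatch", f"{shown} -> {actual}"))
            self._href = None


def audit_html_email(body):
    """Return the list of findings for one HTML message body."""
    parser = EmailHtmlAuditor()
    parser.feed(body)
    parser.close()
    return parser.findings


# Constructed sample: one disguised link, one honest link, one tracking pixel,
# one inline (cid:) image that needs no network request.
SAMPLE = """<html><body>
<p>Please <a href="https://login.mismatch.example/x">
https://www.bank.example/login</a> to confirm your details.</p>
<p><a href="https://www.bank.example/help">www.bank.example/help</a></p>
<img src="https://tracker.example/p.gif?id=u123" width="1" height="1">
<img src="cid:logo@mail">
</body></html>"""
```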
Displaying HTML content frequently involves the client program calling on special routines to parse and render the HTML-coded text; deliberately mis-coded content can then exploit mistakes in those routines to create security violations.{{cn}} Requests for special fonts, etc., can also impact system resources.{{cn}}
During periods of increased network threats, the US Department of Defense has converted users' incoming HTML email to text email.<ref>{{cite web|publisher=nextgov.com|url=https://www.nextgov.com/cybersecurity/2006/12/dod-bars-use-of-html-e-mail-outlook-web-access/213308/|date=December 22, 2006 |title=DOD bars use of HTML e-mail, Outlook Web Access|accessdate=2024-06-22}}</ref>