Did ROPEMAKER just unravel email security? Nah, it's likely a feature

remote CSS?

no one supports remote CSS though, inline or nothing

that's like saying you can use JS for malicious intent in an email. well yes, if anything actually allowed it.

3
0
Silver badge

Re: remote CSS?

Outlook and Thunderbird? Both will load remote content if you let them.

I think the main webmail providers allow CSS too.

4
0

Re: remote CSS?

Right, I'm off to dust off my Mutt installation this evening. All in the name of progress!

3
1

Re: remote CSS?

Yeah webmails etc allow CSS, but I'm fairly sure they don't allow it remotely, only what's embedded in the email

And if one doesn't block that at least by default then I simply won't use it

0
0
Silver badge

Re: remote CSS?

"Outlook and Thunderbird? Both will load remote content if you let them."

Simple solution: don't. And don't use webmail either.

2
0
Silver badge

Err,

Most of the emails I send are plain text. This is the way emails were in the 1970s, and it still works. The only formatting necessary is normal punctuation and the use of paragraphs, sometimes with 2 or 3 returns between them to break up content into logical blocks.

Generally with the wide variations of OS, mail client, printing, and fonts it is a good way to ensure that the recipient has a reasonable idea of what was written. If you need fancy formatting attach a PDF.

30
0
Bronze badge

Re: Err,

I've started doing this, get some comments about them looking plain but better than hiding a dodgy link.

17
0
Silver badge

Re: Err,

I've always done this. And I've always replied properly - snipping anything unnecessary, and interleaving my reply so that each part is given context by what is quoted immediately above it.

I was once asked by a colleague where my reply was, because he couldn't see it.

He couldn't see it because it wasn't at the top where he expected it to be. :(

12
0
Silver badge

Re: Err,

A: NO

Q: Is top posting ever correct?

14
0
Silver badge

Re: Err,

the flow.

breaks up

Top-posting

2
0
Silver badge

Re: Err,

> If you need fancy formatting attach a PDF

I'd go further and say "If you need fancy formatting create a PDF, and then keep it to yourself."

3
0
Silver badge

Re: Err,

"attach a PDF"

Another known attack vector :-)

0
0
Silver badge

The longer-term fix would involve a revision of internet standards and more intelligent security controls at the network and the endpoint,

Or, STOP USING HTML in emails.

42
1
Anonymous Coward

Irony?

...and with a quick tap at the keyboard on my large font, green phosphor screened, workstation, I substitute Alister's embedded italics tag with my sneakily crafted CSS tag to download all his bank information onto a USB stick within 10 seconds, laughing evilly....

4
0
Silver badge
Joke

Re: Irony?

I no longer see < i > tags, I see in italic!

5
0
Silver badge

Re: Irony?

Err... A C we are talking about e-mail, this isn't.

0
0
Silver badge

"Or, STOP USING HTML in emails."

Few people did until MS invented their own new "standard" and made it the default.

0
0

Re: Irony?

Oh, I don't see the code. I just see bold, underlined, red head1...

0
0

Why Do People Expose Themselves With HTML E-Mail

Text-mode is invulnerable to all these kinds of HTML/Web weaknesses, there is never, ever a good reason to inflict someone else with HTML-based messages, E-Mail is a TEXT medium!

18
2

Re: Why Do People Expose Themselves With HTML E-Mail

That's only true for what is nowadays a very small, old-school slice of email users.

Everybody else at the very least can't understand why anyone would tell them they can't have bold, italics, etc. in text they write to someone.

And we're not even talking about the crazy idea that people who get their news, etc. via daily emails should get it in black-and-white text with no headlines / etc. whatsoever.

Email *was* a text medium. Decades ago.

16
2
Bronze badge
Stop

Re: Why Do People Expose Themselves With HTML E-Mail

The irony here is that your markup thus:

*was*

is rendered in bold in my Thunderbird email client. Plus it will linkify a URL. This is just about the limit of anything one could want in marked-up email. CSS is *way* over the top.

Old-school? Possibly. Immune to smart-arses with nefarious style sheets? Certainly.

16
0
Silver badge

Re: Why Do People Expose Themselves With HTML E-Mail

You're right but all the cool kids and adults want colors and moving graphics, lots of visual bells and whistles. Security? They have possibly heard of it.

8
0
Bronze badge

Re: Email *was* a text medium. Decades ago.

Isn't progress wonderful.

1
0
Silver badge

Re: Why Do People Expose Themselves With HTML E-Mail

> Immune to smart-arses with nefarious style sheets?

yes, that's what "old-school" means, in this context.

2
0
Anonymous Coward

Re: Why Do People Expose Themselves With HTML E-Mail

Well, gmail says you've been outvoted. You lose. Time to move on or be left behind.

0
3

Re: "E-Mail is a TEXT medium"

The '90s called and want their rant back.

Email was a text medium. Since then it has grown richer. It is true that you can express everything in words with ordinary punctuation, but being able to add emphasis, and tables (*) is just too useful for people to be prepared to give up.

*) Yes, yes. I know you can do tables with fixed width fonts and spaces - but proportional fonts are so much nicer.

6
4
Silver badge

Re: "E-Mail is a TEXT medium"

I still view email as plain text by default and I still send plain text by default. I've noticed that some HTML clients handle plain text really badly, often losing the line breaks and bunching it all up though, but that's not my problem.

As for the occasional one that turns up and all I see is a line telling me I don't support HTML so should upgrade my email client, they're straight in the bin.

I'm of the school that considers HTML email to be a security hazard, to the point that if you send me email with an HTML section and you aren't on my approved list, it will bounce (the joys of personal email rather than business). If you can't present your information clearly as plain text then too bad. Just that simple filter takes out an awful lot of spam without having to try too hard.

26
1
Silver badge

Re: "E-Mail is a TEXT medium"

You are not the only one. Text is sufficient.

6
0
Anonymous Coward

Re: "E-Mail is a TEXT medium"

Then what happens when you're told you just lost a big deal because of your paranoia AND that your job is now at risk AND you risk getting blacklisted meaning you may not find a replacement job, either?

0
13
Silver badge

Re: "E-Mail is a TEXT medium"

Told by whom?

Some Nigerian prince with US $9M to spend on a contract with your company?

6
0
Silver badge

Re: "E-Mail is a TEXT medium"

"Email was a text medium. Since then it has grown richer."

Richer for marketing spammers and criminals. I have no wish to indulge such low-lives.

7
0
Silver badge

Re: "E-Mail is a TEXT medium"

"Then what happens when you're told you just lost a big deal because of your paranoia"

And what happens to you when your lack of paranoia has let in malware that's closed down your IT network for a few days or allowed access that's enabled a few million of your favoured currency units to be looted?

4
0
Anonymous Coward

Re: "E-Mail is a TEXT medium"

You're more likely to be nailed in a drive-by attack or by a spear-phished plausible attachment. And as they say, a picture's worth a thousand words, so abandoning images can cripple communications in other ways.

0
4

Re: "E-Mail is a TEXT medium"

"I'm of the school that considers HTML email to be a security hazard".

Well, yes - because it is.

I've worked with a major email server software company for many years on data integration applications - and although that software does all sorts of whizzy things, because that is what the market has demanded, corporately we only ever use Plain Text.

HTML emails are stripped back to Plain Text before receipt (by the client) and any that don't have a Plain Text counterpart are treated as toxic and are opened using rubber gloves and a pair of tongs.

4
0
Silver badge

Re: "E-Mail is a TEXT medium"

Then what happens when you're told you just lost a big deal because of your paranoia AND that your job is now at risk AND you risk getting blacklisted meaning you may not find a replacement job, either?

If you read my original comment I noted it was personal email, so the only person who could fire me from that is me. At work I use whatever system they have set up, although if I have enough configuration control on the email client I'll set it to favour plain text both ways. It's someone else's job to keep the system secure, my only obligation is to not do something stupid like click on the dodgy link or attachment should it make it as far as my inbox.

2
0
Linux

Old school

FWIW, I'm old school ... mail is read and written in plain text, monospaced.

But most of what I get is not. Which is annoying, since corp types really put unnecessary junk in their mails ... long disclaimers, and worst of all, company logos. In every bloody message. Which then sits on my hard drive, wasting space for nothing.

Yes I feel better now after that rant, thanks for asking.

19
1

Re: Old school

I am with those pointing out that email has always been fundamentally a text medium. Certainly, email *could* be something else. But do we want that? Surely the purpose of email is to efficiently communicate ideas.

When writing a paper letter, I hand-write or type a plain text missive. Logos, garish colored text and fonts, overuse of bold and italics etc. could only detract from the simple act of communicating an idea in words in the English (or any other) language.

I am in the privileged position of being selective about whom I choose to hear from. If I engage with a client who cannot communicate ideas effectively in plain English, this is not a client I want.

5
0
Silver badge

Re: Old school

Here any e-mail that contains html automatically gets dumped into the spam folder unless the sender is on the very short list of those acceptable but even then their e-mails are displayed only as text.

0
0
Silver badge

Re: Old school

"Which then sits on my hard drive, wasting space for nothing."

Why? Given your icon you should be familiar with /dev/null.

0
0
Silver badge

Re: Old school

Cost of wasted space is less than the cost of dealing with it.

I always used to swear mightily at the dodgy attachments when it was still dial-up, noticeable pause as the crap was squeezed down the phone line only to be deleted. It's interesting how things have scaled, back then when it was still small hard disks, an offensively large attachment might have been 100k in size and hold up a V.34 modem link for some time. Now it's all scaled a few orders of magnitude bigger.

0
0
Bronze badge

Re: Old school

'wasting space' - w0t, you never heard of file systems with deduplication?

0
0
Silver badge
Coffee/keyboard

Remote Content

1) Unless you are using Webmail, when it's received in your inbox no-one can change it.

UNLESS

2) You are daft enough to allow remote content, in which case you are pretty doomed anyway.

7
0

Prime Time TV?

I think someone at Mimecast has been watching too much prime-time TV, because if this is the quality of "security research" that they do then they are just as credible.

First of all, no reliable email client allows remote resources by default. While we normally think in terms of linked images, tracking bugs, etc. this also applies to linked CSS stylesheets.

Second, CSS can change how HTML is displayed, but it cannot change the contents of a link. CSS does not have the capability of changing an HREF attribute. The best they could do is put two links (both good and bad) into the body of the email and hide one. They wouldn't even be able to change the target of the bad link once the message was sent.

Third, while CSS does have the capability to INSERT text content, it does not have the ability to change it or remove it. The best it can do is hide it from display.

What's next, are they going to claim that they just discovered the javascript is insecure and that malware can be injected via an iframe?

In summary, if Mimecast services were affected by this to the point where they had to put in a patch or filter to compensate, then their services were already broken.

7
1

I Am Immune

This is a primary, though not even close to the only, reason I use plain-text only email. Microsoft, marketers - and lazy users - are the biggest reason this threat exists.

5
1

Headline is scary but read up.

OK, I've downloaded the ROPEMAKER information from Mimecast.

Near as I can see, the attacker has to send a carefully crafted email in order for ROPEMAKER to work. It can't simply change the content of ANY email, only an email that relies on a specific remote CSS file and has been crafted to take advantage of the changes to the remote CSS file.

I'm trying to figure out why anyone in their right mind would think it was a good thing to add to CSS, something that could actually change what was visibly displayed in an HTML document.

0
0
FAIL

block HTML or block remote access

I switched back to mutt about 2 years ago but I just checked Thunderbird and it has a "block remote content" setting, which was even enabled by default. The help text leads to a link that explicitly mentions CSS also, so I'm pretty sure this attack won't work on a default installation of TB.

As for webmail, I had to laugh at the claim that this attack will "fool even the most security savvy users". Sorry, but I find it hard to apply the phrase "security savvy" to people who use webmail directly on a browser (i.e., instead of via IMAP/POP3 on a proper mail client).

And if you're using an email service that does not allow IMAP or at least POP3, you should switch as soon as possible.

6
0
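Added example, not part of any comment above and not Mimecast's code: a Python sketch of the filtering ideas raised in this thread (refuse mail that pulls in remote CSS, treat mail with no plain-text part as suspect). The sample message, its example.net host and the names `triage` and `verdict` are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample (not from the article): HTML-only mail, placeholder hosts.
SAMPLE = """\
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="https://css.example.net/a.css">
<style>@import url("//css.example.net/b.css");</style></head>
<body><p style="background:url(cid:logo)">Hello</p></body></html>
"""

REMOTE = re.compile(r"\s*(https?:)?//", re.I)  # absolute or scheme-relative URL
CSS_URL = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)["']?([^"')\s;]+)""", re.I)

class RemoteStyleFinder(HTMLParser):
    """Collects stylesheet/CSS resource URLs that would be fetched remotely."""
    def __init__(self):
        super().__init__()
        self.remote, self.in_style = [], False
    def scan_css(self, css):
        self.remote += [u for u in CSS_URL.findall(css) if REMOTE.match(u)]
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href, rel = a.get("href") or "", (a.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel and REMOTE.match(href):
            self.remote.append(href)
        self.in_style = self.in_style or tag == "style"
        self.scan_css(a.get("style") or "")          # inline style="" attributes
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:                            # body of a <style> block
            self.scan_css(data)

def triage(raw):
    """Return (has_plain_text_part, remote_css_urls) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    finder = RemoteStyleFinder()
    types = [p.get_content_type() for p in msg.walk()]
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return "text/plain" in types, finder.remote

def verdict(raw):
    """Policy sketch: no remote CSS; mail with no plain-text part is suspect."""
    has_plain, remote = triage(raw)
    return "reject" if remote else ("deliver" if has_plain else "quarantine")
```

Embedded `cid:` references and inline-only styles are not flagged, so mail that carries all of its styling inside the message still passes.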
Anonymous Coward

Is Geary any good?

This excellent discussion makes me think I want off webmail and have a mail client again ... the only things I miss from my Apple Mac are Mail and Preview - I have Geary but I've never used it ... should I bother?

0
0

There is a solution for this

Lock down an allowed subset of HTML and simple multimedia support which is universally supported. Simple CSS with none of the latest magic features (all entirely unnecessary and mostly unsupported in the most widely used desktop clients), basic image support and a functional set of tags for paragraph formatting, text layout and so on.

The key thing is to mandate accessibility and essential support for responsive design, but all this could and should be included in an inline stylesheet. Email doesn't need deluxe stylesheet features with transitions and all of the stuff modern web sites use. It's more work for the designers of commercial email design/delivery programs, but that's their job.

This could be done pretty quickly by the main manufacturers and W3C defining an RFC in consultation with a cabal of infosec orgs. It won't happen until something catastrophic happens affecting big business, but HTML email should have never been rendered with the same support as regular web sites.

0
0
Silver badge

Re: There is a solution for this

I wouldn't mind that, really. Plain text means things that can't be conveyed in words, like pictures (worth a thousand words, remember?), get lost, and you can't rely on links since they can be booby-trapped (watering-hole or drive-by attack). Everything should be inline, and you can allow things beyond text; just limit it to things that would be used for formatting purposes like the basic B, I, UL tags, and so on. I mean, since when can you be pwned by a B tag? Might as well say you can be pwned by a plain-text e-mail, in which case it's probably time to abandon the Internet altogether.

0
0
Black Helicopters

Now if someone were to try this exploit, say...

... on emails sent or received by a candidate for President of the United States, there might be a story ...

0
0
