Who cares
I block email spam the sane way as amp spam.
Slow news day?????
Having last year axed its scanning of Gmail messages after years of withering privacy criticism, Google has decided to court controversy again in this area. Now it is extending its much-loved Accelerated Mobile Pages (AMP) technology to email inboxes. In a blog post on Tuesday, Gmail product manager Aakash Sahney announced …
I'll pass and stick with my "text-only" email
Some of us fondly remember the days of 7-bit ASCII emails. And have configured their email clients to do text-only and ignore this new-fangled penchant for all-singing, all-dancing, intrusive HTML.
Some people may find this appealing.
Not I. A hundred, thousand times not I.
Yet ANOTHER reason to *NEVER* *VIEW* *MAIL* *AS* *HTML*.
because, scripting and style sheets are next. you KNOW it's coming! And embedded ADS in your e-mail, courtesy "whatever free e-mail service" you send/receive with.
Don't doubt me. Consider the following:
a) we can just block the web ads and still view the content
b) an operating system with ADS in it?
c) subscription-based OFFICE programs?
d) An annual fee just to use an OS?
I can see the possibility of click-through ads to view your e-mail (particularly with HTML mail viewers). Or, WORSE, click-through ads to SEND mail!
icon because paranoia
Yeah, HTML is just HTML. Add in CSS and media queries and you've got a nice little device sniffer that tells the sender exactly what capabilities your device has. And that's just off the top of my head, the people who are good at this stuff will have hundreds of better, cleverer ideas.
I'm with the tin-foilers on this one!
" I'm pretty sure the OP meant one that doesn't make any kind of outbound HTTP call when viewing the message."
that's one, but there are many things that style sheets can do that pose a potential problem. there's also HTML5 content (yes I really wanted to see that streaming video when I opened an e-mail) and things like that. But style sheets can have script-like behavior, too. They can get really large, and really complicated. And, of course, loading the style sheet across 'teh intarwebs' identifies YOU as the mail recipient, even if all it does is check to see that you have the latest version with a 'HEAD' request.
a style sheet can, for example, passively determine what your screen resolution is. Content that uses a particular style can then (theoretically) use this information to "phone home" that info on you. I forget the exact details on how it works, it has something to do with being able to manage auto-sizing column widths as one possible usage. I've actually worked on customer web pages that do this. Don't ask me HOW it works, it was confusing enough fixing the existing page so it would look right on a phone in portrait mode, or on a desktop or a 'slab' in landscape mode, with their varying aspect ratios and screen sizes [yes it works perfectly now!]. And I didn't have to change the style sheet - I embedded 'style' info into the HTML.
So using this information, indirectly determined from the style sheet setup, EVEN WITH SCRIPT TURNED OFF, it should be possible to 'nuke out' what some of the hardware is that you have on your computer. That doesn't even include font embedding or other potential danger items. There have been vulnerabilities with web fonts in the past, after all.
it's like a potential side-channel attack. You know, like Meltdown and Spectre.
seriously isn't the USER-AGENT bad enough in external HTML requests? Only now, it's e-mail spam doing this (in particular, spammed malware). And THOSE are the people who will leverage it.
icon, because, paranoia (again)
Add in CSS and media queries and you've got a nice little device sniffer that tells the sender exactly what capabilities your device has
All you need is an MUA that renders external images and you have webbugs. You don't even need CSS for that one. (Or an MUA that respects the onerror event, though I'd hope that one which doesn't render external images also doesn't follow onerror.)
Of course, MUAs that respect CSS often provide other webbug channels, such as background-image.
And HTML emails make phishing a lot easier.
Good lord, AMP is such a blight.
""I have plenty of concerns about AMP, both technical and ethical," he wrote in a post on news aggregator Lobste.rs. "But when we joined the AMP trial, we immediately saw higher user engagement on our AMP pages."
In other words, he's making an "ends justify the means" argument. "Sure, AMP is fraught with technical and ethical problems, but it gets us more revenue, so everything's good!"
AMP in email? Whatever. Those emails will remain invisible to me -- I don't allow HTML rendering or any automatic accessing of any outside data (even from the same place as the email was sent from).
"BEFORE any proper patches for Meltdown and Spectre"
That's weird. I was under the distinct impression that the timer resolution making those exploits possible has been not so much reduced but rather obliterated in Palemoon specifically, and that the other browsers also did more or less the same thing already. What exactly are you on about...?
I was under the distinct impression that the timer resolution making those exploits possible has been not so much reduced but rather obliterated in Palemoon specifically, and that the other browsers also did more or less the same thing already.
There are many timing channels for Javascript. Eliminating them all is probably infeasible (without crippling Javascript, and users willing to do that are already blocking it). There's ample research on this, and I've posted a link to the best-known paper before, if you want to search for details.
I don't believe I've seen a Javascript Meltdown exploit. Meltdown is a subset of the Spectre class, but all the Javascript Spectre exploits I've seen have been reading unprivileged data.
"the timer resolution making those exploits possible has been not so much reduced but rather obliterated in Palemoon specifically, and that the other browsers also did more or less the same thing already"
or so they say...
but the thing is, it doesn't eliminate the potential threat. It helps to mitigate what we currently know about the proof of concept algorithm. It is still possible, if you know enough about an OS or an application, to obtain information about it using a side-channel attack, if you repeat the operation sufficiently enough. I have personally used low resolution timers to check performance. if you test 10,000 operations with a timer that has 10msec or even 100msec accuracy, you can still determine how much time was spent doing those operations with reasonable accuracy. you won't be able to time a single operation, but you can time 10,000 of them. And THAT means an exploit will simply have to run LONGER to get a meaningful result, and target what it looks at a bit more carefully.
Google claims AMP is fast for mobile platforms.
Know what's even faster than that? Google simply not permitting advertisers to deliver dynamic content- that no user, in the history of the world, has ever wanted or needed to see- in ads. Guess we'll see that happening, oh, the next never or so.
>Know what's even faster than that? Google simply not permitting advertisers to deliver dynamic content- that no user, in the history of the world, has ever wanted or needed to see- in ads.
The user is not the customer, though, the advertisers are. Google will implement features that advertisers want until the consumers walk away.
Or written by teenagers who who have never seen a PC get owned by email
Or, judging by my nephew (mid 20's), never using the email client on his PC or phone, preferring to instead use webmail.
Which is why I get queries on the (rare) occasion that my webmail server drops out.
If you have to use Google search, use encrypted.google.com instead - I see no AMP (thanks timecop1818)
> Had I been given that tip earlier, my life might be entirely different. I find AMP to be such a usability nightmare that I switched to Bing. No, really.
Yeah, thankfully this news story prompted me to decide I should pull my finger out and actually do something about it (especially as I follow a lot of news links from Twitter). So I've updated my adblock list (to block the AMP JS - particularly amp-ads) and created a Greasemonkey/Tampermonkey script to detect AMP pages and send me to the canonical URL instead: Remove AMP from my browsing
I have Gmail set to deliver mail to my email client via IMAP. My email client is not a web browser. I have turned HTML and such off. I will never see their dancing ads. Should Google try to get around this, by, oh, giving static sending email using IMAP to my email client, I will kill my Gmail accounts.
Jsu to confirm what you're saying because I think you know more about this than I do.
This AMP thing only happens (at the moment) if viewed through a web browser which allows javascript to run. If an email client is set to display pages in html, with external content disabled (default for Outlook, Safari etc) would you get the AMP content or not?
That would depend on the email client. Some don't do JavaScript at all, some can do JavaScript but might have problems with AMP. Some can do just about everything that a web browser can do. I avoid the question by just turning off everything which isn't plain text and basic attachments. No viewing pix or PDFs in the mail, I _must_ download the attachment... if I feel like it. It's amazing how often I don't feel like it. Doing things this way means that macros and such cannot run until I download the attachment and open it with the appropriate application,which I do only in certain very specific circumstances. It means that .EXEs are instantly visible. It makes things difficult for phishers and other fraudsters. It also exposes the kind of person who insists on using HTML and JS tricks to tart up email in an. attempt to hide the fact that they're useless gits. All that I see is the plain text, no pix, no colors, no singing, no dancing, just the text. There would be a reason why I hate webmail and decline to use it.
Please, Google, once you have got this AMP malarky running smoothly in Gmail, can you roll out ActiveX and Flash in email too? In fact, why not make native code run as well, straight over email, it would be super neat. Even greater would be if we didn't have to click on anything before it ran either, that's such a drag.
"In fact, why not make native code run as well, straight over email, it would be super neat."
Outlook used to have that feature, you could embed a sound file in your mail which would then be saved to disk and played... even if it had the extension .exe. (Explanation: The Windows API-Call to play a sound internally maps to the API-call to execute a program. So you could convince Outlook that it's a sound via the MIME-Type, but effectively you could send a native program.)
AMP is causing higher user engagement presumably because you can't turn the sodding thing off in search results. I have no choice but to click on an AMP page most of the time these days because the regular page has been hidden somewhere. I always click on the link button at the top to open the page on the publishers site in the vain hope that others are doing it immediately and it shows up in their stats somehow.
Flashy you say? As Google lead so El Reg should follow. Can we have the blink tag enabled in comments please? Pretty please... You know it makes sense!
Do you think that marketing departments the world over are nostalgic for Geocities? As it seems many companies are trying to turn their sites into Geocities with extra pictures.
MY EYES!!!!!
Wrote to a national newspaper warning them that AMP easily lets users bypass their whole Paywall. (Disable-JS-Tweak-URL / View-Source within Browser etc). Their response... Its a deliberate feature of AMP and not a security hole from a business perspective. WTF, can someone explain that?
When AMP was launched very high level people in Google - Sundar and Eric - went round the large newspapers CEOs, who had at this point mostly rejected AMP as harmful to their business, at the Davos summit. They pointed out that papers adopting AMP would be candidates for a significant share of the €150 million funding under the Google Digital News Initiative. They also pointed out that AMP pages, being faster, would get promoted in Google search above those that didn't adopt. There were also some concessions around sharing users data to make it less of a closed Google option.
That combination of carrot and stick changed the minds of the CEOs.
Malte Ubl, engineering lead for AMP at Google, said over 31 million domains have created 5 million AMP pages since the technology debuted in early 2016.
31 million domains create 5 million pages that means that 5 out of 6 domains didn't produce an AMP page meaning only 16% take up at best (assuming 1 page per domain).
I wondered what the heck had happened at the BBC this last year or so.. this requiring a sign-in malarkey for every durned thing, I contacted the Beeb to ask why they were requiring a login in order for folks to use iPlayer when they hadn't for years, and they deliberately ignored my point and woffled on about 'personalisation' etc. SoI asked why one shouldn't be able to use iplayer exactly as before (ie: without signing in) if one doesnt want to have a 'personalised' experience, and they ignored that too. And I see that now teh buggers are requiring a login for the weather page if you want it to remember more than one location. And no response whatsoever to my pointing out that any large database will inevitably leak and/or get hacked.
Well, sod that - so I'm going TV-licence free, havent watched TV in months, and can't use iplayer now anyway ('cause I refuse to set up an account). But at least now I know what's happened at the Beeb - Aunty has been swept off her feet by a large supply of chocolates and is hooking up with a paramour that'll break her heart whenever Google wishes.
Sigh. This future world's more shite than I'd've expected back in proper time. Can I go back to my own timeline now, please? :-}
(exit stage left to the proper universe, whilst old biddy mutter-grumbling)
And I see that now teh buggers are requiring a login for the weather page if you want it to remember more than one location.
But why would anybody now want to use the BBC weather pages? They've made such a total fucking disaster with the recent redesign (and the BBC weather app) that there's far better alternative almost anywhere else.
This is the problem with the BBC right through - they are so busy "knowing best" that they simply don't see the world from licence-fee payers' perspective. And that's at a UI level, a broadcast content level, at a political & values level, and at a technology level.
as long as I can "sign in" with a 10minutemail.com e-mail address, it mitigates some of the problem (but not all) of a typical "sign up to view content" identity-slurping site.
[it's not like they don't already know my IP address, USER-AGENT string, and what time of day I'm hitting their web site at]
"But why would anybody now want to use the BBC weather pages? They've made such a total fucking disaster with the recent redesign "
IMHO, the last redesign was the one that broke the weather. A national view or a local, 20 or so mile radius was useless to me. I drive a lot. Most days at least 50 miles from home, sometimes as much as 250. I like being able to zoom in and out and see what the weather is likely to be doing at home, where I'm going and the bits in-between. It also means I don't need multiple "favourites" so don't need an account.
I think the BBC got so fed up of the criticism that they got for doing a good job and dominating news, sport and weather that they just decided to give up. And then there was that whole "we've got loads of video, let's force it on people whether they want it or not" redesign.
Stupid ideas like introducing hot desking, moving to Salford and equal pay for the useless and the competent didn't help retain the good staff.
Most of the people who did the good work have gone now and headed over to News International.
...has become a battleground where advertisers, media men, political propagandists and (other) criminals vie to take over my communication space to try and sell me solutions that don't work, to problems I don't have, for money I haven't got, either.
And the real issues remain completely unaddressed.
Whatever happened to working, for a living?
Seriously, why do you need html in email? Why do you need this carp? Why do the "modern" email programs have problems with the correct way of quoting the message you reply to? I usually do not top-quote, which leads to messages being shown as blank...
I want elm back ;p (on the cell phones of my colleagues)
But not it seems most of the commentators here.
I count myself in the 'emails should only contain ascii - not formatted text, not html, and certainly not animations'. But then, I am very old and probably don't understand what the young'ns want from their advertisers, er, correspondents.
I count myself in the 'emails should only contain ascii - not formatted text, not html, and certainly not animations'.
Exactly. One of the motivations for AMP in email is, apparently, ''load faster, particularly on resource-constrained, bandwidth-limited mobile devices''. So how about junking all the HTML and CSS - send just plain text.
Email is a message, I read it for the information that it contains, I am not interested in fonts or pretty colours. I want to be able to store it on my PC & I certainly don't want it to show me something different the next time that I look at it.
To be fair, even traditional mail included occasionally things that weren't strictly letters - postcards, illustrated catalogues etc. Much of that may have always been spam to many, but not to all - believe it or not, I often find occasional full-graphic "now on sale" ad-mails from some of the specialized sites I actually shop at actually rather useful (ie. random stuff from Amazon: not useful - shop selling only books and DVDs or RC hobby parts: potentially useful). Of course, this is NOT to endorse AMP in any sense, just to be clear, and I fully support anyone's choice who wants nothing but text - I'd just like to counterbalance it by pointing out that for at least some of us "text only (not even HTML)" is not one but several bridges too far.
Grow up - if you exclude style formatting you can't view tabular data nicely for one - design and layout are there to make things easier to read and comprehend.
Though I agree that's all that HMTL email should allow.
Anyway Microsoft Outlook won't adopt any of this for at least 20 years.
"monospace is fine for tabulating. In fact its a lot better than shit HTML"
Monospace has the further advantage that where "111.11" is displayed above "888.88", the individual digits display in the correct places.
Proportional fonts really aren't very good for displaying lists of more than one part or account number.
" if you exclude style formatting you can't view tabular data nicely for one"
If you want to send actual documents where this sort of thing is important, then attach a such a document. It's more useful that way anyhow, as people can view and manipulate it in an appropriate application rather than half-assing it in HTML. Don't pollute email with this crap.
simple/no-HTML newsreader should be a requirement.
I regularly ridicule people who insist on posting HTML content to USENET. One time I carefully constructed a USENET post [took some actual time] that had radically different content for the plain-text and HTML versions, basically ridiculing the asshat that thought HTML posts to USENET were so awesome. [this person also loves Win-10-nic, so there you go].
My initial motivation for installing an adblocker on my browser, followed by a script manager was those flash ads which would scroll across the screen with video and sound as soon as you scrolled down the page. El Reg was actually one of the worst offenders.
Any singing, dancing email messages will get AMP turned off and serious consideration given to ending email privileges for certain merchants of my acquaintance.
I recently bought a cheep and cheerful pair of shoes from a bricks and mortar shop and got a scratch card with it which revealed a code, put it in at shoe emporium dotcom. To complete this process there was a button to confirm conditions acceptance AND membership of their email list, naughty, naughty. I unsubscribed at first opportunity and left them admonishment on their web page.
Bad behaviour is common, more common than it should be. It would seem the risk of being caught is low and the sanctions not worrying enough.
> Any singing, dancing email messages will get AMP turned off
What, based on AMP for Web, gives you any inclinatiom there's going to be an option to disable this heap o' shite?
Plenty of 'users' have asked for a way to globally opt out of AMP. It's not been forthcoming.
They're almost certainly going to go out of their way to shove this heap as far down our throats as possible.
About the best you'll be able to do is reply to say you can't read their email and could they please resend as plain text. Almost back to the days of eejits sending everything as a word attachment.
"Having pages actually laid out nicely for mobile consumption is nice"
In theory, sure. In practice, I rarely see it done in a way that doesn't degrade the usefulness of the page. In the past, I'd been able to work around this by spoofing the browser ID to tell the server I'm using a desktop -- but with the increasing use of "responsive" web design, this has lost much of its effectiveness. So now, I don't browse the web on mobile devices unless there's a huge immediate need to do so.
"So the plaintiff claims the abused sent her a lewd video with her face edited into a sex act, along with a blackmail demand for sex or $10,000 to delete the file?"
"Yes, m'Lud."
"But when you, the plaintiff's attorney, opened the AMP email, the video showed only a dancing cat?"
"Yes, m'Lud"
"May I?" [His Lordship reaches for the smartphone]
>tap< >swipe< >tappity<
"Ah, here we are... Now it's trying to sell me a cheap holiday. Is this all the evidence you have?"
" . "
25 years ago a had to submit an IT project (as a website) to two different lectures for marking, the one of the Computer Science School insisted that text uses the "blink" function or I would fail and the one from "Digital Art and Design" department instead that I would fail if I used "Blink".
But since we keep seeing articles about PC's being vulnerable malicious code in in.PGN and.JPG then we can assume all our emails will have Bitcoin mining mail ware on them from now on in the form of a dancing chicken.
I'm with the rest of you. I use Amazon workmail for my personal (and my family's) accounts, through my own domain and the web-interface disables anything but plain-text by default. Makes it easier to weed out shit I'm not interested in, if the message looks garbled with loads of tags visible it generally gets junked.
I've also set up my Outlook client for work to send/receive in plain-text only, despite occasionally getting stick from the boss for not slapping the massive "branding" images and various bullshit social media links in my signature. I just point out that HTML e-mails are a security risk and I count disabling that shit under the category of "being a good neighbour".
I have many rules set up to block parts of this site to make it tolerable for me, such as the masthead, that annoying sticky menu I've never used, all images (yes really), that right hand column, the social buttons etc. To have ublock origin do this I can't whitelist the site so the ads get blocked too.
This has been asked before but not answered: How much revenue do you make if I read roughly a third of the articles you publish and never click on an ad? I'd probably be happy to donate that amount to you and continue reading the site as I want to.
Crazy
:Top
for %i=Javascript, Java, ActiveX, Dcom, "Code in Emails", Cocane, Uranium, "other really dangerous things"
do Echo Years ago they said don't use %i because it can trash your system, then the next big thing came out.
When computers came out I said to myself it would be interesting to know how they worked, I learnt assembly thru MS debug,write batch files, People said they would save paper and be good for us.
Now I look at articles about the great big piles of mobile phones and other ewaste, I also see Australia cannot recycle it's paper glass and metal,
set PATH=Hell in a handbasket;%PATH%
Now I just observe the mess, wondering how we got to this point.
:Exit
We have *quite* enough problems at [RedactedCo] with the _normal_ trickle that manages to get past the spam filters. I really don't have enough bandwidth to write a content filter that drops anything AMP enabled, but sure as death and taxes, I'll do it if it keeps my mail servers from getting that much more larded up.
And before I read the article, I thought it was talking about Cisco's Advanced Malware Protection (AMP) which is already a feature on their security appliances....