Department of Defense Now Blocking HTML Email
oKAMi-InfoSec writes "The Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks, according to an article in Federal Computer Week by Bob Brewin. A spokesman for the Joint Task Force for Global Network Operations (JTF-GNO) claims that this is a response to an increased network threat condition. The network threat condition has risen from Information Condition 5 to Information Condition 4 (also called Infocon 4). InfoCon 5 is normal operating conditions and Infocon 4 comes as a result of 'continuing and sophisticated threats' against DoD Networks. The change to Infocon 4 came in mid-November, after the Naval War College suffered devastating attacks that required their entire system be taken offline, but the JTF-GNO spokesman claims there is no connection."
Good call (Score:5, Insightful)
As They Should (Score:5, Insightful)
I guess I should get back to chiseling my notes on stone slabs now.....
Better yet, just pitch all the email...... (Score:2, Insightful)
Although the focus is on Outlook, it seems like there's an outside chance there may be other clients and web interfaces (namely all of them) that are vulnerable to most of the same problems....
blocking is stupid (Score:1, Insightful)
however stripping HTML would be a better option as emails are usually sent as text/plain and text/html combined
blocking is just too drastic, perhaps IM would be a better option
Re:Stupid (Score:5, Insightful)
Up-to-date patches would mitigate those, but do you think somebody might be saving some zero-days for the DoD?
Re:I like some HTML email (Score:4, Insightful)
* what
* the
* hell
* is
* wrong
* with
* asterisks?
Re:Stupid (Score:1, Insightful)
Do you honestly think the DoD is going to move from a platform which supports every feature they currently utilize (I know, I am in the US Army) to one which doesn't have support for basic things like calendaring, public folders, centralized rules administration, and various other features that simply aren't available in this "better solution"? Thunderbird is not ready for the enterprise, nor will it be anytime soon without support for exchange/domino connectivity.
I am all for using open source, but when it doesn't fit the bill, I am not afraid to say that it won't do the job. Thunderbird is good for home use, but for corporate use (especially in a large entity like the DoD), it's just sub-standard and lacking in the necessary areas. The fact of the matter is that you can't even access an exchange server with T-Bird.
Re:Good! (Score:3, Insightful)
There's no excuse for it (Score:2, Insightful)
If you don't know how to use HTML, you shouldn't use it, period.
The HTML determines the rendering. (Score:4, Insightful)
Therefore, the digital signature will no longer reflect the "data" portion of the message and will be invalid.
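An added illustration, not part of the thread: the gateway-side stripping suggested in the "blocking is stupid" comment, and the signature concern raised in the comment above, shown with Python's standard `email` package. The sample message, addresses and helper names are constructed for this example, and the SHA-256 over the serialized entity is a simplified stand-in for the hash a real S/MIME or PGP signature would cover.

```python
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample: multipart/alternative mail whose HTML part loads remote content.
RAW = """\
From: alice@example.org
To: bob@example.org
Subject: Status
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Meeting moved to 1400.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Meeting moved to <b>1400</b>.</p>
<img src="http://tracker.example/x.gif"></body></html>
--b1--
"""

def parse(raw):
    """Parse raw RFC 5322 text into an EmailMessage."""
    return message_from_string(raw, policy=policy.default)

def signed_digest(msg):
    """SHA-256 of the serialized entity (stand-in for the signed hash)."""
    return hashlib.sha256(msg.as_bytes()).hexdigest()

def strip_html(msg):
    """Return a text/plain-only copy; refuse mail that has no plain alternative."""
    plain = msg.get_body(preferencelist=("plain",))
    if plain is None:
        raise ValueError("no text/plain alternative to fall back to")
    out = EmailMessage()
    for name in ("From", "To", "Subject"):
        if msg[name]:
            out[name] = msg[name]
    out.set_content(plain.get_content())
    return out

if __name__ == "__main__":
    original = parse(RAW)
    cleaned = strip_html(original)
    print(cleaned.get_content_type())
    print(signed_digest(original) == signed_digest(cleaned))
```

The digest mismatch is the point: a gateway that rewrites the body has to either leave signed mail untouched or accept that recipients will see the signature fail.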
Re:And the problem with this is? (Score:2, Insightful)
Re:As They Should (Score:3, Insightful)
Re:Doesn't that break digital signing? (Score:4, Insightful)
Re:I like some HTML email (Score:4, Insightful)
Re:Stupid (Score:3, Insightful)
My middle ground - both (Score:3, Insightful)
I read all my e-mail as "plain text". After all, HTML is plain-text too.
95% of the time that is all you need. Yeah, I can see they marked it italics or bold, but they are the same words.
If, after looking at the "raw" text, I really think the formatting will convey some additional info, I might look at it as "html". Looking at the raw text gives you a pretty good idea if there is anything sinister about it.
In my experience, most HTML mail that "needs" HTML is junk mail, office jokes and the like.
Real business correspondence works on typed pages and plain text. No HTML needed to get your message across. Oh, but please do use a spell checker.
not entirely (Score:3, Insightful)
Outlook did me the favor the other day of removing the "extra" line breaks, screwing up the already limited formatting I was stuck with. People will get around this by attaching a Word or Excel document. So the bandwidth costs are only temporary, till they figure out how to get back the formatting capability they had. The search function will be severely limited, unless Outlook will search through attachments.
I think forcing plain text is a bit severe. I understand the vulnerabilities of HTML, but allowing a reduced subset of HTML function to provide for text formatting would be a better (as in more useful for the end user) option. If the IT folks are the only ones whose convenience is being considered, I guess plain text is fine, and for that matter we should still be using diskless VT terminals. I don't often use the "threw out the baby with the bathwater" cliche, but I think it fits here. Allowing tables and italics isn't going to kill us.