1. 7

  2. 2

    I’m posting this here with the “security” tag because it strikes me as an interesting, frequently underappreciated, side-channel in HTML email.

    1. 3

      It’s also a potentially interesting covert channel. I really like linguistic steganography techniques and there are a large number. For example, you can share a text advance and then substitute different homonyms from a table, with the index of substituted providing a value. Or you can displace punctuation and use the position to carry a signal. Or you can substitute misspellings in a copy-pasted text[1]. With HTML emails, you can probably do something similar with the position of <span>, for example. A typical client won’t differentiate between ‘Hello person, here is a message’ and ‘Hello person, here is a message’, and so you can probably hide messages entirely in invisible markup in entirely mundane emails. Someone reading the message will just assume that you’ve got a mail client with a crappy text editing widget (e.g. all of them), but if you view source you can extract the real message.

      Of course, like most steganographic techniques, it only works if the attacker doesn’t know what to look for. If I were really paranoid (and I do enjoy a good conspiracy theory, even if I don’t believe them) then I’d suggest that this is the reason HTML editing widgets in mail clients are so bad: Folks on the Outlook / Thunderbird / Apple Mail teams been doing this for decades and making sure the editors give them plausible deniability.

      [1] Slashdot used to have a lot of copy-pasta trolls and blocked them with a simple check to prevent people posting exactly the same message that had been pasted before. People got around this by making tiny tweaks to the message but I often wondered if anyone was embedding steganographic messages in these permutations. It would have been a great way of communicating anonymously: there were so many almost identical anonymous GNAA or ‘FreeBSD is Dying’ trolls that you could embed a short message in each one.