Proposal: TML. HTML without the 'H' for marking up mail, etc.
I have often wanted to be able to use some kind of style feature in email, but understand the security consequences of using HTML. That got me to thinking about some kind of XML that could be conjoined with CSS (perhaps a restricted subset of CSS) to produce nicely styled, safe emails. Does anybody follow what I'm saying? Has anybody tried such a thing already? STH
On Saturday 14 February 2004 8:25 pm, Steven T. Hatton wrote:
I have often wanted to be able to use some kind of style feature in email, but understand the security consequences of using HTML. That got me to thinking about some kind of XML that could be conjoined with CSS (perhaps a restricted subset of CSS) to produce nicely styled, safe emails. Does anybody follow what I'm saying? Has anybody tried such a thing already?
STH
Yes, I understand what you are saying. Essentially a functional subset of HTML, restricted to formatting of text, without the capability to render buttons which do things and without the hypertext bit - ie linking to web pages. A question, how would Fred Miller on the OT list send us all those fascinating links? This is not meant as a show stopper - I like your idea, but I do think this one needs addressing for a more complete proposal. Vince
On Sat, 2004-02-14 at 20:54 +0000, Vince Littler wrote:
A question, how would Fred Miller on the OT list send us all those fascinating links?
Um, the way he is now? Those are just plain text emails. If you see a clickable link it's because it's detected by your mailer. The problem (one of the problems) with links in html mail is that scammers do things like <a href=http://foo.com>bar.com</a>. You don't see the stuff inside the <a href> unless you're paying attention, and most Outlook users aren't.
On Saturday 14 February 2004 9:30 pm, Anders Johansson wrote:
On Sat, 2004-02-14 at 20:54 +0000, Vince Littler wrote:
A question, how would Fred Miller on the OT list send us all those fascinating links?
Um, the way he is now? Those are just plain text emails. If you see a clickable link it's because it's detected by your mailer
That is probably an answer
The problem (one of the problems) with links in html mail is that scammers do things like <a href=http://foo.com>bar.com</a>. You don't see the stuff inside the <a href> unless you're paying attention, and most Outlook users aren't.
This is definitely the problem
On Saturday 14 February 2004 12:19 pm, Vince Littler wrote:
On Saturday 14 February 2004 9:30 pm, Anders Johansson wrote:
On Sat, 2004-02-14 at 20:54 +0000, Vince Littler wrote:
A question, how would Fred Miller on the OT list send us all those fascinating links?
Um, the way he is now? Those are just plain text emails. If you see a clickable link it's because it's detected by your mailer
That is probably an answer
The problem (one of the problems) with links in html mail is that scammers do things like <a href=http://foo.com>bar.com</a>. You don't see the stuff inside the <a href> unless you're paying attention, and most Outlook users aren't.
This is definitely the problem
Why is this a problem? What does something like this: <a href=http://foo.com>bar.com</a> allow a scammer to do?? Curious, Jerome
On Saturday 14 February 2004 21:27, Jerome Lyles wrote:
On Saturday 14 February 2004 12:19 pm, Vince Littler wrote:
On Saturday 14 February 2004 9:30 pm, Anders Johansson wrote:
On Sat, 2004-02-14 at 20:54 +0000, Vince Littler wrote:
A question, how would Fred Miller on the OT list send us all those fascinating links?
Um, the way he is now? Those are just plain text emails. If you see a clickable link it's because it's detected by your mailer
That is probably an answer
The problem (one of the problems) with links in html mail is that scammers do things like <a href=http://foo.com>bar.com</a>. You don't see the stuff inside the <a href> unless you're paying attention, and most Outlook users aren't.
This is definitely the problem
Why is this a problem? What does something like this: <a href=http://foo.com>bar.com</a> allow a scammer to do?? Curious, Jerome
It can fool users into thinking they are being taken to FOO when in fact the link leads to BAR. (You gotta read closely). At BAR, all manner of evil code might be lurking. -- _____________________________________ John Andersen
On Sat, Feb 14, 2004 at 11:09:06PM -0900, John Andersen wrote: <snip>
Why is this a problem? What does something like this: <a href=http://foo.com>bar.com</a> allow a scammer to do?? Curious, Jerome
It can fool users into thinking they are being taken to FOO when in fact the link leads to BAR. (You gotta read closely). At BAR, all manner of evil code might be lurking.
FTR, it's the other way around: The user thinks he's going to the Bar, but ends up at FOO instead. Cheers ;) /Jon -- Whatever rocks your boat!
On Sunday 15 February 2004 03:09 am, John Andersen wrote:
It can fool users into thinking they are being taken to FOO when in fact the link leads to BAR. (You gotta read closely). At BAR, all manner of evil code might be lurking.
-- _____________________________________ John Andersen
Yup, that is exactly the kind of shenanigan I want to preclude. None of this hidden file extension BS either. I don't even believe it should permit the user to launch an executable from the MUC. As far as images go, it's often the case that mailing lists don't like them, nor attachments. The mailing list could provide a profile in the headers which the client could suck in when the list is joined. When you compose messages to the list, you would be restricted by the rules of the list. The same might go for regular users who you have already received mail from. In that case I would propose a manual override and let the rudeness be the responsibility of the user. I say this because some people who send you mail might be clueless as to what they are restricting. Obvious options would be available to the recipient of such an override, e.g. a pop-up asking if you want to accept whatever feature they overrode. I'm mostly talking about text size, color, style, and perhaps font type. Also, I'm not really talking about HTML-ite. HTML screwed up the intended separation between semantic markup and style. I'm suggesting it be done right. That is, style would be in css, tagging would be in TML. There should be reasonable default styles available, and the ability to send your own style as part of the message document. STH
The problem (one of the problems) with links in html mail is that scammers do things like <a href=http://foo.com>bar.com</a>. You don't see the stuff inside the <a href> unless you're paying attention, and most Outlook users aren't.
This is definitely the problem
Why is this a problem? What does something like this: <a href=http://foo.com>bar.com</a> allow a scammer to do?? Curious, Jerome
He was pointing out that the person using outlook would see a link to bar.com but would actually go to foo.com. Ken
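An added example, not part of any message in this thread: a Python sketch of the check a mail client or filter could run for the mismatch discussed above, where the visible link text names one host (bar.com) while the href points to another (foo.com). The function names, the sample body and the rule of ignoring a leading "www." are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a URL or host name (optional scheme, dotted host).
HOSTLIKE = re.compile(r"(?:[a-z][a-z0-9+.-]*://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def normalize(host):
    """Lower-case a host and drop a leading 'www.' (a simplifying assumption)."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


class LinkAuditor(HTMLParser):
    """Collects <a> elements whose visible text names a different host than href."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (visible text, shown host, actual host)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        match = HOSTLIKE.match(shown)
        actual = urlsplit(self._href).hostname
        if match and actual and normalize(match.group(1)) != normalize(actual):
            self.findings.append((shown, normalize(match.group(1)), normalize(actual)))
        self._href = None


def audit_links(html_body):
    """Return one finding per link whose text and target disagree on the host."""
    auditor = LinkAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.findings


# Constructed sample body: the first link is the case from the thread.
SAMPLE = (
    '<p>Log in at <a href=http://foo.com>bar.com</a>, read the docs at '
    '<a href="http://bar.com/docs">www.bar.com</a>, or '
    '<a href="http://foo.com/help">click here</a>.</p>'
)

if __name__ == "__main__":
    for shown, shown_host, actual_host in audit_links(SAMPLE):
        print(f"text shows {shown_host!r} but link goes to {actual_host!r}")
```

Links whose text is not host-like ("click here") are outside this check; a client would still need to show their real target before the user follows them.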
On Saturday 14 February 2004 11:25, Steven T. Hatton wrote:
I have often wanted to be able to use some kind of style feature in email, but understand the security consequences of using HTML. That got me to thinking about some kind of XML that could be conjoined with CSS (perhaps a restricted subset of CSS) to produce nicely styled, safe emails. Does anybody follow what I'm saying? Has anybody tried such a thing already?
STH
I think you mis-understand the objection to html in email. It is not objectionable ONLY because of security issues, but also due to the bulk it imposes on the email itself, and the fact that it is not universally readable (such as when non-graphical mail readers are used). So coming up with a non html solution solves only one minor aspect of the problem. It is after all, mostly a Microsoft problem of offering mail readers that can not be made secure. Kmail can be easily locked down and set up to never honor Html and security is then enhanced. But in spite of the security, Size, and universal accessibility issues there is ALSO the sheer annoyance factor of having to put up with someone's wild and crazy ideas of formatting, Fonts, Colors, backgrounds. A growing number of people reject the idea that anyone with a keyboard and a modem gets to determine what appears on someone else's screen. The beauty of plain text is that ideas stand by themselves. People who absolutely need formatting, (such as for sending reports or complex printed pages) etc have plenty of generally trusted formats such as pdf to use (as attachments). These are (and rightly should be) easily filterable against the day an exploit is found in the format. So I ask, will the free exchange of Ideas and discussion be enhanced in any meaningful way if you succeed in developing a new style/graphic format that resolves security issues? I suspect not, but that's just me... -- _____________________________________ John Andersen
On Saturday 14 February 2004 04:03 pm, John Andersen wrote:
On Saturday 14 February 2004 11:25, Steven T. Hatton wrote:
I have often wanted to be able to use some kind of style feature in email, but understand the security consequences of using HTML. That got me to thinking about some kind of XML that could be conjoined with CSS (perhaps a restricted subset of CSS) to produce nicely styled, safe emails. Does anybody follow what I'm saying? Has anybody tried such a thing already?
STH
I think you mis-understand the objection to html in email.
It is not objectionable ONLY because of security issues, but also due to the bulk it imposes on the email itself,
I think the bulk is a non-issue. It could be compressed to the point it is completely negligible. Also, with the increased speed of the net, doubling the size of text messages would not have much impact on download times, etc. Now, if this were to support images as well as typographical markup, that could increase the bulk significantly.
and the fact that it is not universally readable (such as when non-graphical mail readers are used).
UTF-8 has similar problems. As for typographical markup, that can be handled on a tty console in a way similar to lynx. Sure there would be a transition period, and there would always be a few clients which didn't adapt the technology. One big problem I see is that of handling replies that are constructed of excerpts from previous mails, such as this one.
So coming up with a non html solution solves only one minor aspect of the problem. It is after all, mostly a Microsoft problem of offering mail readers that can not be made secure.
I was seriously wondering if a class action against MS for gross negligence in the security area would be sustainable. My mail server is hit by an incredible amount of stuff that is clearly MS propagated Trojan horses or viruses.
Kmail can be easily locked down and set up to never honor Html and security is then enhanced.
One problem with HTML is the fact that it can force a load of external content if it is fully enabled. That is something that should not be supported. And any actual links should be clearly identifiable as such by the non-technical user.
But in spite of the security, Size, and universal accessibility issues there is ALSO the sheer annoyance factor of having to put up with someone's wild and crazy ideas of formatting, Fonts, Colors, backgrounds.
Personally, I find the ability to markup text very powerful when expressing myself in written form. Just today I received a message on this list that was intended to be viewed as fixed width in one particular area. It would have been nice if the author could have included a simple <code> tag, or something to indicate what kind of content it held.
A growing number of people reject the idea that anyone with a keyboard and a modem gets to determine what appears on someone else's screen.
The kind of functionality I'm thinking of could probably be turned off with only limited impact on the actual content. I'm really not aware of a growing number of people actively fighting to prevent someone from italicizing words in their sentences. Or providing color coded text. I believe the real concern is that 12-year-olds are being exposed to objectionable material.
The beauty of plain text is that ideas stand by themselves.
The beauty of syntax highlighting is that different ideas stand out, and are easily identified.
So I ask, will the free exchange of Ideas and discussion be enhanced in any meaningful way if you succeed in developing a new style/graphic format that resolves security issues?
I suspect not, but that's just me... -- _____________________________________ John Andersen
That's what people used to say when we argued for better GUIs in Linux, back when only a few dozen or so people could even spell KDE. Certainly there are potential problems, but there used to be a mailing list that required all text to be ascii-7. I don't know if that still applied to the Mathematica list, but it did two years ago. STH
On Sat, Feb 14, 2004 at 05:31:27PM -0500, Steven T. Hatton wrote:
I think the bulk is a non-issue.
Bulk *is* an issue. For a list such as this with several thousand subscribers, every bit is multiplied that many times. I may, economically, afford to fire up my (imaginary) 2.5 ton SUV to go down to the corner and get a pint of milk. But when everyone does that, problems arise; Finding a spot to park, etc... Not to mention the ecological issues... <snip>
But in spite of the security, Size, and universal accessibility issues there is ALSO the sheer annoyance factor of having to put up with someone's wild and crazy ideas of formatting, Fonts, Colors, backgrounds.
Amen.
Personally, I find the ability to markup text very powerful when expressing myself in written form. Just today I received a message on this list that was intended to be viewed as fixed width in one particular area. It would have been nice if the author could have included a simple <code> tag, or something to indicate what kind of content it held.
Agreed, although I believe the responsibility lies with the reader to review the information at hand, before subjecting his/her system to $COMMAND. <snip>
The beauty of plain text is that ideas stand by themselves.
The beauty of syntax highlighting is that different ideas stand out, and are easily identified.
Which compels me to suggest asking the developers of GUI mailers to adopt the 'syntax highlighting' that Mutt provides. IMO the introduction of YaML is not the solution... /Jon -- Whatever rocks your boat!
Sun, 15 Feb 2004, by jon@stevnsgade.dk:
On Sat, Feb 14, 2004 at 05:31:27PM -0500, Steven T. Hatton wrote: [..]
The beauty of syntax highlighting is that different ideas stand out, and are easily identified.
Which compels me to suggest asking the developers of GUI mailers to adopt the 'syntax highlighting' that Mutt provides.
When I use _yada_, /yada/ or *yada* in Mozilla it makes nice underscored, slanted and bold text from the text inside the markers, I wouldn't know what more to ask for. Certainly red, 24 point, blinking text like my colleagues send doesn't make me jump higher.. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. SUSE 8.2 Kernel k_athlon-2.4.20 See headers for PGP/GPG info.
On Sunday 15 February 2004 04:05, Theo v. Werkhoven wrote:
The beauty of syntax highlighting is that different ideas stand out, and are easily identified.
Which compels me to suggest asking the developers of GUI mailers to adopt the 'syntax highlighting' that Mutt provides.
When I use _yada_, /yada/ or *yada* in Mozilla it makes nice underscored, slanted and bold text from the text inside the markers, I wouldn't know what more to ask for. Certainly red, 24 point, blinking text like my colleagues send doesn't make me jump higher..
Theo
Well said. People who have difficulty expressing an idea without color, blinking text, triple bold, underline, should READ more to find out how others get points across. The written word, and standard language markup, have served mankind well for thousands of years. Would any of the great writers be better with bold and blinking text? My take on this, is even if all the Technical problems were solved it would still be a bad idea. I have all my email readers set to text only, and those messages with no plain text component go straight to trash. My feeling is that if the writer can not take the time to put his/her thoughts down in plain text, then they probably have nothing to say that could not be said via an instant message. About here is where some will be tempted to reply with a huge "bullshit" in 72point Red, Blinking, Underlined, Arial Extra Bold font on a background of solid brown, and a border of fancy green lace with inlaid images of raised middle fingers. ;-) Plain text protects me from all but the essential content of that. -- _____________________________________ John Andersen
On Saturday 14 February 2004 09:03 pm, John Andersen wrote [replying to Saturday 14 February 2004 11:25, Steven T. Hatton]:
I think you mis-understand the objection to html in email.
It is not objectionable ONLY because of security issues, but also due to the bulk it imposes on the email itself, and the fact that it is not universally readable (such as when non-graphical mail readers are used).
Bulk is less of an issue these days. For me, the real objection to HTML mail is that there is no standard which supports it. Hence when someone takes it into their head 'wouldn't it be cool to do email in HTML', you end up with a population of a variety of different clients which might or might not support it, and in the old days, when I had clients which did not support it, I just used to see markup, which I thought was just ill mannered [on the part of the sender and commercial bullying on the part of the sender's email client supplier] - to the extent that to this day I do not respect the senders of HTML mail. The other issue with no standard for HTML in email, is that the issues which Steven is trying to address are not addressed. HTML is not a complete standard for Markup in email, and until there is such a standard, HTML mail clients are premature.
But in spite of the security, Size, and universal accessibility issues there is ALSO the sheer annoyance factor of having to put up with someone's wild and crazy ideas of formatting, Fonts, Colors, backgrounds.
A growing number of people reject the idea that anyone with a keyboard and a modem gets to determine what appears on someone else's screen.
The beauty of plain text is that ideas stand by themselves.
When you say 'The beauty of plain text is that ideas stand by themselves', you are putting substance above form, which I would agree with. However, when you say 'A growing number of people reject the idea that anyone with a keyboard and a modem gets to determine what appears on someone else's screen', you are missing the fact that regardless of the form of an email, the sender is allowed to project ideas into someone else's head. The OT list shows that there is far more potential to cause offence using plain ascii than ever you could with formatting.
People who absolutely need formatting, (such as for sending reports or complex printed pages) etc have plenty of generally trusted formats such as pdf to use (as attachments). These are (and rightly should be) easily filterable against the day an exploit is found in the format.
I may be wrong, but isn't pdf a proprietary format? I think the beauty of Steven's proposal is that the format should be simple enough to be open and demonstrably be as exploit proof as plain ascii, but allow more dimensions of expression. Vince
On Sunday 15 February 2004 01:52, Vince Littler wrote:
On Saturday 14 February 2004 09:03 pm, John Andersen wrote [replying to Saturday 14 February 2004 11:25, Steven T. Hatton]:
I think you mis-understand the objection to html in email.
It is not objectionable ONLY because of security issues, but also due to the bulk it imposes on the email itself, and the fact that it is not universally readable (such as when non-graphical mail readers are used).
Bulk is less of an issue these days. ...snip
Try running a popular mailing list Vince, Bulk IS an issue.
The other issue with no standard for HTML in email, is that the issues which Steven is trying to address are not addressed. HTML is not a complete standard for Markup in email, and until there is such a standard, HTML mail clients are premature.
Html is more than complete enough for the needs of email. That's precisely the problem. The godawful crap some people inflict on others just because they CAN is overkill.
But in spite of the security, Size, and universal accessibility issues there is ALSO the sheer annoyance factor of having to put up with someone's wild and crazy ideas of formatting, Fonts, Colors, backgrounds.
A growing number of people reject the idea that anyone with a keyboard and a modem gets to determine what appears on someone else's screen.
The beauty of plain text is that ideas stand by themselves.
When you say 'The beauty of plain text is that ideas stand by themselves', you are putting substance above form, which I would agree with.
Righto...
However, when you say 'A growing number of people reject the idea that anyone with a keyboard and a modem gets to determine what appears on someone else's screen', you are missing the fact that regardless of the form of an email, the sender is allowed to project ideas into someone else's head.
But we Invite the ideas when we open an email account, and (in the present case) subscribe to mailing lists. It's the trash that comes with the ideas that is insulting. If I send you a letter by post, and as soon as you opened the envelope five people sprang from nowhere and shouted several words of the message loudly while others rummaged thru your bookshelf and still others painted your walls you would not forget what I said in the letter (and probably never open another from me). In other words, elaborate mark up is COUNTERPRODUCTIVE. It does not aid the clear presentation of ideas. Well expressed Ideas do not need bold red blinking text. Poorly expressed Ideas can not be improved with bold red blinking. One can't make a silk purse out of a sow's ear, and attempts to do so always fail and annoy the sow.
The OT list shows that there is far more potential to cause offence using plain ascii than ever you could with formatting.
Now I think you are confusing form and substance here... ;-)
People who absolutely need formatting, (such as for sending reports or complex printed pages) etc have plenty of generally trusted formats such as pdf to use (as attachments).
I may be wrong, but isn't pdf a proprietary format?
Hard to say. I know every SuSE distro since 8.0 has had the ability to print to pdf. You can even edit pdfs with Kwrite I'm told.
I think the beauty of Steven's proposal is that the format should be simple enough to be open and demonstrably be as exploit proof as plain ascii, but allow more dimensions of expression.
If he would STOP there that would be fine. But no one will. Give me bold, underline, and indentation management and I would be happy. But others would decide blinking text was essential, background images critical, and musical accompaniment really really nice... I like Steven's Idea of css-driven presentation markup far better than the idea of html. As long as the tags are VERY limited, and unknown tags are simply dropped, and no backgrounds, attachments, musical presentation etc etc ad infinitum. -- _____________________________________ John Andersen
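An added example, not code from the thread or from any existing TML implementation: a Python sketch of the allowlist filtering described above (very limited tags, unknown tags dropped, no external content) combined with the restricted CSS subset from the original proposal. The tag set, the property list and all names are hypothetical, since the thread never defines them, and style is carried only in an inline `style` attribute here.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical TML vocabulary: text formatting only, no links, images or forms.
ALLOWED_TAGS = {"p", "em", "strong", "u", "code", "blockquote"}
# Restricted CSS subset: text size, color, style and font type.
ALLOWED_CSS = {"color", "font-size", "font-style", "font-weight", "font-family"}
# Values may not contain parentheses, colons, slashes or backslashes,
# so url(...) and any other function syntax can never pass.
SAFE_VALUE = re.compile(r"[A-Za-z0-9#%., -]+")
# Elements whose text content is discarded along with the tag.
DROP_CONTENT = {"script", "style"}


def filter_style(style):
    """Keep only allowlisted declarations whose values are plain tokens."""
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if sep and prop in ALLOWED_CSS and SAFE_VALUE.fullmatch(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


class TMLSanitizer(HTMLParser):
    """Re-emits only allowlisted tags; every attribute except a filtered style is lost."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # depth inside script/style elements

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        if self._skip or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text still flows through
        style = filter_style(dict(attrs).get("style") or "")
        attr = f' style="{html.escape(style)}"' if style else ""
        self.out.append(f"<{tag}{attr}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self._skip:
            self._skip -= 1
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))


def sanitize_tml(markup):
    parser = TMLSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample message mixing allowed markup with things the filter must drop.
SAMPLE = (
    '<p style="color: #c00; background-image: url(http://tracker.example/p.gif); '
    'font-size: 120%">Hello <blink>there</blink>, see '
    '<a href="http://foo.com">bar.com</a> <img src="http://tracker.example/i.png">'
    '<code onclick="x()">ls -l</code></p><script>x()</script>'
)

if __name__ == "__main__":
    print(sanitize_tml(SAMPLE))
```

Because nothing that can reference a URL survives (no `href`, no `src`, no `url()` value), rendering the output cannot trigger a fetch of external content, and the former link appears only as its visible text.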
On Saturday 14 February 2004 15:25, Steven T. Hatton wrote:
I have often wanted to be able to use some kind of style feature in email, but understand the security consequences of using HTML. That got me to thinking about some kind of XML that could be conjoined with CSS (perhaps a restricted subset of CSS) to produce nicely styled, safe emails. Does anybody follow what I'm saying? Has anybody tried such a thing already?
STH
ascii works well
participants (9)
- Anders Johansson
- Jerome Lyles
- John Andersen
- Jon Clausen
- Ken Schneider
- Steven T. Hatton
- Theo v. Werkhoven
- Tom Allison
- Vince Littler