I block email spam the sane way as amp spam.
Slow news day?????
Having last year axed its scanning of Gmail messages after years of withering privacy criticism, Google has decided to court controversy again in this area. Now it is extending its much-loved Accelerated Mobile Pages (AMP) technology to email inboxes. In a blog post on Tuesday, Gmail product manager Aakash Sahney announced …
I block email spam the sane way as amp spam.
Slow news day?????
Thanks for that insightful observation, anon.
I fucking love Google and post this kind of "don't worry about it, they're great" bollocks relentlessly whenever they are mentioned.
I wish I could up vote you a hundred more times. Since I can only give you one, I'll leave $100 with the barman to substitute. ... Now hand me the bowl of mixed party nuts & let me read my plain text email. =-)
I'll pass and stick with my "text-only" email
Some of us fondly remember the days of 7-bit ASCII emails. And have configured their email clients to do text-only and ignore this new-fangled penchant for all-singing, all-dancing, intrusive HTML.
Some people may find this appealing.
Not I. A hundred, thousand times not I.
Don't despair of humanity. Nobody asked for this, and nobody wants this. Except for marketing departments of course.
I would like to nominate this as "understatement of the week".
"Damn, the mentality of the "audience" these days if that's what they want."
Nobody wants it in their inbox, but the advertisers want it, and Google makes (almost) all it's money from advertisers, so...
Why would you think that there is an 'audience' for this?
The "audience" doesn't want it at all. It has been foisted upon them by Google, who are reacting to their customers demands (i.e. the people that pay for advertising) to let them do this kind of thing.
We're not the customers, as I'm sure you're aware.
We're the victims.
Yet ANOTHER reason to *NEVER* *VIEW* *MAIL* *AS* *HTML*.
because, scripting and style sheets are next. you KNOW it's coming! And embedded ADS in your e-mail, courtesy "whatever free e-mail service" you send/receive with.
Don't doubt me. Consider the following:
a) we can just block the web ads and still view the content
b) an operating system with ADS in it?
c) subscription-based OFFICE programs?
d) An annual fee just to use an OS?
I can see the possibility of click-through ads to view your e-mail (particularly with HTML mail viewers). Or, WORSE, click-through ads to SEND mail!
icon because paranoia
HTML is just HTML.
It's a page description language.
Just use a minimal HTML viewer that hasn't been written by bling addicts and that checks conformance of the input to standards. Because Langsec, you know.
Yeah, HTML is just HTML. Add in CSS and media queries and you've got a nice little device sniffer that tells the sender exactly what capabilities your device has. And that's just off the top of my head, the people who are good at this stuff will have hundreds of better, cleverer ideas.
I'm with the tin-foilers on this one!
I jusat upvoted an @BB post. I feel weird now. Whatever next? Cats living with dogs (been there, doing that), man living in peace with woman (also doing that).
Mac users liking Windows?
A step too far methinks.
click-through ads to SEND mail!
PS: which is one of the (many) reasons why I have my own mail server at home. Means paying for a commercial VDSL line but it's worth the cost.
Qmail, I think I love you.
Ah well, it looks as if my bogo filter will be getting another workout.
At the moment emails that don't have a clear text section in then never see anything other than the junk folder no matter how many offers I can't miss.
I think "minimal HTML viewer" meant one that only views content inline in the message. So inline CSS would be OK. Inline images would be OK. But I'm pretty sure the OP meant one that doesn't make any kind of outbound HTTP call when viewing the message.
"I jusat upvoted an @BB post"
Just think of me as a broken clock, being right twice a day.
Add in CSS and media queries and you've got a nice little device sniffer that tells the sender exactly what capabilities your device has
All you need is an MUA that renders external images and you have webbugs. You don't even need CSS for that one. (Or an MUA that respects the onerror event, though I'd hope that one which doesn't render external images also doesn't follow onerror.)
Of course, MUAs that respect CSS often provide other webbug channels, such as background-image.
And HTML emails make phishing a lot easier.
" I'm pretty sure the OP meant one that doesn't make any kind of outbound HTTP call when viewing the message."
that's one, but there are many things that style sheets can do that pose a potential problem. there's also HTML5 content (yes I really wanted to see that streaming video when I opened an e-mail) and things like that. But style sheets can have script-like behavior, too. They can get really large, and really complicated. And, of course, loading the style sheet across 'teh intarwebs' identifies YOU as the mail recipient, even if all it does is check to see that you have the latest version with a 'HEAD' request.
a style sheet can, for example, passively determine what your screen resolution is. Content that uses a particular style can then (theoretically) use this information to "phone home" that info on you. I forget the exact details on how it works, it has something to do with being able to manage auto-sizing column widths as one possible usage. I've actually worked on customer web pages that do this. Don't ask me HOW it works, it was confusing enough fixing the existing page so it would look right on a phone in portrait mode, or on a desktop or a 'slab' in landscape mode, with their varying aspect ratios and screen sizes [yes it works perfectly now!]. And I didn't have to change the style sheet - I embedded 'style' info into the HTML.
So using this information, indirectly determined from the style sheet setup, EVEN WITH SCRIPT TURNED OFF, it should be possible to 'nuke out' what some of the hardware is that you have on your computer. That doesn't even include font embedding or other potential danger items. There have been vulnerabilities with web fonts in the past, after all.
it's like a potential side-channel attack. You know, like Meltdown and Spectre.
seriously isn't the USER-AGENT bad enough in external HTML requests? Only now, it's e-mail spam doing this (in particular, spammed malware). And THOSE are the people who will leverage it.
icon, because, paranoia (again)
Good lord, AMP is such a blight.
""I have plenty of concerns about AMP, both technical and ethical," he wrote in a post on news aggregator Lobste.rs. "But when we joined the AMP trial, we immediately saw higher user engagement on our AMP pages."
In other words, he's making an "ends justify the means" argument. "Sure, AMP is fraught with technical and ethical problems, but it gets us more revenue, so everything's good!"
AMP in email? Whatever. Those emails will remain invisible to me -- I don't allow HTML rendering or any automatic accessing of any outside data (even from the same place as the email was sent from).
"AMP is such a blight"
Google claims AMP is fast for mobile platforms.
Know what's even faster than that? Google simply not permitting advertisers to deliver dynamic content- that no user, in the history of the world, has ever wanted or needed to see- in ads. Guess we'll see that happening, oh, the next never or so.
"BEFORE any proper patches for Meltdown and Spectre"
That's weird. I was under the distinct impression that the timer resolution making those exploits possible has been not so much reduced but rather obliterated in Palemoon specifically, and that the other browsers also did more or less the same thing already. What exactly are you on about...?
I think it's time to send an invoice email to the BBC, that turns into a request for Steve Wright to play "The Power Of Love" when opened a second time.
Email audit trails.. who needs 'em?
>Know what's even faster than that? Google simply not permitting advertisers to deliver dynamic content- that no user, in the history of the world, has ever wanted or needed to see- in ads.
The user is not the customer, though, the advertisers are. Google will implement features that advertisers want until the consumers walk away.
Maybe it won't be so bad as it looks like identifies itself with a custom tag. Apparently the spec requires either <html ⚡> or <htmp amp> so it should be simple enough to filter crap containing it to /dev/null.
I was under the distinct impression that the timer resolution making those exploits possible has been not so much reduced but rather obliterated in Palemoon specifically, and that the other browsers also did more or less the same thing already.
"the timer resolution making those exploits possible has been not so much reduced but rather obliterated in Palemoon specifically, and that the other browsers also did more or less the same thing already"
or so they say...
but the thing is, it doesn't eliminate the potential threat. It helps to mitigate what we currently know about the proof of concept algorithm. It is still possible, if you know enough about an OS or an application, to obtain information about it using a side-channel attack, if you repeat the operation sufficiently enough. I have personally used low resolution timers to check performance. if you test 10,000 operations with a timer that has 10msec or even 100msec accuracy, you can still determine how much time was spent doing those operations with reasonable accuracy. you won't be able to time a single operation, but you can time 10,000 of them. And THAT means an exploit will simply have to run LONGER to get a meaningful result, and target what it looks at a bit more carefully.
"we immediately saw higher user engagement on our AMP pages"
Because Google is preferentially boosting AMP results, leveraging the ignorance of its user base to force publishers to embrace lock in on Google's technology, dancing to Google's tune.
More likely targeting teenagers who have never seen a PC get owned by email
Yup - everyone desperately trying to find out how to turn that shit off.
Or written by teenagers who who have never seen a PC get owned by email.
Or written by teenagers who who have never seen a PC get owned by email
Or, judging by my nephew (mid 20's), never using the email client on his PC or phone, preferring to instead use webmail.
Which is why I get queries on the (rare) occasion that my webmail server drops out.
If you have to use Google search, use encrypted.google.com instead - I see no AMP (thanks timecop1818)
Problem is, Google Search is just one of the routes that takes you to AMP now. If you browse twitter from a phone, they'll now "helpfully" try and direct you to an AMP version when you click a link to an external site.
Had I been given that tip earlier, my life might be entirely different. I find AMP to be such a usability nightmare that I switched to Bing. No, really.
"I find AMP to be such a usability nightmare that I switched to Bing"
have you tried duckduckgo.com ?
> Had I been given that tip earlier, my life might be entirely different. I find AMP to be such a usability nightmare that I switched to Bing. No, really.
Yeah, thankfully this news story prompted me to decide I should pull my finger out and actually do something about it (especially as I follow a lot of news links from Twitter). So I've updated my adblock list (to block the AMP JS - particularly amp-ads) and created a Greasemonkey/Tampermonkey script to detect AMP pages and send me to the canonical URL instead: Remove AMP from my browsing
I have Gmail set to deliver mail to my email client via IMAP. My email client is not a web browser. I have turned HTML and such off. I will never see their dancing ads. Should Google try to get around this, by, oh, giving static sending email using IMAP to my email client, I will kill my Gmail accounts.
Jsu to confirm what you're saying because I think you know more about this than I do.
I find it appalling.
mmm more junk that gets blocked. Its not as if we dont have enough junk to block already.
What is it with companies wanting to use my servers resources for their junk. Its not as if spectre isnt helping with server loads as it is *sarcasm*.
Please, Google, once you have got this AMP malarky running smoothly in Gmail, can you roll out ActiveX and Flash in email too? In fact, why not make native code run as well, straight over email, it would be super neat. Even greater would be if we didn't have to click on anything before it ran either, that's such a drag.
That is some quality sarcasm! Nice!!
"In fact, why not make native code run as well, straight over email, it would be super neat."
Outlook used to have that feature, you could embed a sound file in your mail which would then be saved to disk and played... even if it had the extension .exe. (Explanation: The Windows API-Call to play a sound internally maps to the API-call to execute a program. So you could convince Outlook that it's a sound via the MIME-Type, but effectively you could send a native program.)
Which most of us considered a gaping security hole of the "What the FUCK were they thinking?!?" class, not a feature.
Biting the hand that feeds IT © 1998–2018