back to article Who wants dynamic dancing animations and code in their emails? Everyone! says Google

Having last year axed its scanning of Gmail messages after years of withering privacy criticism, Google has decided to court controversy again in this area. Now it is extending its much-loved Accelerated Mobile Pages (AMP) technology to email inboxes. In a blog post on Tuesday, Gmail product manager Aakash Sahney announced …

Anonymous Coward

Who cares

I block email spam the sane way as amp spam.

Slow news day?????

0
38
(Written by Reg staff) Silver badge

Re: Who cares

Thanks for that insightful observation, anon.

C.

49
1
Anonymous Coward

Who cares

I fucking love Google and post this kind of "don't worry about it, they're great" bollocks relentlessly whenever they are mentioned.

7
1
Silver badge

Singing, dancing ads in e-mail with javascript, 3rd-parties, etc. and that entails? No thanks. I'll pass and stick with my "text-only" email. Damn, the mentality of the "audience" these days if that's what they want.

98
0
Silver badge

At Mark 85, RE: plain text email.

I wish I could up vote you a hundred more times. Since I can only give you one, I'll leave $100 with the barman to substitute. ... Now hand me the bowl of mixed party nuts & let me read my plain text email. =-)

24
1
Silver badge

I'll pass and stick with my "text-only" email

Some of us fondly remember the days of 7-bit ASCII emails. And have configured their email clients to do text-only and ignore this new-fangled penchant for all-singing, all-dancing, intrusive HTML.

Some people may find this appealing.

Not I. A hundred, thousand times not I.

20
0
Gold badge

Don't despair of humanity. Nobody asked for this, and nobody wants this. Except for marketing departments of course.

12
0
Silver badge

Except for marketing departments of course.

The only possible response.

4
0
Silver badge
Facepalm

requires JavaScript loaded from a content delivery network, which isn't optimal in terms of security.

I would like to nominate this as "understatement of the week".

7
0
Silver badge

"Damn, the mentality of the "audience" these days if that's what they want."

Nobody wants it in their inbox, but the advertisers want it, and Google makes (almost) all it's money from advertisers, so...

Why would you think that there is an 'audience' for this?

4
0
Silver badge

The "audience" doesn't want it at all. It has been foisted upon them by Google, who are reacting to their customers demands (i.e. the people that pay for advertising) to let them do this kind of thing.

We're not the customers, as I'm sure you're aware.

We're the victims.

2
0
Silver badge
Black Helicopters

Yet ANOTHER reason!

Yet ANOTHER reason to *NEVER* *VIEW* *MAIL* *AS* *HTML*.

because, scripting and style sheets are next. you KNOW it's coming! And embedded ADS in your e-mail, courtesy "whatever free e-mail service" you send/receive with.

Don't doubt me. Consider the following:

a) we can just block the web ads and still view the content

b) an operating system with ADS in it?

c) subscription-based OFFICE programs?

d) An annual fee just to use an OS?

I can see the possibility of click-through ads to view your e-mail (particularly with HTML mail viewers). Or, WORSE, click-through ads to SEND mail!

icon because paranoia

56
2
Silver badge
Windows

Re: Yet ANOTHER reason!

HTML is just HTML.

It's a page description language.

Now, embedded Javascript, you don't want for sure.

Just use a minimal HTML viewer that hasn't been written by bling addicts and that checks conformance of the input to standards. Because Langsec, you know.

13
3
Silver badge

Re: Yet ANOTHER reason!

Yeah, HTML is just HTML. Add in CSS and media queries and you've got a nice little device sniffer that tells the sender exactly what capabilities your device has. And that's just off the top of my head, the people who are good at this stuff will have hundreds of better, cleverer ideas.

I'm with the tin-foilers on this one!

32
0
Silver badge

Re: Yet ANOTHER reason!

I jusat upvoted an @BB post. I feel weird now. Whatever next? Cats living with dogs (been there, doing that), man living in peace with woman (also doing that).

Mac users liking Windows?

A step too far methinks.

10
0
Silver badge

Re: Yet ANOTHER reason!

click-through ads to SEND mail!

PS: which is one of the (many) reasons why I have my own mail server at home. Means paying for a commercial VDSL line but it's worth the cost.

Qmail, I think I love you.

8
0
Silver badge

Re: Yet ANOTHER reason!

Ah well, it looks as if my bogo filter will be getting another workout.

At the moment emails that don't have a clear text section in then never see anything other than the junk folder no matter how many offers I can't miss.

0
0

Re: Yet ANOTHER reason!

I think "minimal HTML viewer" meant one that only views content inline in the message. So inline CSS would be OK. Inline images would be OK. But I'm pretty sure the OP meant one that doesn't make any kind of outbound HTTP call when viewing the message.

1
0
Silver badge
Devil

Re: Yet ANOTHER reason!

"I jusat upvoted an @BB post"

Just think of me as a broken clock, being right twice a day.

2
1
Silver badge

Re: Yet ANOTHER reason!

Add in CSS and media queries and you've got a nice little device sniffer that tells the sender exactly what capabilities your device has

All you need is an MUA that renders external images and you have webbugs. You don't even need CSS for that one. (Or an MUA that respects the onerror event, though I'd hope that one which doesn't render external images also doesn't follow onerror.)

Of course, MUAs that respect CSS often provide other webbug channels, such as background-image.

And HTML emails make phishing a lot easier.

2
0
Silver badge
Black Helicopters

Re: Yet ANOTHER reason!

" I'm pretty sure the OP meant one that doesn't make any kind of outbound HTTP call when viewing the message."

that's one, but there are many things that style sheets can do that pose a potential problem. there's also HTML5 content (yes I really wanted to see that streaming video when I opened an e-mail) and things like that. But style sheets can have script-like behavior, too. They can get really large, and really complicated. And, of course, loading the style sheet across 'teh intarwebs' identifies YOU as the mail recipient, even if all it does is check to see that you have the latest version with a 'HEAD' request.

a style sheet can, for example, passively determine what your screen resolution is. Content that uses a particular style can then (theoretically) use this information to "phone home" that info on you. I forget the exact details on how it works, it has something to do with being able to manage auto-sizing column widths as one possible usage. I've actually worked on customer web pages that do this. Don't ask me HOW it works, it was confusing enough fixing the existing page so it would look right on a phone in portrait mode, or on a desktop or a 'slab' in landscape mode, with their varying aspect ratios and screen sizes [yes it works perfectly now!]. And I didn't have to change the style sheet - I embedded 'style' info into the HTML.

So using this information, indirectly determined from the style sheet setup, EVEN WITH SCRIPT TURNED OFF, it should be possible to 'nuke out' what some of the hardware is that you have on your computer. That doesn't even include font embedding or other potential danger items. There have been vulnerabilities with web fonts in the past, after all.

it's like a potential side-channel attack. You know, like Meltdown and Spectre.

seriously isn't the USER-AGENT bad enough in external HTML requests? Only now, it's e-mail spam doing this (in particular, spammed malware). And THOSE are the people who will leverage it.

icon, because, paranoia (again)

1
0
Silver badge

Ends-Means

Good lord, AMP is such a blight.

""I have plenty of concerns about AMP, both technical and ethical," he wrote in a post on news aggregator Lobste.rs. "But when we joined the AMP trial, we immediately saw higher user engagement on our AMP pages."

In other words, he's making an "ends justify the means" argument. "Sure, AMP is fraught with technical and ethical problems, but it gets us more revenue, so everything's good!"

AMP in email? Whatever. Those emails will remain invisible to me -- I don't allow HTML rendering or any automatic accessing of any outside data (even from the same place as the email was sent from).

29
0
Silver badge
Alert

Re: Ends-Means

"AMP is such a blight"

And they announce the desire to release this crap, BEFORE any proper patches for Meltdown and Spectre, knowing FULL WELL that javascript proof of concept for these exploits already exists...

16
2
Silver badge

Re: Ends-Means

Google claims AMP is fast for mobile platforms.

Know what's even faster than that? Google simply not permitting advertisers to deliver dynamic content- that no user, in the history of the world, has ever wanted or needed to see- in ads. Guess we'll see that happening, oh, the next never or so.

26
0
Silver badge

Re: Ends-Means

"BEFORE any proper patches for Meltdown and Spectre"

That's weird. I was under the distinct impression that the timer resolution making those exploits possible has been not so much reduced but rather obliterated in Palemoon specifically, and that the other browsers also did more or less the same thing already. What exactly are you on about...?

0
0
Silver badge

Re: Ends-Means

I think it's time to send an invoice email to the BBC, that turns into a request for Steve Wright to play "The Power Of Love" when opened a second time.

Email audit trails.. who needs 'em?

3
0

Re: Ends-Means

>Know what's even faster than that? Google simply not permitting advertisers to deliver dynamic content- that no user, in the history of the world, has ever wanted or needed to see- in ads.

The user is not the customer, though, the advertisers are. Google will implement features that advertisers want until the consumers walk away.

2
0
Silver badge

Re: Ends-Means

Maybe it won't be so bad as it looks like identifies itself with a custom tag. Apparently the spec requires either <html ⚡> or <htmp amp> so it should be simple enough to filter crap containing it to /dev/null.

0
0
Silver badge

Re: Ends-Means

I was under the distinct impression that the timer resolution making those exploits possible has been not so much reduced but rather obliterated in Palemoon specifically, and that the other browsers also did more or less the same thing already.

There are many timing channels for Javascript. Eliminating them all is probably infeasible (without crippling Javascript, and users willing to do that are already blocking it). There's ample research on this, and I've posted a link to the best-known paper before, if you want to search for details.

I don't believe I've seen a Javascript Meltdown exploit. Meltdown is a subset of the Spectre class, but all the Javascript Spectre exploits I've seen have been reading unprivileged data.

0
0
Silver badge
Unhappy

Re: Ends-Means

"the timer resolution making those exploits possible has been not so much reduced but rather obliterated in Palemoon specifically, and that the other browsers also did more or less the same thing already"

or so they say...

but the thing is, it doesn't eliminate the potential threat. It helps to mitigate what we currently know about the proof of concept algorithm. It is still possible, if you know enough about an OS or an application, to obtain information about it using a side-channel attack, if you repeat the operation sufficiently enough. I have personally used low resolution timers to check performance. if you test 10,000 operations with a timer that has 10msec or even 100msec accuracy, you can still determine how much time was spent doing those operations with reasonable accuracy. you won't be able to time a single operation, but you can time 10,000 of them. And THAT means an exploit will simply have to run LONGER to get a meaningful result, and target what it looks at a bit more carefully.

0
0
Anonymous Coward

"we immediately saw higher user engagement on our AMP pages"

Because Google is preferentially boosting AMP results, leveraging the ignorance of its user base to force publishers to embrace lock in on Google's technology, dancing to Google's tune.

27
0

> "Google is preferentially boosting AMP results"

More likely targeting teenagers who have never seen a PC get owned by email

16
0
Silver badge

"we immediately saw higher user engagement on our AMP pages"

Yup - everyone desperately trying to find out how to turn that shit off.

14
0
Silver badge

Re: > "Google is preferentially boosting AMP results"

Or written by teenagers who who have never seen a PC get owned by email.

7
0
Silver badge

Re: > "Google is preferentially boosting AMP results"

Or written by teenagers who who have never seen a PC get owned by email

Or, judging by my nephew (mid 20's), never using the email client on his PC or phone, preferring to instead use webmail.

Which is why I get queries on the (rare) occasion that my webmail server drops out.

2
0

Re: how to turn that shit off

If you have to use Google search, use encrypted.google.com instead - I see no AMP (thanks timecop1818)

1
0
Silver badge

Re: how to turn that shit off

Problem is, Google Search is just one of the routes that takes you to AMP now. If you browse twitter from a phone, they'll now "helpfully" try and direct you to an AMP version when you click a link to an external site.

0
0
Silver badge

Re: how to turn that shit off @JetSetJim

Had I been given that tip earlier, my life might be entirely different. I find AMP to be such a usability nightmare that I switched to Bing. No, really.

2
0
Silver badge
Devil

Re: how to turn that shit off @JetSetJim

"I find AMP to be such a usability nightmare that I switched to Bing"

have you tried duckduckgo.com ?

1
0
Silver badge

Re: how to turn that shit off @JetSetJim

> Had I been given that tip earlier, my life might be entirely different. I find AMP to be such a usability nightmare that I switched to Bing. No, really.

Yeah, thankfully this news story prompted me to decide I should pull my finger out and actually do something about it (especially as I follow a lot of news links from Twitter). So I've updated my adblock list (to block the AMP JS - particularly amp-ads) and created a Greasemonkey/Tampermonkey script to detect AMP pages and send me to the canonical URL instead: Remove AMP from my browsing

0
0
Silver badge

feh

I have Gmail set to deliver mail to my email client via IMAP. My email client is not a web browser. I have turned HTML and such off. I will never see their dancing ads. Should Google try to get around this, by, oh, giving static sending email using IMAP to my email client, I will kill my Gmail accounts.

18
0
Silver badge

Re: feh

Jsu to confirm what you're saying because I think you know more about this than I do.

This AMP thing only happens (at the moment) if viewed through a web browser which allows javascript to run. If an email client is set to display pages in html, with external content disabled (default for Outlook, Safari etc) would you get the AMP content or not?

1
0
Silver badge

Re: feh

That would depend on the email client. Some don't do JavaScript at all, some can do JavaScript but might have problems with AMP. Some can do just about everything that a web browser can do. I avoid the question by just turning off everything which isn't plain text and basic attachments. No viewing pix or PDFs in the mail, I _must_ download the attachment... if I feel like it. It's amazing how often I don't feel like it. Doing things this way means that macros and such cannot run until I download the attachment and open it with the appropriate application,which I do only in certain very specific circumstances. It means that .EXEs are instantly visible. It makes things difficult for phishers and other fraudsters. It also exposes the kind of person who insists on using HTML and JS tricks to tart up email in an. attempt to hide the fact that they're useless gits. All that I see is the plain text, no pix, no colors, no singing, no dancing, just the text. There would be a reason why I hate webmail and decline to use it.

6
0
Silver badge
Pint

Re: feh

Cheers

0
0
vir
Silver badge

"Some people may find this appealing."

I find it appalling.

60
0

mmm more junk that gets blocked. Its not as if we dont have enough junk to block already.

What is it with companies wanting to use my servers resources for their junk. Its not as if spectre isnt helping with server loads as it is *sarcasm*.

14
0
Anonymous Coward

feature request

Please, Google, once you have got this AMP malarky running smoothly in Gmail, can you roll out ActiveX and Flash in email too? In fact, why not make native code run as well, straight over email, it would be super neat. Even greater would be if we didn't have to click on anything before it ran either, that's such a drag.

43
0
Silver badge
Pint

Re: feature request

That is some quality sarcasm! Nice!!

14
0
Silver badge

Re: feature request

"In fact, why not make native code run as well, straight over email, it would be super neat."

Outlook used to have that feature, you could embed a sound file in your mail which would then be saved to disk and played... even if it had the extension .exe. (Explanation: The Windows API-Call to play a sound internally maps to the API-call to execute a program. So you could convince Outlook that it's a sound via the MIME-Type, but effectively you could send a native program.)

4
0
Silver badge

Re: feature request

Which most of us considered a gaping security hole of the "What the FUCK were they thinking?!?" class, not a feature.

5
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018