There’s an interesting link over at Network Blog about a survey of a number of office workers who were completely unaware of the risks involved with email. Namely, most of the users interviewed were happy to open any email they got and, even worse, click on links regardless of who sent it.
They then link to an article at Application Security Blog that discusses how web bugs work in the context of emails. Email clients are becoming more and more resistant to this trick nowadays because they ask users whether they would like to download images. Of course, there are ways to circumvent those security measures (consumers prefer convenience and will turn off almost any security measure they can if they don’t understand how it’s protecting them).
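To see what the image-download prompt is guarding against, here is an added example (not from this post or the linked article) that lists the remote images an HTML email would fetch when opened. The message, addresses and host names are constructed sample data, and the 1x1 size and query-string checks are heuristics assumed here.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one embedded logo and one remote 1x1 image.
SAMPLE = """\
From: news@example.com
To: user@example.org
Subject: Monthly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello!</p>
<img src="cid:logo123" width="200" height="50">
<img src="https://tracker.example.net/o.gif?id=constructed-id" width="1" height="1">
</body></html>
"""


class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src requires a network fetch."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        url = urlparse(a.get("src", ""))
        # cid: and data: images travel inside the message; only URLs with a
        # host (http, https or protocol-relative) make the client call out.
        if not url.netloc or url.scheme not in ("", "http", "https"):
            return
        self.found.append({
            "host": url.hostname,
            # 0x0 or 1x1 is the classic invisible web bug shape (heuristic).
            "tiny": a.get("width") in ("0", "1") and a.get("height") in ("0", "1"),
            # A query string can carry a per-recipient identifier (heuristic).
            "has_query": bool(url.query),
        })


def remote_images(raw_message):
    """Return one dict per remote image in the message's text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteImageFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.found
```

Images hidden with CSS rather than width and height attributes are still listed as remote, but they will not be marked `tiny`.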
Email is a pretty scary medium these days. Part of the problem is that email clients and web browsers are becoming more full-featured as user demands on functionality rise. These issues are only partially under control at the moment, but the interaction between software is becoming more and more complex, and that is only allowing more and more vectors as a result. The fact that email can call the web is an issue, but there are tons of other applications that are starting to do the same (even things as obscure as online games). It will be interesting to watch these vectors morph as user interest in these mediums shifts. Instant messaging is a great example as it gradually overtakes email in popularity and becomes more and more feature-rich.