So again, instead of taking my opinions at face value, let's explore how I came to believe them. Bear in mind, though, that I'm comparing Outlook against "its competition," which is a pretty vague comparison. So, when specifics are called for, I'll call in Mozilla's Thunderbird as a prime example of an Outlook competitor.
Lower profile target. Face it, what do most people use the Internet for? Web browsing and email are likely to be at the top of just about anyone's list. What are the most popular browser and emailer? Simple: Microsoft's Internet Explorer and Outlook, and by a pretty darned big margin. Sure, Outlook Express probably deserves an honorable mention here, along with a few others, but in terms of market share, it's IE and Outlook.
The corporate world loves IE and Outlook (paired, almost inevitably, with Microsoft Exchange) for all sorts of reasons. So do phishers and other Internet miscreants. I'd even venture to guess that no software in the history of software (such as it is) has been attacked as much as IE and Outlook have.
If you're using either of these in their default configurations and without any additional security protection from anti-virus products, firewalls, spam filters, etc., your computer is almost certainly not fully under your own control any longer. I don't say that as mere hyperbole either.
As such, using just about anything other than Outlook has got to be lower risk (not necessarily more secure, however).
Qualitative score: Outlook gets an F while Thunderbird (et al.) get a B+.
Default configurations and configurability. Perhaps this one is a bit of a trick criterion, as pretty much every mailer I've ever installed came out of the box in a default configuration that was akin to walking through a crowd with copious quantities of $100 bills hanging out of your pockets, and then being surprised when you get robbed.
That said, most mailers these days allow the user to configure a pretty rich set of options regarding HTML rendering, automatic image downloading, message previewing, and script running. Many mailers nowadays take that a step further by watching out for emails containing known phishing sites, spam messages, and such: in essence, an auto-updating blacklist of bad characters. Although I'm not a fan of blacklisting (vs. whitelisting), they've no doubt prevented a lot of users from loading messages that could have harmed them.
Along these lines, the ability to plug into different anti-spam engines is a major bonus. Thunderbird, in particular, is quite flexible in how it plugs into your anti-spam engine of choice.
Both Outlook and Thunderbird carry out these features reasonably well. I have to admit, though, that I prefer Thunderbird's security features, though this is a rather subjective measure. What I find missing, and perhaps I'm looking in the wrong places, is the sort of control that I get with the NoScript plug-in for Firefox that I mentioned last month.
Qualitative score: Outlook gets a C while Thunderbird gets a B.
Usability. Despite my comments above about configurability, I have to admit that Outlook's functionality is superb. As much as I like Thunderbird and others, their user interfaces pale in comparison. I've tried dozens of different mailers on Windows, Linux, and OS X, and I've yet to find a user interface like Outlook. While some people don't like the "kitchen sink" approach to having so many things embedded in one application, I always found the interface to be intuitive and easy to get along with, at least when things worked properly.
But wait, you say, you thought this was a security comparison. It (still) is. I'm a firm believer that software should be easy to use, and that includes configuration of security features and such.
Having said that, it's been my observation that Outlook's user interface has been the victim of creeping featurism over the years, and some configuration attributes and such can be obfuscated in layers of menus. Still, kudos are due.
Qualitative score: Outlook gets an A- while Thunderbird gets a C.
The other guys. OK, I said that I'm comparing Outlook against "its competition," but that I'd stick primarily with Thunderbird. What about the security of the other guys? Well, if you're serious about email security, you'll use a simple textual mailer that doesn't know HTML from its ASCII. Elm, Mutt, and Berkeley Mail come to mind. Of course, they all fail the usability test miserably in my view, but in terms of security, they're unbeatable.
The vast majority of email-borne security woes stem from rich content like HTML, embedded scripts, and attachments. Since many of these "dumb" mailers don't know how to interpret these things, they're quite immune to such poxes.
Qualitative score: Outlook gets an F while the other guys get an A+.
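The text-only behaviour described above, as an added example that is not part of the original column: a Python function that shows only the text/plain body of a message and reports the HTML features and attachments it left uninterpreted. The sample message is constructed, and the names `text_only_view` and `ActiveContentScanner` are illustrative assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message: plain text, an HTML part, and an attachment.
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Please see the attached invoice.
--b
Content-Type: text/html

<p>Please see the attached invoice.</p>
<img src="http://tracker.example.net/open.gif"><script>document.title="x"</script>
--b
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.zip"

placeholder
--b--
"""

class ActiveContentScanner(HTMLParser):
    """Appends to `findings` each HTML feature a text-only mailer never interprets."""
    def __init__(self, findings):
        super().__init__()
        self.findings = findings

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed", "form"):
            self.findings.append(f"<{tag}> element")
        src = dict(attrs).get("src") or ""
        if src.lower().startswith(("http://", "https://", "//")):
            self.findings.append(f"remote {tag}: {src}")

def text_only_view(raw):
    """Return (body, findings): the text/plain body and what was left uninterpreted."""
    msg = message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    body = plain.get_content().strip() if plain is not None else "[no text/plain part]"
    findings = []
    for part in msg.walk():
        if part.is_attachment():
            findings.append(f"attachment not opened: {part.get_filename()}")
        elif part.get_content_type() == "text/html":
            ActiveContentScanner(findings).feed(part.get_content())
    return body, findings
```

The HTML part is only scanned for reporting and is never rendered, so the remote image is not fetched and the script never runs.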
So, it's not so easy to compare security of emailers. Note that I've completely ignored the ability to plug into proprietary mail servers such as Microsoft's Exchange. I've kept my comparisons principally to the user end and have assumed open standards on the back end. I've also not talked about integration with security products and capabilities like PGP and S/MIME. Most enterprise-grade emailers can handle both of these admirably these days. We'll address these things in more detail in a future column.
For me, I'm going to stick with anything but Outlook for email for the reasons I've cited above. I'm a big believer in Apple's Mail.app mailer, coupled with Apple's other Outlook-like apps like iCal and Address Book. I'd still like to see more security features there, however. Let's hope Leopard brings us Mac users some of this.