So again, instead of taking my opinions at face value, let’s explore how I came to believe them. Bear in mind, though, that I’m comparing Outlook against its competition, which is a pretty vague comparison. So, when specifics are called for, I’ll call in Mozilla’s Thunderbird as a prime example of an Outlook competitor.
• Lower profile target. Face it, what do most people use the Internet for? Web browsing and email are likely to be at the top of just about anyone’s list. What are the most popular browser and emailer? Simple: Microsoft’s Internet Explorer and Outlook, and by a pretty darned big margin. Sure, Outlook Express probably deserves an honorable mention here, along with a few others, but in terms of market share, it’s IE and Outlook.
The corporate world loves IE and Outlook (paired, almost inevitably, with Microsoft Exchange) for all sorts of reasons. So do phishers and other Internet miscreants. I’d even venture to guess that no software in the history of software—such as it is—has been attacked as much as IE and Outlook have.
If you’re using either of these in their default configurations and without any additional security protection from anti-virus products, firewalls, spam filters, etc., your computer is almost certainly not fully under your own control any longer. I don’t say that as mere hyperbole either.
As such, using just about anything other than Outlook has got to be lower risk—not necessarily more secure, however.
Qualitative score: Outlook gets an F while Thunderbird (et al.) get a B+.
• Default configurations and configurability. Perhaps this one is a bit of a trick criterion, as pretty much every mailer I’ve ever installed came “out of the box” in a default configuration that was akin to walking through a crowd with copious quantities of $100 bills hanging out of your pockets—and then being surprised when you get robbed.
That said, most mailers these days allow the user to configure a pretty rich set of options regarding HTML rendering, automatic image downloading, message previewing, and script running. Many mailers nowadays take that a step further by watching out for emails containing known phishing sites, spam messages, and such—in essence, an auto-updating blacklist of bad characters. Although I’m not a fan of blacklisting (vs. whitelisting), they’ve no doubt prevented a lot of users from loading messages that could have harmed them.
Along these lines, the ability to plug into different anti-spam engines is a major bonus. Thunderbird, in particular, is quite flexible in how it plugs to your anti-spam engine of choice.
Both Outlook and Thunderbird carry out these features reasonably well. I have to admit, though, that I prefer Thunderbird’s security features, though this is a rather subjective measure. What I find missing, and perhaps I’m looking in the wrong places, is the sort of control that I get with the Noscript plug-in for Firefox that I mentioned last month.
Qualitative score: Outlook gets a C while Thunderbird gets a B.
Next page: Usability, and “the other guys”
• Usability. Despite my comments above about configurability, I have to admit that Outlook’s functionality is superb. As much as I like Thunderbird and others, their user interfaces pale in comparison. I’ve tried dozens of different mailers on Windows, Linux, and OS X, and I’ve yet to find a user interface like Outlook. While some people don’t like the “kitchen sink” approach to having so many things embedded in one application, I always found the interface to be intuitive and easy to get along with—at least, when things worked properly.
But wait, you say, you thought this was a security comparison. It (still) is. I’m a firm believer that software should be easy to use to include configuration of security features and such.
Having said that, it’s been my observation that Outlook’s user interface has been the victim of “creeping featurism” over the years, and some configuration attributes and such can be obfuscated in layers of menus. Still, kudos are due.
Qualitative score: Outlook gets an A- while Thunderbird gets a C.
• The other guys. Ok, I said that I’m comparing Outlook against its competition, but that I’d stick primarily with Thunderbird. What about the security of the other guys? Well, if you’re serious about email security, you’ll use a simple textual mailer that doesn’t know HTML from its ASCII. Elm, Mutt, and Berkeley Mail come to mind. Of course, they all fail the usability test miserably in my view, but in terms of security, they’re unbeatable.
The vast majority of email borne security woes stem from “rich” context like HTML, embedded scripts, and attachments. Since many of these “dumb” mailers don’t know how to interpret these things, they’re quite immune to such poxes.
Qualitative score: Outlook gets an F while the other guys get an A+.
So, it’s not so easy to compare security of emailers. Note that I’ve completely ignored the ability to plug into proprietary mail servers such as Microsoft’s Exchange. I’ve kept my comparisons principally to the user end and have assumed open standards on the back end. I’ve also not talked about integration with security products and capabilities like PGP and S/MIME. Most enterprise grade emailers can handle both of these admirably these days. We’ll address these things in more detail in a future column.
For me, I’m going to stick with anything but Outlook for email for the reasons I’ve cited above. I’m a big believer in Apple’s Mail.app mailer, coupled with Apple’s other Outlook-like apps like iCal and Address Book. I’d still like to see more security features there, however. Let’s hope Leopard brings us Mac users some of this.