menga

the insecure thing google, banks and government do with emails

Fri 2026 Apr 24

[Image: email crap]

There are many things verboten in emails these days, and one of them is that you are never, for any reason, to link anything using http:// ever. You're supposed to use https:// because "secure". Right? Right.

Well, there's a problem.

Some companies use email templates that are old, haven't been updated in a very long time and still use http://, which is bad.

I'm going to show the problem, then describe the solution.

Google

I periodically receive emails from Google that brazenly have links to their pages using http:// while at the same time linking other things with https:// in the same message.

An example of such an email I received from Google earlier this year:

[Image: email]

Banks

Banks, which include credit card issuers, are absolutely notorious for sending out emails with image embeds called using http://, which is mixed content, and that's a giant no-no.

Government

This is where the one at top comes from. Yeah, sure, let's just link to something 27 years old that's not even part of the message at all, and do it insecurely because FUGGIT, nobody ever checks that stuff, right?

Wrong.

I noticed.

Government is far from the only one who does that w3.org http:// thing. Banks do this one too, as do Amazon, Spotify, Steampowered.com, and many others.

"It doesn't hurt anything", you may say. Doesn't matter. Everybody has been told that if you use http:// for anything in an email, you're a ding dang dirty sinner and are going straight to hell.

The solution

Well, this is obvious. Add the S so http:// is the proper https:// for everything.

However, I understand the reason http:// is still sprawled out all over the place in email templates for major companies.

What is the reason?

Red tape.

And oh, do I have a good example of this.

Certain emails from big companies have arrived in my inbox where I'll examine the source and sometimes see HTML comments.

This is a portion of a for-real email I received from a big company very recently:

[Image: DO NOT CHANGE ANYTHING YOU GOOBER]

The guy who made that released the ALL CAPS FURY and everything. And you gotta love that it's sitting directly below an insecure http:// link.

Note the explicit instruction not to change a damned thing without review first. And not just a review, a TEAM review.

Yeah, that's just a big pile of shit right there.

What that means is that anybody who spots the insecure http:// crap (which obviously nobody did) can't just edit the template and add one letter S. Nope. A report has to be made first to the "alert templates dev team".

If a report was actually filed, it would be received by an intern who, of course, will have absolutely no idea what to do with it.

The intern will guess where that report is supposed to be escalated to, then the report will be bounced around for a week to a month, then buried and forgotten.

While this is going on, insecure links from Big Ass Company are being sent to all the many, many thousands of customers every day.

Oh, joy.

Now you're probably thinking, "Why don't you email Big Ass Company and tell them about this?"

Ah, good question. And I have a good answer.

It wouldn't fix the problem.

Absolutely nobody in customer service for Big Ass Company knows anything about how email works. All that would happen is a canned response telling me thanks for the communication, it will be "assigned" to the appropriate whoever, have a nice day. The support ticket would be "closed" at that point and never escalated anywhere.

There is only one way to fix a problem like this.

If I had the email address of a C-title employee at Big Ass Company, then I could get the problem fixed. Not the CEO, because he doesn't care. But the CFO or CIO? Yes, I'd take either, because those guys would care. I'd send an email, say what's going on (politely, of course), they'd reply back, say thanks for emailing and take care of it. And they would. One email from them to the IT manager would get the problem fixed in under an hour since it would take top priority as the communication came down from "on high".

Since I don't have a C-title employee's email address, I do the next best thing, which is never click any link in an email at all, and read email in plain text only using a TUI mail client.
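
Examining a message's source for this by hand gets old, so here is an added example (not code from this post or from any company's template) that lists every http:// reference and HTML comment in the HTML part of a raw message. The sample message, its example.com addresses, the comment text, and the XHTML 1.0 DOCTYPE and namespace standing in for "that w3.org http:// thing" are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
# Constructed sample message (not a real email); example.com is a placeholder.
SAMPLE = '''\
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<a href="http://example.com/login">Sign in</a>
<a href="https://example.com/help">Help</a>
<img src="http://example.com/logo.png">
<!-- DO NOT EDIT WITHOUT TEAM REVIEW --></body></html>
'''

class InsecureRefFinder(HTMLParser):
    """Collect (kind, tag, value) for each http:// reference and each HTML comment."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_decl(self, decl):  # called for the <!DOCTYPE ...> line
        for url in re.findall(r'http://[^\s">]+', decl):
            self.findings.append(("declaration", "doctype", url))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue  # https:// and non-URL attributes are not reported
            if name.startswith("xmlns"):
                kind = "declaration"  # namespace name, same class as the DOCTYPE URL
            elif (tag, name) == ("a", "href"):
                kind = "link"         # followed only when the reader clicks it
            else:
                kind = "embed" if name in ("src", "background") else "other"
            self.findings.append((kind, tag, value))

    def handle_comment(self, data):
        self.findings.append(("comment", "", data.strip()))

def audit(raw_message):  # raw_message: full message source, headers included
    finder = InsecureRefFinder()
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())  # get_content() undoes base64/quoted-printable
    finder.close()
    return finder.findings
```

Calling `audit()` on a saved message source returns the findings in document order, so the comment sitting directly below an http:// link shows up right after it.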
