Securing Your Image

Posted by William Kammersell 

You put a lot into picking the best images for your email creative. You make sure they look great in mobile and desktop client layouts. You even include a tracking pixel to gain valuable insight into how subscribers engage with your email.

Your subscriber opens your email, and sees a browser warning icon in the address bar. They click the icon and see this:


Browser warning for Yahoo! Mail in Firefox

Or this:


Browser warning for Yahoo! Mail in Chrome

Why are your subscribers getting security warnings from viewing your email?! The reason is that, although you picked a great image and tracking pixel, you delivered them over an insecure connection using HTTP instead of HTTPS.

This browser warning is due to mixed passive content. Mixed passive content is when a secure website using HTTPS loads an insecure resource, such as an image, using HTTP. The subscriber’s browser is telling them that, although they think they’re using a secure website, the page is not fully secure because some of its data was loaded insecurely. Malicious third parties could therefore view the image and even modify it.

More and more ISPs are defaulting users to secure web access, including Yahoo! Mail and Outlook.com. As these webmail clients are HTTPS sites, any rendered email using HTTP images will trigger the mixed passive content browser warning. Furthermore, these ISPs will not tell your tracking pixel details about the subscriber, as they do not trust your insecure image server. Yahoo! and Outlook.com will tell your tracking pixel that it was requested, but provide no specifics that can tell you that Yahoo! or Outlook.com was used by your subscriber.

So there are three large downsides to using HTTP images and tracking pixels:

  1. Malicious third parties can intercept and modify your images.
  2. Subscribers may see browser security warnings.
  3. You receive little information from your tracking pixel.

Return Path’s Email Client Monitor helps you avoid these issues by providing a secure HTTPS tracking pixel to each and every Return Path customer. Email Client Monitor offers powerful custom tagging combined with a secure pixel to ensure you know which subscribers are using specific email clients. Starting this week we are defaulting new Email Client Monitor customers to secure HTTPS tracking pixels. If you are an existing Email Client Monitor customer, we suggest you switch to the secure HTTPS tracking pixel as well. All you need to do is switch ‘http’ to ‘https’ in your tracking pixel URL.

If you are using insecure HTTP images for your email creative, consider looking into secured HTTPS images as well. There are many misconceptions about HTTPS, so we recommend investigating it with an open mind. The industry as a whole is valuing security, as shown by Google giving preference to HTTPS sites in search rankings, so moving to HTTPS will reap many rewards for you beyond email.
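One way to audit an email creative for the HTTP images and tracking pixels described above before sending. This is an added example, not Return Path code; the hostnames and sample markup are constructed, and the set of attributes checked is an assumption about where email HTML usually references images.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that make a mail client fetch an image (assumed set).
IMAGE_ATTRS = {("img", "src"), ("body", "background"),
               ("table", "background"), ("td", "background")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)


class InsecureImageFinder(HTMLParser):
    """Collect image references that would be fetched over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def _check(self, tag, attr, url):
        url = url.strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, attr, url))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name == "srcset":
                # srcset is a comma-separated list of "url descriptor" pairs.
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self._check(tag, name, parts[0])
            elif name == "style":
                # Inline CSS such as background-image: url(...)
                for url in CSS_URL.findall(value):
                    self._check(tag, name, url)
            elif (tag, name) in IMAGE_ATTRS:
                self._check(tag, name, value)


def find_insecure_images(html):
    """Return (line, tag, attribute, url) for every HTTP image reference."""
    finder = InsecureImageFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample creative: three HTTP images, one HTTP tracking pixel,
# one HTTPS image, and an HTTP link (links are navigation, not mixed content).
SAMPLE_EMAIL = """<html><body background="http://img.example.com/bg.png">
<table><tr><td style="background-image: url('http://img.example.com/hero.jpg')">
<img src="https://img.example.com/logo.png" alt="logo">
<img src="http://img.example.com/banner.png" alt="banner">
<a href="http://www.example.com/offer">Offer</a>
<img src="HTTP://pixel.example.com/open.gif?id=123" width="1" height="1">
</td></tr></table></body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_images(SAMPLE_EMAIL):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Each finding is a URL to move to an HTTPS image host; the plain `href` link and the HTTPS logo are deliberately not reported.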


About William Kammersell

William Kammersell is a Product Manager at Return Path, focusing on campaign planning and delivery tools. He loves hearing customer feedback to learn how to turn email marketers into heroes. His former experience as a software developer and scrum master ensures he can then convert that knowledge into solutions with the development team that are a treat to use.
