HTTP, HTTPS, Gmail, IE – INCONCEIVABLE!

It’s a new year and by now the holiday hangover should’ve subsided, leaving us all clear-headed, bright-eyed and bushy-tailed. A recent question from a colleague in the industry helped grease my cerebral wheels, which in turn led to an interesting discovery. Some of you may or may not know that IE 8 has added security. Yes, like the TSA you can expect your browser to pat down all of your communications. Normally this isn’t a big deal, but Gmail has started using Secure HTTP, or HTTPS, and this is leading to an unsavory notification for users of IE 8 who read their emails using Google’s free webmail service.

Before you start googling terms, let me explain…

We’re all familiar with the http that comes before the www or //. That’s a no-brainer, but when you see HTTPS that means that you’re using a secure layer to combat man-in-the-middle attacks and eavesdropping. This is a common feature of most e-commerce sites that want to protect customers against fraud and hacking.

Gmail has started to use HTTPS for reading email. Normally this is OK; however, IE has added more security layers that are taking umbrage with a common piece of content that 99.99999% of email marketers use: the tracking pixel. Most emails contain a tracking pixel or web beacon, and that image is referenced by a URL that most likely uses HTTP rather than HTTPS. Because the URL of the page is HTTPS, the browser assumes that everything in the email/web page being viewed should be secure, so it displays a warning to the user that the content is insecure.

Confused?

Now those of you with quick wits and sharp tongues might say: no problem, we’ll just use HTTPS for our tracking pixels and other images in our emails. Problem solved. Wrong! Gmail is unique in its use of HTTPS for reading email; every other webmail client defaults to HTTP, so you will start seeing IE and other browsers complain with warning messages when rendering email with pixels and images coming off an HTTPS server. Neither Yahoo! nor Hotmail uses HTTPS when customers log into their accounts to read email.

No easy fix… but…

There truly is no easy fix, as you’re sort of damned if you do, damned if you don’t. The only thing to do is to send HTTPS URLs to your Gmail population while everyone else gets images and tracking pixels with HTTP in the URLs. The overhead in maintaining this could be staggering, and then there’s reporting. However, if you’re convinced that your over-secured, over-notified and paranoid customer base is truly inhibited from clicking by this warning message, then setting up unique HTTPS templates for Gmail subscribers is probably a good idea. For the majority I think this is a minor annoyance that we will learn to live with, like a certain magical button back in 2004.
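As an added example (not part of the original post), here is a pre-send check for the HTTPS variant of a template: it lists every element that would make the browser fetch over plain HTTP once the message is rendered inside an HTTPS webmail page, which covers all images and not only the tracking pixel. The hostnames and sample markup are constructed, and the tag/attribute list is an assumption about what an email template typically uses.

```python
import re
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource while rendering.
# <a href> is left out on purpose: a link is navigation, not page content.
FETCH_ATTRS = {
    "img": ("src",), "input": ("src",), "script": ("src",),
    "iframe": ("src",), "embed": ("src",), "link": ("href",),
    "body": ("background",), "table": ("background",),
    "td": ("background",), "th": ("background",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(http://[^'\")\s]+)", re.I)

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            value = (value or "").strip()
            if name in FETCH_ATTRS.get(tag, ()) and value.lower().startswith("http://"):
                self.findings.append((line, tag, name, value))
            elif name == "style":  # inline CSS such as background-image
                for url in CSS_URL.findall(value):
                    self.findings.append((line, tag, "style", url))

def audit(html):
    """Return every plain-HTTP subresource reference found in the markup."""
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample template; hostnames are placeholders.
SAMPLE = """\
<html><body>
<table background="http://img.example.com/bg.gif"><tr>
<td style="background-image: url('http://img.example.com/cell.png')">
<a href="http://www.example.com/offer">See the offer</a>
<img src="https://img.example.com/hero.jpg" alt="hero">
</td></tr></table>
<img src="http://track.example.com/o.gif?m=123" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, url in audit(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```
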

Theoretically speaking…

I’d like to say that I stopped there in investigating this problem, but I began to think a little more deeply about what the potential ramifications were of this added security warning. My operating theory was that it really wasn’t going to affect that many users because most Gmail users wouldn’t use IE anyway; they’d most likely use Firefox, Chrome or some other browser.

After doing a little investigation on our MailboxIQ data, which tracks direct engagement by customers with email across a broad range of mailers, I’m left slightly baffled, surprised and scratching my head like Wallace Shawn: INCONCEIVABLE!

Gmail Across Different Browsers

I really was unprepared to see that nearly half of all Gmail users are using IE to read their email. If you had put a gun to my head I would’ve sworn that number should’ve been closer to 30-35%. But that’s not the end of the surprises. Firefox is less than 15% behind IE which means that the number two browser in the world has really closed the gap as the difference used to be larger. Safari trails Chrome which means that given enough time we may see a three horse race in the next few years.

If there’s another learning for digital marketers, it’s that there’s plenty of variety in the email reading marketplace and that you should test not only across email clients but browsers too. Make sure you’re aware of the nuances involved in coding email and getting it to render similarly in our increasingly complex multi-channel marketplace.

Cheers!
-Len Shneyder
IBM | Unica | Pivotal Veracity

  • http://www.emailvendorselection.com Jordie van Rijn

    Nice post Len and describing a true concern. As far as security settings go, the same also applies to normal images in email.

    But the most frustrating thing is that the tracking pixel in most cases is added by the ESP’s email tool after you have created and merged your message. Will we see an extra option in the campaign dashboard “set gmail pixels to https”?

  • http://robinteractive.wordpress.com robinteractive

    I blogged about this issue going on a year ago:

    http://robinteractive.wordpress.com/2010/02/24/google-poisoning-email-marketing/

    IE6 and IE7 also throw up warnings, but it is the change in encouraged action that came to pass in IE8 that really started causing the bigger problems for e-mail marketers. The IE8 dialog box is socially engineered to discourage people from displaying secure and non-secure content.

    By the way, this issue isn’t limited to Gmail. Hosted Microsoft e-mail is often (always? not sure, but has been https when I’ve seen it at colleges using Live@Edu), as well. I’ve come across other Webmail offerings that are https, albeit with relatively small marketshares.

    If you make the images secure, the problem WILL go away, at least that’s what I found when I wrote my blog post. However, simply changing the tracking pixel to https doesn’t work if you don’t also serve other images in the e-mail from https ;)

  • http://mannyju.blogspot.com/ Manny Ju

    Thanks for your highly informative post, Len.

    There are concerns among email marketers that this warning message may be misconstrued as something damaging to their brand reputation. I trust after reading this article, they will feel a bit better.

    There remains, however, the valid concern among other email marketers that Gmail subscribers using IE who choose the “Yes” option will be under-reported if all they do is open the email but not click any links therein. Your MailboxIQ analysis helps us determine the potential impact of this event.

    Thanks again for a well-written post.

    Cheers!

  • Steve B

    Of course it’s not like Google plays well with others, so a crappy user experience is not a big surprise.

    Info into Google is a black hole.

    No FBLs, no collaboration at all.

    As marketers you should count yourselves lucky if Gmail users see your message at all.

  • http://www.idonny.com Donny Nyamweya

    This article takes the perspective of the Web/Email Marketing practitioner and his/her interest in reaching as many people and tracking the activity with as little pain as possible. In the interest of security, I laud Google for the pioneering step of implementing HTTPS. Someone must do it first and there is bound to be some inconvenience for many users in this initial stage of things, but with time we will be thankful once HTTPS communication becomes the norm.

    History:
    HTTPS is a clearly better option relative to HTTP. The reason we did not abandon HTTP in the first place is because HTTPS requires a performance overhead to encrypt and decrypt data on the server. This used to be an issue when processors were weaker, but in our time, the processors that come with almost all average Web Servers can send information over SSL/HTTPS without significant loss in speed and overall performance.

    As free internet becomes pervasive, so does the risk of break-in and “man in the middle” exposure of content to the wrong eyes. We must take that problem seriously and understand the benefits of using HTTPS at all times. For me, for Yahoo and MSN not to have HTTPS for email reading is a deal-breaker and that makes Gmail and Google Premium an easy and obvious choice.

    We must not forget that most/all serious companies require employees to use VPN to access resources and email when away from the corporate LAN, so anyone happy about not having to read email in a secure channel is asking for trouble. So we should work towards making SSL the norm and maybe pushing the tracking pixel only over HTTPS to force the non-secure readers to grow up and take security seriously – but then again, marketers want to access user eye-balls, not to conduct revolutions.

  • http://www.twitter.com/robinteractive robinteractive

    I agree with Donny. I applaud Google’s now-default https setting for Gmail. (Prior to that it had been an option that could be enabled under settings.) It is more secure, and that is a plus.

    It is worth noting, however, that warning of non-secure images being delivered on an https page is very strong in Microsoft’s IE, and very weak in Google’s own Chrome browser. Microsoft has had such a warning dating back to at least IE6, which is approaching ten years old.

    A conspiracy theorist might suggest Google keeps the warning weak in Chrome precisely because it would greatly impact those using Gmail in their own Chrome browser. A conspiracy theorist might further suggest Google is making Microsoft look bad in the process as folks check Gmail in IE and get the warning about secure/non-secure content. My guess is that it was a happy coincidence, but I tend toward optimism.

    I know of a few people that switched away from IE precisely because of the Gmail warnings. Ironic, given that IE is warning about a security issue.

    As Donny suggested, there is some shift toward https in Webmail by Google and others. I wonder if the warnings in future versions of IE will become more obscure (and less secure) to accommodate this in the name of maintaining browser marketshare.

    As an aside, I have screenshots of some of the browser warnings on my blog post about Gmail, images, and e-mail marketing: http://robinteractive.wordpress.com/2010/02/24/google-poisoning-email-marketing/