Special note for Ubuntu users

Breakfast Bytes podcasts are streaming MP3. In order for Firefox on Ubuntu to play the streaming MP3, install the GStreamer extra plugins that list MP3 as one of the supported formats. GStreamer can be obtained through the Ubuntu Software Center.

Breakfast Bytes - HTML Email Signatures

9/2/2016

HTML-Based Email Signatures, Facebook Creepiness, SSA MFA

Embedded graphics in email signatures are problematic, Facebook gets creepier, and the Social Security Administration backtracks on MFA.

MP3 - HTML-Based Email Signatures, Facebook Creepiness, SSA MFA

Email signatures and embedded graphics

  • Signatures should have an HTML version and a text-based version.

  • HTML signatures will not show on most mobile devices.

  • Embed HTML code as the signature of the email, with the graphic loaded from a URL on your website.

  • There are ways to build an HTML signature with ALT text, so that when a client that cannot render HTML (as many email apps on mobile devices cannot) strips the HTML code, the ALT text is displayed instead.

If you put the graphic itself right into the signature of the email, you can trigger a lot of problems.

  • Anyone with an automatic rule for HIPAA encryption compliance, such as "if the message has an image in it, encrypt it": if they reply to you and your signature had graphics embedded in it, you will be getting encrypted emails back from them, and it is your own fault.

  • You are consuming a lot of extra space in your mailbox, and in everyone else's, through the use of embedded graphics. Many people view this as really disrespectful: if your email signature consumes extra space in their mailbox, more of their precious time has to be wasted managing space consumption. They may just delete your emails as a result.

  • If the graphical parts of your signature come from a consistent content set hosted on your website, your email recipients will always get the content you want them to have, without issues. The content must come from your website, and it is preferable for it to be delivered over HTTPS, to avoid mixed-content or insecure-content load failures in browsers.

Browsers are now blocking any content that is delivered insecurely. Insecurely means not over HTTPS from an appropriately validated URL/certificate combination, such as an EV (extended validation) domain.
Some browsers are also throwing warnings for anything that uses what they deem to be non-modern cryptography, such as SHA-1, which has been deprecated.

This has implications for anyone who has certificates. You may want to go back to your CA (certificate authority) and have them tie the chain of trust for your certificate to their SHA-2 trusted root certificate authority. You will, of course, have to reissue and reinstall certificates, but this is becoming necessary in order to avoid browser warning messages that give your visitors the perception that your content is not secure, because the browser warns against the use of non-modern cryptography.
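To make the distinction above concrete, here is a small added Python checker (not code from the Breakfast Bytes page or Quality Plus Consulting) that parses a message and separates signature graphics embedded as MIME parts or cid:/data: references from graphics loaded over http:// or https://, and mimics the "if it has an image, encrypt it" rule from the first bullet. It uses only the standard library; both messages are constructed samples.

```python
# Added example, not code from the Breakfast Bytes page; stdlib only, constructed samples.
import re
from email import message_from_string
IMG_SRC = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)', re.IGNORECASE)

def classify_images(raw):
    """Count how <img> tags in the HTML part load graphics: embedded (cid:/data:,
    bytes travel in every copy and trip 'contains an image' rules), insecure
    (plain http://, flagged as mixed content) or hosted (https:// on your site)."""
    counts = {"embedded": 0, "insecure": 0, "hosted": 0, "image_parts": 0}
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            counts["image_parts"] += 1  # graphic attached as a MIME part
        elif ctype == "text/html":
            html = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8")
            for src in IMG_SRC.findall(html):
                s = src.strip().lower()
                if s.startswith(("cid:", "data:")):
                    counts["embedded"] += 1
                elif s.startswith("http://"):
                    counts["insecure"] += 1
                elif s.startswith("https://"):
                    counts["hosted"] += 1
    return counts

def trips_image_rule(raw):
    """Mimic an 'if it contains an image then encrypt' mail-flow rule."""
    return any(classify_images(raw)[k] for k in ("image_parts", "embedded"))

EMBEDDED = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Alice</p><img src="cid:logo@example.com" alt="Example Co">
--b1
Content-Type: image/png
Content-ID: <logo@example.com>

iVBORw0KGgo=
--b1--
"""
HOSTED = """\
Content-Type: text/html; charset="utf-8"

<p>Alice</p><img src="https://www.example.com/sig/logo.png" alt="Example Co"><img src='http://www.example.com/sig/badge.png' alt="Badge">
"""
```

Running `classify_images` over the two samples shows the embedded message tripping the image rule while the hosted one does not, and the hosted one still flags its one http:// graphic as mixed content.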

SSA Multi-Factor Authentication

So after I lauded the SSA for implementing MFA, they ripped out the requirement due to backlash. Not everyone has an SMS-enabled telephone, and putting that information in there really opens up some problems for people, given that virtually no one can manage to lock down their databases of PII from compromise and exploitation.

What I find absolutely idiotic is that someone from the SSA could not manage to come up with the idea of calling over to NIST, Microsoft, or Google and getting some tips on how to implement the OPEN SOURCE multifactor authentication enrollment that is already supported for free nearly everywhere, using either the Microsoft authenticator or the Google authenticator.
SSA could have easily implemented that as an option, or contracted with Microsoft for PhoneFactor.
The way this stuff is typically done is a multi-enrollment option. You can enroll to receive a phone call on a phone line, which will obviously work for things that are not SMS-enabled. You can use an authenticator app. Or you could receive an SMS message. Or you can enroll all three as options. This is extremely commonplace these days, so I am really disappointed that SSA could not be bothered to call NIST, Microsoft, or Google and get this figured out.
Instead, their reaction was to literally remove the requirement for MFA.

Creepy Facebook

If you or anyone you know uses Facebook, you need to read this article.

Facebook Just Got a Whole Lot Creepier