Secured Web Pages in Email Standard

Purpose

This standard defines a best practice for web developers at Purdue who wish to include links to authenticated web pages in email or newsletters.

Brief Description

When an email message or newsletter links directly to an authenticated web page, the recipient who clicks the link is often surprised to be met with a login prompt. An unexpected credential prompt behind an emailed link is exactly the pattern phishing messages use, so users who have been trained not to enter their credentials in that situation will never reach the intended pages. Other recipients may not know which credentials are being requested and will either guess or give up without viewing the pages. This standard describes practices that web developers at Purdue, as well as email and newsletter authors, should follow when they need to send links to secured pages.

Details

HTML formatted email has become increasingly common. It is used for everyday email as well as for electronic newsletters. At times, the author of these communications will want to provide a link to a page or document where the recipient can get more information, view the full article, or review a document that is not suited to email distribution. However, when the link points to an authenticated resource, the recipient is presented with a request for login credentials, generally without any preamble advising them what to expect or which credentials are required. Because of their security awareness training, cautious recipients may decline to enter their credentials rather than risk falling for a phishing attack, while others may be confused about which credentials are being requested and why.

To combat these problems, web developers are encouraged to provide so-called landing pages on their site that collect the links to the secured pages and documents referenced in the email or newsletter. The landing page itself must not require any authentication, and it should be the only page linked from the email or newsletter. The recipient can then click the link in the email and be presented with a well-designed, Purdue-themed page on a purdue.edu host, as they would expect. If this page is also served over SSL/TLS with a valid certificate, the recipient has additional confidence that it is a legitimate Purdue page. The landing page can then advise the user that the remaining links on the page require authentication and which credentials should be used (for example, Purdue Career Account).
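The practice above is easiest to enforce before a newsletter goes out: fetch every link in the message without credentials and flag any that answer with a login challenge, redirect to a login page, or are not served over HTTPS. The following Python check is an added example and not part of the original standard; the hostnames, paths, login-path patterns and the simulated site responses are all constructed for illustration.

```python
"""Pre-send audit of newsletter links: does an anonymous visitor get a login
prompt, or an unencrypted page, when opening each link? Added example with
constructed data; not Purdue code. Replace `fake_fetch` with a real HTTP
client (for example urllib or requests) that sends no cookies or credentials."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status, headers, body."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Path fragments that usually identify an SSO or login endpoint. This list is
# a hypothetical starting point; add the login URLs used by your own site.
LOGIN_PATH_RE = re.compile(r"/(login|signin|cas|saml|idp|auth)(/|$)", re.I)
# A 200 response that carries a password field is itself a login page.
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type=[\"']?password", re.I)
HREF_RE = re.compile(r"href=[\"']([^\"']+)[\"']", re.I)


def demands_login(url: str, fetch: Callable[[str], Response],
                  max_redirects: int = 5) -> Tuple[bool, str]:
    """Fetch `url` anonymously, following redirects, and report whether the
    recipient would be challenged for credentials and why."""
    current = url
    for _ in range(max_redirects + 1):
        resp = fetch(current)
        if resp.status in (401, 407) or "WWW-Authenticate" in resp.headers:
            return True, f"HTTP {resp.status} challenge"
        if resp.status in (301, 302, 303, 307, 308):
            target = urljoin(current, resp.headers.get("Location", ""))
            if LOGIN_PATH_RE.search(urlparse(target).path):
                return True, f"redirects to {target}"
            current = target
            continue
        if resp.status == 200 and PASSWORD_FIELD_RE.search(resp.body):
            return True, "serves a password form"
        return False, f"HTTP {resp.status}"
    return True, "redirect loop (treated as unsafe)"


def audit_links(html: str, fetch: Callable[[str], Response]) -> List[dict]:
    """Return one finding per distinct http(s) link in the email body."""
    findings = []
    for url in dict.fromkeys(HREF_RE.findall(html)):  # dedupe, keep order
        if urlparse(url).scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are not web pages
        problems = []
        if urlparse(url).scheme != "https":
            problems.append("not served over HTTPS")
        needs_login, reason = demands_login(url, fetch)
        if needs_login:
            problems.append(f"requires login when opened from the email ({reason})")
        findings.append({"url": url, "problems": problems})
    return findings


# Constructed responses standing in for a campus web site (not real hosts).
FAKE_SITE = {
    "https://www.example.edu/newsletter/spring": Response(200, body="<h1>Spring</h1>"),
    "https://www.example.edu/hr/benefits.pdf":
        Response(302, {"Location": "/cas/login?service=benefits"}),
    "https://intranet.example.edu/report":
        Response(401, {"WWW-Authenticate": 'Basic realm="staff"'}),
    "http://www.example.edu/events": Response(200, body="<p>Events</p>"),
    "https://portal.example.edu/":
        Response(200, body='<form><input type="password" name="pw"></form>'),
}


def fake_fetch(url: str) -> Response:
    return FAKE_SITE.get(url, Response(404))


# Constructed newsletter body used as sample input.
SAMPLE_EMAIL = """
<p>Read the <a href="https://www.example.edu/newsletter/spring">newsletter</a>.</p>
<p>Benefits <a href="https://www.example.edu/hr/benefits.pdf">summary</a>.</p>
<p>Staff <a href="https://intranet.example.edu/report">report</a>.</p>
<p><a href="http://www.example.edu/events">Events</a> calendar.</p>
<p>Portal: <a href="https://portal.example.edu/">sign in</a>.</p>
<p>Questions? <a href="mailto:news@example.edu">Write to us</a>.</p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, fake_fetch):
        status = "OK" if not finding["problems"] else "; ".join(finding["problems"])
        print(f"{finding['url']}: {status}")
```

Every flagged link is a candidate for replacement by a single link to an unauthenticated landing page; the only link in the constructed sample that passes unchanged is the public newsletter page itself. A real client must be configured to send no cookies or cached credentials, otherwise the check will see the pages as the author sees them rather than as the recipient will.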

If a landing page is not possible for some reason, the next best choice is to state in the text of the email, immediately before the link to the authenticated document, that the document requires a login to view and which credentials will be required. This is not ideal, since some phishing messages mimic exactly this wording and some recipients will therefore still refuse to click the link. Nevertheless, it at least removes the surprise and confusion for those recipients who do choose to click.