‘Not Secure’ notice in BT Mail

The ‘Not Secure’ notice you sometimes see in BT Mail is what website developers call a mixed content warning. Ideally, every part of a web page should be delivered via HTTPS, meaning it can’t be intercepted or modified along the way—no matter how unlikely this actually is for a given Internet connection (for example, it may be less likely at home than on public Wi-Fi).

Email presents a challenge because messages sent by companies typically contain graphics to make them prettier and more like websites. For example, Amazon includes its logo in its ‘order confirmation’ emails. Many such graphics are delivered via plain HTTP, and browsers like Chrome, Edge, Firefox and Safari alert you to this discrepancy: you’ve got a website that’s doing its best to be transmitted securely (BT Mail) and yet something added to this particular page is arriving insecurely, relatively speaking.

Ideally, every company sending email would deliver graphics via HTTPS. But pragmatically speaking, as security concerns go, it’s not a top priority. So, you may see the Not Secure notice first appear when you open a message with third-party graphics, and it’s normal for it to persist for the rest of the session, even while you view other messages without such graphics. In current versions of Chrome and Edge it carries an ‘i’ (information) icon, rather than the red warning triangle, to reflect its less serious nature. So, as security warnings go, this one in BT Mail is one you can, on balance, safely ignore.

Why don’t we see the Not Secure notice in big-name webmail providers like Gmail and Hotmail? They deliver email graphics via a proxy server. Behind the scenes, the companies emailing you are still serving ‘insecure’ graphics, but your browser doesn’t notify you because the last leg of their journey to your computer is made via the proxy which uses HTTPS regardless. Ideally, BT Mail should implement a proxy too—if only to stop people worrying about the Not Secure notice.
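To make the proxy idea concrete, here is an added sketch (not BT's, Gmail's or Hotmail's code) of how a webmail service could rewrite plain-HTTP image links in a message so the browser only ever fetches them over HTTPS. The proxy address, the signing key and the `sig`/`url` parameter names are assumptions made for illustration; the signature is there so the proxy only fetches links that the mail service itself produced.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

PROXY = "https://imgproxy.example/fetch"  # hypothetical proxy endpoint
KEY = b"constructed-demo-key"             # constructed; a real key stays server-side

def proxied(url):
    # Sign the original URL so the proxy can refuse links it did not issue.
    sig = hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{PROXY}?sig={sig}&url={quote(url, safe='')}"

class Rewriter(HTMLParser):
    """Re-emits the message, pointing http:// <img> sources at the proxy."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.insecure = [], []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if tag == "img" and name == "src" and value and value.lower().startswith("http://"):
                self.insecure.append(value)   # this is what triggers 'Not Secure'
                value = proxied(value)
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # <img .../> is emitted as <img ...>

    # Everything else passes through unchanged.
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")

def rewrite(html):
    """Return (rewritten_html, list_of_insecure_image_urls_found)."""
    parser = Rewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.insecure

# Constructed sample message body: one plain-HTTP logo, one HTTPS banner.
SAMPLE = ('<p>Your order has shipped &amp; is on its way.</p>'
          '<img src="http://shop.example/logo.png" alt="logo">'
          '<img src="https://shop.example/banner.png">')
if __name__ == "__main__":
    print(rewrite(SAMPLE))
```

Only the plain-HTTP logo is redirected through the proxy; the banner that was already served over HTTPS is left alone.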