eBilling News: HTML5 is the devil

Thursday, November 28, 2013

HTML5 is the devil

Don't get me wrong, I'm super excited about the potential and possibilities of HTML5 - I'm just not sure if we are ready to use it to send secure documents by email.

Phishing, malware, weak ciphers and limited payloads are all serious concerns regarding the use of HTML5 as it stands today - where using HTML5 as the carrier requires sending an HTML attachment.

HTML was used as a secure envelope for document delivery in the early days - this required Java script enabled browsers, which meant it didn't work for everyone and caused many frustrations.

The algorithms used in the encryption process were specifically chosen for their tiny footprint - rather than strength of security.

The industry quickly moved on...

Proprietary security envelopes were required to meet the banking level security requirements, (the Striata Reader is a perfect example of this technology).

The problem is this involves a once-off download that acts as a perceived inhibitor to customer adoption. In certain industries however, the extra security levels and configuration options are worth the extra customer experience requirement.

Sending encrypted documents by email quickly became standard at the point where Adobe PDF provided 256 bit AES encryption. Most consumers have the Adobe Reader installed on their devices (think desktops, laptops, tablets and smart phones) which means that the encrypted PDFdocuments can be read on multiple devices without requiring different versions.

Bring on HTML5...

Bring on the Phishers...

Sending HTML attachments has been strictly avoided due to the twin evils of malware and phishing. HTML files can hide the true nature of their payload within a legitimate looking process. Most customers won't be able to tell the difference before it's too late.

Banks currently accept that sending a PDF is a secure process (Digitally signed and DMARC authenticated). Encouraging the use of HTML5 documents however will be a bridge too far for quite some time.

RED ALERT - Java script injections and malware

HTML5 enables dynamic statements with interactive elements, graphs and sorting (you can do most of these things in Flash in PDF anyway). I can see the value of HTML5 statements that are behind an Internet Banking firewall and login, but not when sent to the customer as an attachment - I see this almost as bad as sending a link to a customer, asking them to login.

RED ALERT - Phishing

Is there any value in HTML5?

The real value of HTML5 will be evident when you can embed this in a safe and secure envelope such as PDF or EMC.

You will need the sandbox ability of a proprietary program such as the Adobe Reader for PDF or the Striata Reader for EMC. The fact that these options are available across multiple devices means that 'send once and view multiple times' is a simple process.

That’s our stance, happy to open the debate!

Mike Wright
striata.com

No comments:

Post a Comment

About Striata

Striata’s Secure eDocument Delivery and Email Bill Presentment & Payment (EBPP) are solution sets that deliver a rapid reduction in operational costs, quicker payments and an enhanced customer experience.

Striata revolutionizes the way bills, statements, policies, collection notices, letters, paystubs and other high volume system-generated documents are delivered and paid. Registration requirements are eliminated by emailing feature rich, interactive, encrypted documents directly to the inbox and enabling innovative 1-click electronic payment from within the document itself.

Direct email delivery of bills and statements dramatically increases customer adoption of electronic documents, paper turn off and ePayments. This enables Striata’s clients to achieve rapid ROI; complement their existing self-service and e-communication strategies; significantly reduce paper output and to meet
their carbon footprint/environmental impact targets.

As a leading international provider of electronic messaging since 1999 with more than 200 blue chip customers, Striata has operations in New York, London, Sydney, Johannesburg, Hong Kong and partners in North, Central & South America, Europe and Asia Pacific.