Note: The information provided here is for Marketo SSL for Landing Pages and Marketo SSL for Tracking Links only.
For information on Marketo’s new Secured Domains for Landing Pages, please see: Overview & FAQ: Secured Domains for Landing Pages.
About the Secure Landing Pages and Tracking Links
1. What is TLS/SSL?
TLS (Transport Layer Security) and its predecessor, SSL (Secure Sockets Layer), are security protocols for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private.
2. What are Secured Landing Pages and why do I need them?
Secured Landing Pages are those that have been secured using an TLS/SSL so that requests to the site are made via HTTPS (HyperText Transfer Protocol Secure) instead of HTTP (HyperText Transfer Protocol). This encrypts the data exchange and provides authentication to ensure that communication are happening only between the intended parties.
By default, web forms and landing pages that are hosted by Marketo send information over non-secured protocol (HTTP). The Marketo SSL for Landing Pages service secures your Marketo Landing Pages so requests are served by HTTPS instead (using an TLS/SSL certificate that you provide).
Why securing landing pages for your Marketo instance is important:
Beginning in October 2017 with the release of Chrome 62, Google Chrome will mark all unsecured web pages containing forms with the “Not secure” warning, including Marketo landing pages with forms. This change affects all web pages globally, not just Marketo landing pages. More information.
3. What are Secured Tracking Links and why do I need them?
Marketo shortens the URLs of links that you insert into emails using the "Branded Tracking Link" domain. This is another CNAME that you set up and enter into Marketo under Admin--> Email.
By default, Marketo email tracking links are served over HTTP. The Marketo SSL for Tracking Links service secures the email tracking links in your Marketo emails via HTTPS instead (using an TLS/SSL certificate that you provide) so they will be served securely and encrypted.
4. Do I need to secure both my landing pages and tracking links?
Your company’s security policy will determine your encryption requirements. You may choose to secure your landing pages and email tracking links, or to only secure your landing pages. It is not advised to secure email tracking links only. Securing only tracking links will result in warning messages that you are about to visit an unsecure site when the secure email tracking link is clicked redirecting to an unsecured page.
5. Who should I contact if I have more questions?
Please contact your Marketo Customer Success Manager or Account Executive.
About Marketo TLS/SSL Encryption
6. What encryption products does Marketo offer?
Marketo offers two secured services products:
1. Marketo SSL for Landing Pages
- This service provisions a secure landing page server with the certificate that you provide us so your pages will be served over HTTPS.
- Marketo does not provide the TLS/SSL certificate. You must purchase this from a TLS/SSL vendor and provide it to Marketo.
- Subsequent certificate reapplications are covered with your SSL for Landing Pages service (subject to change). Please contact Marketo Support to process these updated certificates.
2. Marketo SSL for Tracking Links
- This service provisions secured tracking links with the certificate that you provide us so your tracking links will be served over HTTPS.
- Clients with “Multiple Branded Tracking Domains” must use a SAN certificate (not multiple TLS/SSL certificates).
- Marketo does not provide the TLS/SSL Certificate. You must purchase this from a TLS/SSL vendor and provide it to Marketo.
- Subsequent certificate reapplications are covered with your active Secured Tracking Links service (subject to change). Please contact Marketo Support to process these updated certificates.
- Though you may not see the link displayed with HTTPS, once secured, the link will leverage TLS/SSL security protocols over HTTPS.
TLS/SSL service initial provisioning, ongoing certificate renewals, processes and product structure are subject to change.
7. Why does Marketo charge for these services?
To enable secured connections, Marketo sets up and maintains a secure server(s) for each instance. Provisioning or altering a dedicated secure server requires a dedicated IP and takes time to implement on our load balancer servers. This work is done by one or several of our network engineers.
8. Are Secured Landing Pages or Secured Tracking Links included in my subscription?
Marketo does not include the SSL for Landing Pages or SSL for Tracking Links secured services in Marketo subscriptions. Both services are optional and available to be purchased separately.
9. How do I budget for TLS/SSL Provisions?
Please contact your Marketo Account Manager or Customer Success Manager to purchase the SSL for Landing Pages and/or SSL for Tracking Links secured services.
Please note, these services require you to provide a TLS/SSL Certificate. We recommend that you purchase Certificate(s) for a minimum of two years. You will need to budget for ongoing Certificate renewal cost based on the duration of the certificate your purchase.
10. How do I determine how many TLS/SSL packages I will need?
Marketo secured services are applied to each instance individually. Here are some common examples:
- 1 Secured Service product = info.mydomain.com certificate for one Marketo instance
- 2 Secured Service products = two certificates for two Marketo instances.
- 1 Secured Service product = multiple domains bundled under a SAN certificate for one Marketo instance
Please contact your Customer Success Manager or Account Executive for additional assistance with how many certificates and packages are needed.
11. Can I make changes to my TLS/SSL certificate and is there a fee?
You can make changes or updates at the time of certificate renewal at no additional charge (such as additional CNAMEs, removing CNAMEs, adding domains, etc.). Changes outside certificate renewal may require a fee.
12. What do I need to provide Marketo to enable secure pages and links?
You will need to provide a secure certificate and private key to Marketo. If you need to secure multiple domains, please provide a wildcard certificate for multiple subdomains (*.company.com) or a SAN Certificate (also called UCC certificate). With a SAN certificate, you can include multiple domains in a single certificate (must cover full domains, wildcards can’t be used).
13. Which Secure Certificate Provider vendor does Marketo recommend?
Marketo does not recommend any single provider, but the following TLS/SSL providers are commonly used:
- Network Solutions
These certificates are recognized by most web browsers. Certain premium certificates will also show the name in the URL bar (usually in a green bar). These are more expensive and it will take more time to issue those because the TLS/SSL vendor will do more background checks before issuing such a certificate.
Note: Starting with Chrome 66, Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released to Chrome Beta users on March 15, 2018 and to Chrome Stable users around April 17, 2018. More information is available from the Google Security Blog.
14. What is the recommended certificate duration/term?
Marketo recommends using TLS/SSL certificates that are valid for at least 2 years. If you anticipate a domain name change in the near future, a shorter term may be selected.
15. Is a private key always needed?
Yes, a private key is required for every certificate. We will need this to provision a secured server for you on our load balancers.
16. Where can I find more information on procuring SSL Certificates?
Please see our post: FAQ: TLS/SSL Certificates for Secured Landing Pages & Tracking Links
About the Go-Live Process
17. Can secured landing pages and non-secured landing pages co-exist in one instance?
TLS/SSL is applied to all Marketo landing pages and cannot be applied selectively. It is an all-or-nothing activity that replaces the default non-secure server with a secure server for your instance.
18. What are the cut-over steps and downtime required for Secured Landing Pages?
Steps taken during the change window
- Marketo will verify the new DNS values in our network.
- Marketo will update database and Marketo application settings to allow TLS/SSL conversion for landing pages.
- You will verify the new landing pages, send and verify test emails, and confirm that the conversion is completed.
Switching landing pages to TLS/SSL may cause brief availability issues while in transition. As example, when DNS information is modified to point to an TLS/SSL address but landing pages are not yet converted.
To minimize the impact of the change
- Marketo and your technical personnel must agree on specific date and time for the change window.
- You should not run campaigns around the change window.
19. What do you need to do before/after go-live?
Next, you’ll need to ready the landing pages in your instance for the conversion to HTTPS. Below is a list of steps to review, update and reapprove your landing pages:
- Unapprove and re-approve all landing pages. This can be done in bulk in the Landing Pages section of Design Studio by selecting a group of pages for unapprove and re-approve via the “Landing Page Actions” menu. If you have a developer, they can use Marketo’s API to unapproved/reapprove landing pages (see Landing Pages: Landing Page Controller section of our developer site).
- If you use Marketo Forms 1.0 on a non-Marketo webpage, you will need to update the post URL to HTTPS (Forms 2.0 does not need to be updated).
- If you include a Marketo landing page on a secure website using an iframe, you will need update the HTML to load the secure version of the landing page, otherwise the end user will get a security warning.
- If you use a Marketo Form on a non-Marketo page, you will need to update the follow-up URL to HTTPS if you’ve explicitly referenced a HTTP page.
- If you do a server-side post to a Marketo Form and use your CNAME as the Post URL, you also need to change that to HTTPS. Please note that server-side form posts are not supported and you should make a Marketo form submission in the background instead.
Once you’ve completed the steps above, Marketo Professional Services will coordinate the cutover process with you. To help ensure a smooth transition, we’ll work with you to plan a time when you have few or no upcoming batch campaigns running, and also a time when your team is available, if needed, to make a few updates in your Marketo instance.
RECOMMENDATION: After the cutover you may notice that your images are not displayed in the email editor or preview mode. Rest assured your emails will send correctly and the images will render for the recipients of your emails. To be sure that you can see the images in Marketo, you must adjust the image URLs from HTTP to HTTPS in the editor. Again, whether you take this step or not, the images will render properly for your email recipients. In the example below, you would adjust the HTTP to HTTPS.
20. Are there scripts to change all these links quickly?
You can engage Marketo Professional Services for a quote to help you with a cut over plan and assist you with building scripts to help with these change over activities.
21. Is there any advantage doing this in a sandbox before doing this in production?
Marketo sandbox and production are different configurations. One change to another server does not guarantee the other instance will be similar.
22. What if I still want to do this in a sandbox?
You can purchase SSL for Landing Pages for your sandbox and provide a certificate to create a secure landing page server for this. Please note, you may need separate domain names and certificates to avoid domain name collisions in the sandbox and production configurations.
23. What happens when a someone visits the HTTP:// (non-secure) landing page post cutover?
About Marketo’s Process
24. What is the process for setting up secured servers and why does it take up to 3 weeks?
Provisioning or altering a dedicated server takes time to implement on our load balancer servers. This work is done by one or several of our network engineers. We ask for 3 weeks to ensure that we can set a schedule with you and coordinate the time with our operations’ schedule that will minimize risk and the probability of errors. When setting up or altering a certificate, Marketo must perform some or all of the following tasks:
- Assign a new IP address for your secure server
- Install or confirm configure a new load balancer
- Reconfigure the internal DNS
- Install the certificate
25. Can Marketo install more than one certificate?
With our server architecture, it is not possible to install more than one certificate. If you need to secure multiple domains, please provide us with a wildcard certificate for multiple subdomains (*.company.com) or a SAN Certificate (also called UCC certificate). With a SAN certificate, there can be multiple domains in a single certificate (they need to be full domain names, wildcards can’t be used).
26. Do secure landing pages affect the CNAME for branded email tracking links?
No, the CNAME entry for branded tracking links remains unchanged.
27. What Marketo configuration is required to complete the Landing Page TLS/SSL Setup?
One or more CNAMEs must be setup for Marketo Landing Pages as described here: Customize Your Landing Page URLs with a CNAME
28. Will URLs to the existing non-secure Marketo Landing Pages continue to work?
Any HTTP requests will continue to work. These will automatically be redirected to the secure pages (HTTPS).
There are only few situations where you will have to manually update the URL, specifically if you include a Marketo landing page on a secure website using an iframe. You will need to load the secure version of the landing page, otherwise the end user will get a security warning.
Converting Marketo Landing Pages to TLS/SSL does not affect any pages on your main (non-Marketo) corporate website.
30. Is Marketo enforcing HTTP String Transport Security (HSTS) for the site?
HTTP String Transport Security is important to mitigate TLS/SSL strip and other man-in-the-middle attacks. Clients who want to protect their site using HSTS need both secured landing pages and secure tracking links. Below is information on TLS/SSL for Tracking Links and HSTS:
- Secured Tracking Links
The SSL for Tracking Links service is intended to address requirements/use cases where a policy is in place that requires the configuration of the corporate website to only accept requests via HTTPS.
For more information on HSTS (which is just one technology that can be used to filter all but secure traffic into your website), please see the following link: HTTP Strict Transport Security - Wikipedia
Please note that emails sent from Marketo will display an HTTP tracking link address though they are transmitted over HTTPS.
31. Does a certificate with the primary site in the subject name and the alternate sites in the subject alternative name work for Marketo instead of a wildcard certificate?
Yes, we can work with a SAN certificate instead of a wildcard as long as all domain names are provided in a single certificate.