To avoid any issues with the use of HSTS/SSL or standalone SSL, it would be beneficial if tracking links in emails could be configured to use https, rather than only http.
I'd venture that HSTS (or, really, HSTS Preload) shouldn't be a requirement for having secure tracking links at all. Provided Marketo has installed your cert, the links should come out fully formed as https://, whether or not you have HSTS enabled and covering the tracking subdomain.
This is one place where you can ensure security at the point of entry (unlike with your main website(s), there should be close to zero manual browser entry of the tracking URL).
Note there isn't really an additional server request when the HSTS header hasn't been picked up from your main domain. When you click on a plain http://tracking.example.com that targets https://yourmainsite.example.com/your/page, and the end user has never visited example.com before in that browser (or the HSTS TTL has expired), you aren't redirected to https://tracking.example.com. You go straight to https://yourmainsite.example.com/your/page. The problem, of course, being that the initial connection is not secure, thus the whole transaction could be hacked.
If you remove HSTS from the Idea, I'll definitely upvote it!
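To make the first-hop argument above concrete, here is an added example (not Marketo's code, nor from anyone in this thread) that parses a Strict-Transport-Security header and decides whether a click on an email tracking link ever leaves the browser over plain HTTP. The hostnames, header values and cached-policy dictionary are constructed for illustration.

```python
from urllib.parse import urlparse


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: treat as no policy
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_covers(policy_host, policy, target_host):
    """True if a policy the browser learned from policy_host applies to target_host."""
    if policy["max_age"] <= 0:  # max-age=0 (or expired) means the policy is gone
        return False
    if target_host == policy_host:
        return True
    return policy["include_subdomains"] and target_host.endswith("." + policy_host)


def first_hop_secure(link, known_hsts):
    """Decide whether following `link` starts over TLS.

    known_hsts maps host -> parsed policy the browser has cached (or preloaded).
    An https:// link is always safe; an http:// link is only safe if some cached
    policy (e.g. the apex with includeSubDomains) already covers the tracking host.
    """
    parts = urlparse(link)
    if parts.scheme == "https":
        return True
    if parts.scheme != "http" or parts.hostname is None:
        return False
    return any(hsts_covers(h, p, parts.hostname) for h, p in known_hsts.items())


# Constructed sample: apex policy as a browser would have cached it after a visit.
APEX_POLICY = parse_hsts("max-age=31536000; includeSubDomains; preload")
```

First-time recipients have an empty cache, so only the https:// link form protects the first hop regardless of what the apex domain serves.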
Little bit confused re the second point (though also moot in regards to this conversation).
Does Marketo not redirect the non-secure tracking link to the secure tracking link if SSL is installed on the redirection server? I would think so, otherwise what's the point in forking over the cash to have Marketo install an SSL on the branded tracking link?
Does Marketo not redirect the non-secure tracking link to the secure tracking link if SSL is installed on the redirection server?
No, it does not.
otherwise what's the point in forking over the cash to have Marketo install an SSL on the branded tracking link?
The concept (flawed as it is) is that if you're serious about security, you must be using HSTS. When available, HSTS is used to secure the connection to the redirection domain.
Of course this model falls apart completely if you're not on HSTS Preload and the lead hasn't visited your main site before. As I've mentioned in the past you can run your own tracking server (rev proxy to Marketo) and save the $ on the cert install. But that's more moving parts. My clients tend to pay even though they're frustrated.
I see - that makes much more sense now!