SOLVED

mkt_tok links causing a Site Cannot Be Reached error message

Jackie_Mccarthy
Level 2

Re: mkt_tok links causing a Site Cannot Be Reached error message

Yes, I only experience the issue behind my corporate firewall. When I open the email and click through on my phone, it works. When I open it on my work laptop, the link does not work. I have reason to believe that other businesses are experiencing the same thing.

 

Can you elaborate for me why HSTS does not apply? Apologies if this is an obvious answer -- I am not well versed. It would be helpful for me to have all the info so I can best describe the issue to upper management.

 

I'm surprised it does not apply because the link that people have to click through reads http:// rather than https:// which is something I had not noticed/something that did not register with me before. Could this have something to do with it?

 

Thanks again, so much, for your help.

Jackie_Mccarthy
Level 2

Re: mkt_tok links causing a Site Cannot Be Reached error message

By the way, I just tested it on my own computer. The link I sent works in Firefox for me. But it does not work on Google Chrome.

SanfordWhiteman
Level 10 - Community Moderator

Re: mkt_tok links causing a Site Cannot Be Reached error message

You may have an old cached HSTS entry. But HSTS does not currently affect navigation. If you create a new Google Chrome profile you can see how it works without an HSTS cache.

 

The HSTS header has 2 modes: single domain and domain + all subdomains.

 

When applied directly to a domain (let's say example.com) HSTS forces all future connections to that exact domain to be made over https:. Say you access http://example.com and are redirected to https://example.com and the response from https://example.com does include the HSTS header but doesn't include the includeSubDomains setting. All future visits to example.com, until the HSTS header expires, will go immediately to https://example.com. It doesn't matter if you enter http://example.com in the Location bar — the browser takes you directly to https://example.com and you never encounter the http: → https: redirect again. 

 

When applied to a domain and all of its subdomains, HSTS works as above except the policy is also enforced at all subdomains. So if I go to http://example.com, get redirected to https://example.com, and the https: response not only has the HSTS header but has includeSubDomains as well, then in the future if I go to http://click.example.com (which I've never actually visited before) the browser won't even try to take me there. It'll attempt to open https://click.example.com immediately, because the includeSubDomains is remembered from before. In case click.example.com doesn't even support SSL (it has no cert) or it has a non-matching cert name, then the request will fail. Having a long-expiring HSTS policy that has includeSubDomains but isn't adequately tested on all known subdomains can thus be catastrophic, because everyone who hits the site will try to connect to possibly broken sites and you can't make them all clear their caches!

 

But the current navigation path doesn't include an HSTS header that would affect the click tracking domain.
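The two HSTS modes described in the post above, modelled as a small browser-side cache. This is an added example, not part of the original post and not any browser's actual code; the hostnames, header values and timestamps are constructed, and the refresh-on-revisit behaviour follows RFC 6797.

```javascript
// Added example: minimal model of a browser's HSTS cache (per RFC 6797).
// All hostnames, header values and timestamps are constructed.

// Parse a Strict-Transport-Security value; null if max-age is missing or invalid.
function parseHsts(headerValue) {
  const policy = { maxAge: NaN, includeSubDomains: false };
  for (const part of headerValue.split(';')) {
    const [name, value = ''] = part.split('=');
    const key = name.trim().toLowerCase(); // directive names are case-insensitive
    const v = value.trim().replace(/"/g, '');
    if (key === 'max-age' && /^\d+$/.test(v)) policy.maxAge = Number(v);
    else if (key === 'includesubdomains') policy.includeSubDomains = true;
  }
  return Number.isInteger(policy.maxAge) ? policy : null;
}

class HstsCache {
  constructor() { this.entries = new Map(); } // host -> { expires, includeSubDomains }

  // Record a header from a response; it is only honoured on https: responses.
  note(host, scheme, headerValue, nowSec) {
    const p = scheme === 'https' ? parseHsts(headerValue) : null;
    if (!p) return;
    const h = host.toLowerCase();
    if (p.maxAge === 0) this.entries.delete(h); // max-age=0 removes the entry
    else this.entries.set(h, { expires: nowSec + p.maxAge, includeSubDomains: p.includeSubDomains });
  }

  // Would http://host be rewritten to https://host before any request is sent?
  forcesHttps(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join('.'));
      // Exact host match, or a parent domain whose policy covers subdomains.
      if (e && e.expires > nowSec && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
}

// Three constructed visitors; each loaded https://example.com at t=0.
function scenarios() {
  const DAY = 86400, sub = 'click.example.com', at = 30 * DAY;
  const single = new HstsCache(), stale = new HstsCache(), refreshed = new HstsCache();
  single.note('example.com', 'https', 'max-age=31536000', 0);
  stale.note('example.com', 'https', 'max-age=31536000; includeSubDomains', 0);
  refreshed.note('example.com', 'https', 'max-age=31536000; includeSubDomains', 0);
  refreshed.note('example.com', 'https', 'max-age=31536000', DAY); // saw corrected header
  return { single: [single.forcesHttps('example.com', at), single.forcesHttps(sub, at)],
           stale: stale.forcesHttps(sub, at), refreshed: refreshed.forcesHttps(sub, at),
           expired: stale.forcesHttps(sub, 366 * DAY) };
}
console.log(scenarios());
```

The `stale` visitor is the case discussed in this thread: the subdomain keeps being upgraded to https: until the cached entry expires or that visitor loads the parent domain over https: again and receives the corrected header.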

Jackie_Mccarthy
Level 2

Re: mkt_tok links causing a Site Cannot Be Reached error message

Okay - understood.... So in theory, if I have an old cached HSTS entry and I cannot reach the page, it's likely that others receiving my email also cannot reach the page?

 

How do I ensure this gets redirected to the correct site? Have our development team "includeSubdomains" from the HSTS header? Or is it that they have to check the cert name?

 

SanfordWhiteman
Level 10 - Community Moderator

Re: mkt_tok links causing a Site Cannot Be Reached error message

> Okay - understood.... So in theory, if I have an old cached HSTS entry and I cannot reach the page, it's likely that others receiving my email also cannot reach the page?


It's hard to say if others are affected. Best case scenario: your IT department accidentally had an includeSubDomains policy in place for a very short while, say an hour, before they realized their mistake. Internal users were more likely to be affected in the normal course of work; real world users would only have been affected if they visited the main site during that period.

 

Not-best case: the policy was out in the wild for a week. That naturally would affect exponentially more people, who will have the cached bad entry. 

 

The current HSTS header is not a problem. The question is how long the old HSTS header was out there for people to cache. If it was out there for a long time and thousands of high-value leads can't click your emails, then you're going to have to add SSL to your Marketo account, there's no way to "fix" it. 

Jackie_Mccarthy
Level 2

Re: mkt_tok links causing a Site Cannot Be Reached error message

Okay - thank you so much for all of your input and walking me through the possible scenarios. This has been very helpful.

 

Best,

Jackie

SanfordWhiteman
Level 10 - Community Moderator

Re: mkt_tok links causing a Site Cannot Be Reached error message

OK, good luck with the IT team. Please mark one of my answers as the Solution, thanks.