Well, of course something is being displayed: the http:// or https:// URLs that I inserted into my original email, as well as the JS redirect code, which could be effortlessly read -- and almost as easily altered -- on its way to the browser.
If an email links to https://www.example.com/my/product/page/?some=query a marketer would reasonably expect the pathname/query to be secure on the wire. But it isn't, because it bounces off the insecure branding domain. To be fair, there isn't deeply sensitive information transmitted in our clickable URLs. But we do sometimes include tokens w/ the Salesforce and/or Marketo ID for the lead (for later API work) and it stands to reason that we want to keep those tokens as secure as was the original URL.
More important, though, an interested (and only marginally skilled) hacker could alter redirects to go wherever s/he wanted. Imagine a classic phishing attempt with a lookalike login page, using as cover the lead's/customer's existing comfort with our brand (and the fact that the mail was DKIM-signed and SPF-passed to boot). I know this attack vector sounds crazy to most Marketo users, but any targeted attack, especially such an easy one to execute, is something we need to cover.
(Turning off tracking isn't a solution because obviously we need that functionality.)
Hi Sanford,
I am not sure I fully understand the risks you are mentioning, since the email link does not show the sensitive info such as Marketo Lead ID. Instead, the link will look like http://go.example.com/AX3543DGDC6854VJGH654CGH56GFH which only Marketo can give a meaning to. Or did I miss something?
-Greg
Thx
-Greg
The true answer is no for the time being but we will be adding that functionality soon.
Here is what we currently support for email tracking links:
We do currently offer a SKU for secure tracking links. When you buy secure tracking links from us, all it means is that we will install your cert in our load balancer so that when the tracking link is hit via https it will work. It doesn't mean that your tracking links will now be converted to https in your emails. In fact, the links will continue to be http and it will still be left up to the browser to determine if those links should be loaded via https instead. Some of our customers have implemented HSTS on their website instructing browsers to load all requests to their domain (and optionally subdomains) securely. In this case, the http link would be clicked in the email but the browser would automatically change it to https. Because we've installed the cert, it would work. If the lead hasn't already visited the corporate webpage, however, the links would continue to behave as always...the user would click a http tracking link and then get redirected to the https destination.
Here is what we want to support in the future:
For customers that have purchased this SKU, we plan to release a feature that will convert https links in your emails to a https Marketo tracking link automatically.
Justin
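The HSTS-driven behaviour Justin describes depends on two things the post only mentions in passing: the lead's browser must already hold a policy from an earlier HTTPS visit, and that policy must actually cover the tracking host (a policy set by www.example.com does not reach go.example.com; one set by example.com only does if it carries includeSubDomains). The following is an added example written for this thread, not Marketo's or the poster's code: a small model of a browser's HSTS cache following RFC 6797 semantics, run against the tracking-link shape Greg quoted. The hostnames and Strict-Transport-Security header values are constructed for illustration.

```javascript
// Added example: a minimal model of a browser's HSTS cache (RFC 6797 semantics),
// used to check when an http:// tracking link is upgraded to https:// before it
// is sent. Constructed for illustration; hostnames and headers are hypothetical.

const hstsCache = new Map(); // hostname -> { expires (ms), includeSubDomains }

// Parse a Strict-Transport-Security header value such as
// "max-age=31536000; includeSubDomains". Returns null if the header is unusable.
function parseHsts(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const [name, value] = part.trim().split('=');
    if (!name) continue;
    directives[name.toLowerCase()] = value === undefined ? true : value.replace(/^"|"$/g, '');
  }
  if (!('max-age' in directives)) return null; // max-age is mandatory
  const maxAge = Number(directives['max-age']);
  if (!Number.isInteger(maxAge) || maxAge < 0) return null;
  return { maxAge, includeSubDomains: directives['includesubdomains'] === true };
}

// Record a policy from a response. Browsers only honour HSTS on HTTPS responses;
// max-age=0 removes an existing entry.
function observeResponse(url, headers, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol !== 'https:') return false;
  const policy = parseHsts(headers['strict-transport-security'] ?? '');
  if (!policy) return false;
  if (policy.maxAge === 0) {
    hstsCache.delete(u.hostname);
    return true;
  }
  hstsCache.set(u.hostname, {
    expires: now + policy.maxAge * 1000,
    includeSubDomains: policy.includeSubDomains,
  });
  return true;
}

// Decide whether the browser would rewrite an http:// URL to https:// before
// sending it. Walks from the exact host up through its parent domains; a parent
// entry only applies when it was stored with includeSubDomains.
function upgradeUrl(url, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return url;
  const labels = u.hostname.split('.');
  for (let i = 0; i < labels.length; i++) {
    const host = labels.slice(i).join('.');
    const entry = hstsCache.get(host);
    if (!entry || entry.expires <= now) continue;
    if (i === 0 || entry.includeSubDomains) {
      u.protocol = 'https:';
      return u.toString();
    }
  }
  return url; // no applicable policy: the plain http request goes out as written
}

// Convenience wrapper: start from an empty cache, replay the lead's prior visits,
// then return the URL the browser would actually request for the clicked link.
function simulateClick(priorVisits, clickedLink) {
  hstsCache.clear();
  for (const visit of priorVisits) observeResponse(visit.url, visit.headers);
  return upgradeUrl(clickedLink);
}

// Demo with the link shape quoted in the thread (constructed token).
const trackedLink = 'http://go.example.com/AX3543DGDC6854VJGH654CGH56GFH';
const hsts = { 'strict-transport-security': 'max-age=31536000; includeSubDomains' };
console.log('never visited:       ', simulateClick([], trackedLink));
console.log('visited www only:    ', simulateClick([{ url: 'https://www.example.com/', headers: hsts }], trackedLink));
console.log('visited apex + subs: ', simulateClick([{ url: 'https://example.com/', headers: hsts }], trackedLink));
```

The third case is the only one in which the tracking link is upgraded, which is why a policy on www alone does not protect the redirect hop and why a lead who has never reached the corporate site over HTTPS still sends the plain http request.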
Thx Justin,
That's very clear.
-Greg
Thx -- since this post I've rolled it out as-is (HSTS-driven) to a couple of instances and am waiting for the next level.