Re: Weighing Options after Undoing HSTS Policy to Exclude SubDomains

Anonymous
Not applicable

Weighing Options after Undoing HSTS Policy to Exclude SubDomains

Prior to implementing Marketo, we accidentally set up an HSTS policy to include SubDomains but have since removed that option. However, existing leads/customers who may have visited our main site would now have it cached and would therefore see an SSL error when they visit any of their subdomains. Unless they revisit our main site again to reload the new policy without the includeSubDomains, they would see that SSL error. One method we thought of is using a separate domain name for an initial subdomain, then going back to our Marketo subdomains once we're more certain that the old policy has been replaced with the new one in users' browser caches.

However, we know that would have significant tracking implications because of the cookies not carrying over. Does anyone have any other recommendations that don't involve the time and $ of working with Marketo Pro Services (I can't wait 2-3 weeks or spend a ton beyond the budget I had for MA)? We are stuck here!

@Jimmy@rubiconmd.com
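The caching behaviour described in this post, as an added example that is not part of the original thread: a toy model of a browser's HSTS store (RFC 6797) showing why a subdomain stays forced to HTTPS until the browser revisits the main site and receives the corrected header. Host names and the clock are constructed placeholders.

```python
import re

class HstsCache:
    """Toy model of a browser's HSTS store (RFC 6797): one entry per host,
    replaced by the newest Strict-Transport-Security header from that host.
    Constructed for this example; not real browser or Marketo code."""

    def __init__(self, now):
        self.now = now          # callable returning the current timestamp
        self.entries = {}       # host -> (expiry_timestamp, include_subdomains)

    def observe_header(self, host, header):
        """Record an STS header received from `host` over HTTPS."""
        m = re.search(r"max-age\s*=\s*(\d+)", header, re.I)
        if not m:
            return  # no usable max-age: browsers ignore the header
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the known host
            return
        inc = re.search(r"includeSubDomains(\s*;|\s*$)", header, re.I) is not None
        self.entries[host] = (self.now() + max_age, inc)

    def must_use_https(self, host):
        """Would the browser internally rewrite http://host to https://?"""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or entry[0] <= self.now():
                continue  # unknown or expired entry
            if candidate == host or entry[1]:
                return True  # exact match, or superdomain with includeSubDomains
        return False

def rollback_scenario():
    """The thread's situation with a controllable clock (placeholder hosts)."""
    clock = [1_700_000_000.0]
    cache = HstsCache(now=lambda: clock[0])
    # 1. Mistaken policy served by the main site.
    cache.observe_header("example.com", "max-age=31536000; includeSubDomains")
    forced = cache.must_use_https("go.example.com")
    # 2. Operator removes includeSubDomains, but this browser does not return;
    #    thirty days later the cached entry still forces HTTPS on the subdomain.
    clock[0] += 30 * 86400
    still_forced = cache.must_use_https("go.example.com")
    # 3. Only a revisit to the main site replaces the entry with the corrected header.
    cache.observe_header("example.com", "max-age=31536000")
    cleared = cache.must_use_https("go.example.com")
    return forced, still_forced, cleared
```

Without that revisit, the stale entry persists for the full max-age originally sent, which is why a temporary alternate domain was being considered.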

5 REPLIES
SanfordWhiteman
Level 10 - Community Moderator

Re: Weighing Options after Undoing HSTS Policy to Exclude SubDomains

We accidentally set up an HSTS policy to include SubDomains but have since removed that option. However, existing users who may have visited our main site would now have that cached and would therefore see an SSL error when they visit any of our subdomains. Unless they revisit our main site again to reload the new policy without the includeSubDomains, they would see that SSL error. (not sure if we need this last part after just reading your post on the other channel? => ) One method we thought about to get around this problem is to use a separate domain name for an initial campaign. Then go back to using our subdomains once we're more certain that the old policy has been replaced with the new one in users' browser caches.

However, we know that would have significant tracking implications because of the cookies not carrying over. Does anyone have any other recommendations that don't involve the time and $ of working with Marketo Pro Services (I can't wait 2-3 weeks or spend a ton beyond the budget I had for MA)? We are stuck here!

One thing you didn't quite reveal is why you want to revert the includeSubDomains. Is it because of the expense of setting up with Marketo?  B/c if that's the only reason, and you already have a wildcard or SAN cert that covers your Marketo subdomain, you can steer your traffic through an inexpensive CDN like CloudFront, where there is no setup or maintenance fee (other than renewing your cert, which you're presumably already doing).

Anonymous
Not applicable

Re: Weighing Options after Undoing HSTS Policy to Exclude SubDomains

Hi Sanford, thanks for your reply. Unfortunately, HSTS policy doesn't allow us to cherry-pick which subdomains we wish to secure. It's a binary event. Since we don't wish to secure every subdomain, nor would we have the ability to do so due to some of the third-party services we're redirecting to, it's better for us to remove that specific policy of including all subdomains.

I'm unsure what exactly you would accomplish by using a CDN. Would you please explain your thought process there? Thanks.

SanfordWhiteman
Level 10 - Community Moderator

Re: Weighing Options after Undoing HSTS Policy to Exclude SubDomains

Using a CDN (or, more broadly, any reverse proxy) allows you to secure the first hop of end-user connections even if the true origin server only uses plain text. The clients connect to the CDN over SSL.  The CDN connects to the origin server over plain text. The CDN ignores HSTS policies as directed.

Enforcing a domain-wide "SSL Everywhere" policy may require the use of one or more reverse proxies.

Anonymous
Not applicable

Re: Weighing Options after Undoing HSTS Policy to Exclude SubDomains

Thanks again for your reply. Since I'm fairly new to the platform, do you know if there will be a problem with the referrer not being passed from the CDN to the origin server, since one is secure and the other is not? That's what happens when you go from secure to non-secure servers.

When users click on the emails we send out using Marketo, does the request go to them first before being sent to the CDN? If so, then I presume they would have time to embed a cookie for tracking? If not, I would imagine that they would have a problem tracking the user without the referrer info?

SanfordWhiteman
Level 10 - Community Moderator

Re: Weighing Options after Undoing HSTS Policy to Exclude SubDomains

Referrers are removed by browsers when the end user navigates from a secure to an insecure site. The fact that the CDN server is communicating with a deeper origin server is totally unknown to the browser. Every day, your browser connects to systems like this (SSL front end, non-SSL back end) and doesn't know it. The referrer is not affected. The browser only sees SSL.

For click tracking, the referrer is not used, so it wouldn't matter whether it's affected or not (though it's not).