Level 2

Question

Strict Transport Security Header

Forum|Forum|6 years ago
November 19, 2019
5 replies
5678 views

Hey There,

I sent out an email from Marketo and they are getting a site not secure error. After they get this error the were redirected to the 404 Error page on our Web site. There was a good chunk of our audience, so Marketo is now unusable:( How do we fix this ASAP? #support‌ #customer support‌ #safari‌ #tracked links redirect‌ #redirects‌

Marketo

SanfordWhiteman

Level 10

Please do not obfuscate your domain, it will not be possible to help if you do this.

SanfordWhiteman

Level 10

Singling out Safari 13 is incorrect. Your branding (email tracking) domain, go.aryaka.com, indeed does not have a valid SSL certificate. This is true in any browser that validates the cert.

Rosella_FernandAuthor

Level 2

Cool...thanks for the insight. The go.aryaka.com is what we use via Marketo for tracking, we would prefer just taking them to our main https://www.arkaya.com site which has the SSL certificates enabled. How can we change Marketo to do that?

SanfordWhiteman

Level 10

You can't both track links (Clicked Email) and send people directly to your main website. The 2 are mutually exclusive.

By default in Marketo, all links are tracked, meaning they are rewritten to bounce off your branding domain, then go to the final destination domain. If you want to turn off tracking, you must add the class="mktNoTrack" to your links. And indeed, you need to do this with all your links until you add SSL to your Marketo subscription.

The root cause here is that your web team broke connections to Marketo. They added the HSTS (Strict-Transport-Security) header to your main website without testing it first, and included all subdomains of aryaka.com even though they don't manage those domains. In a nutshell, HSTS requires that all connections be secure, which is great... but only if indeed all of your sites can be accessed securely. Even worse, they added a 1-year expiration (!!!) to the HSTS header, meaning everyone who's seen that header cannot unsee it. Incredible rookie mistake.

Note that if your web team hadn't added that header, you'd be fine not having SSL in Marketo. The branding domain doesn't have to support SSL. It's better if it does -- for the net as a whole -- but is by no means required. But if the link claims it supports SSL (that is, it begins with because HSTS requires it) then the cert must be installed.

SanfordWhiteman

Level 10

Also, please change the title of your thread -- this doesn't have anything to do with Safari in particular and it's going to confuse anyone who comes across it.

Rosella_FernandAuthor

Level 2

Done and Thank you!

SanfordWhiteman

Level 10

Thanks, if you could mark my post above (the one where I first mentioned HSTS) as Correct that would help future searches.

P.S. If you're wondering why it might have seemed like Safari 13 was specifically affected, remember that's a new major release. As such, people who installed Saf 13 likely started with a clean HSTS cache. In contrast, people on other browsers might have been using cached versions of your HSTS header which didn't yet have the ill-advised includeSubdomains directive. If the older header was also set to be cached for a year, people wouldn't fetch the new problematic header until they cleared their cache/switched browsers. Unfortunately, now everybody who has the problematic one will not be able to follow your links for a year.

Rosella_FernandAuthor

Level 2

Thanks. Not sure how to move your other post to the front, but will do so if/when I figure it out. Quick question, on your last post, if we replace the go.arkaya.com domain with an SSL one, or we revise the HSTS header to not include subdomains, can this fix the issue of people who landed from subdomains without SSL? Again. I truly appreciate your help/insight.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded