Email Tracking URL Security Enhancement | Community
Mike_Reynolds2
Level 10
June 6, 2017

Overview

For added security, we have added functionality to validate that email tracking URL hash codes originate from the same domain in the subscription. A unique email tracking URL hash code is what is used to identify which Marketo instance the link is coming from, enabling the tracking functionality in your emails.

Example

Here’s an example of how an email tracking URL is constructed:

Enhancement being made:

This enhancement will add extra validation to the tracking URLs used in your emails.

When our tracking server receives the link, it will use the URL hash code to identify the Marketo instance. It then looks up the branding domains associated with the subscription.

If the domain presented in the URL matches a branding domain we have listed for you, the link will connect just as it should. If the domain in the URL does not match a domain in our database, it will be considered suspicious and will be stopped and a "404 error" will be displayed.


23 replies

June 10, 2017

Well said Robb. I consider myself a technical person... most people would consider me a technical person. I had to read every single comment and reply in order to feel like I fully understood it. Security issues in particular are extremely difficult to communicate and understand and, as you stated, require internal iteration and vetting to get right. Exploits are very difficult to understand and illustrations can sometimes help. After reading all of this thread, I would summarize it as follows...

Corrected a potential exploit in which tracking-enabled links could be made to appear as if they were pointing to one Marketo instance domain but which actually redirected to another, potentially unrelated or unexpected Marketo instance domain

Tracking-enabled URLs or web links are typically used to track user engagement within e-mails. While e-mail links can point to any 3rd party site, the specific links impacted by this security enhancement are those that link back to a customer's own Marketo instance and which have a tracking hash on the end - for example go.friendlycompany.com/XXXYYYZZZ. "XXXYYYZZZ" is a randomly generated identifier which is parsed by Marketo when the link is clicked by a user.

Prior to this fix, another Marketo instance (e.g. go.naughtycompany.com) could have created a trackable e-mail link (e.g. go.naughtycompany.com/erhen492df4h4dss3f34fd) and simply replaced go.naughtycompany.com with the domain of another Marketo customer (e.g. go.friendlycompany.com) followed by the same tracking hash (e.g. go.friendlycompany.com/erhen492df4h4dss3f34fd). This would lead a user to believe that, when clicked, the user would be visiting friendlycompany.com when, in reality, the presence of the unique tracking hash created by go.naughtycompany.com (e.g. erhen492df4h4dss3f34fd) in the URL would have resulted in sending them to go.naughtycompany.com's Marketo instance.

NOTE: While the exploit scenario requires both companies to be Marketo customers, leveraging Marketo with the intent to deceive or misrepresent the functionality of an electronic message is a gross misuse of this service and may also be in violation of privacy and communications laws which vary by country. If discovered, electronic violations of this nature may result in fine or imprisonment.

==================

At least that's how I would have written it.
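The host-versus-hash check described in the original post, and the spoofed-link scenario the June 10 reply walks through, as an added example that is not part of the original post, of any reply, or of Marketo's code. The hash values, the instance names "friendly" and "naughty", the destination URLs and the two in-memory lookup tables are all constructed for illustration; a real tracking server would resolve the hash against its own database and take the host from the request's Host header.

```python
"""Tracking-link redirect handler before and after the branding-domain check.

Added example; not Marketo's code. TRACKING_HASHES, BRANDING_DOMAINS, the
instance names and every domain/URL below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the tracking server's database: a tracking hash
# identifies the instance (subscription) that generated it and the
# destination the click is forwarded to.
TRACKING_HASHES = {
    "a1b2c3d4e5": ("friendly", "https://www.friendlycompany.com/offer"),
    "erhen492df4h4dss3f34fd": ("naughty", "https://www.naughtycompany.com/login"),
}

# Branding (click) domains registered to each subscription.
BRANDING_DOMAINS = {
    "friendly": {"go.friendlycompany.com", "click.friendlycompany.com"},
    "naughty": {"go.naughtycompany.com"},
}


def _split(url):
    """Return (host, tracking_hash) for a clicked tracking URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # .hostname drops the port and case
    tracking_hash = parts.path.strip("/")
    return host, tracking_hash


def redirect_before(url):
    """Pre-enhancement behaviour: the hash alone decides where the click goes.

    Returns (status, location). The host in the URL is never consulted, so a
    hash minted by one instance works under any other customer's domain.
    """
    _host, tracking_hash = _split(url)
    hit = TRACKING_HASHES.get(tracking_hash)
    if hit is None:
        return 404, None
    _instance, destination = hit
    return 302, destination


def redirect_after(url):
    """Post-enhancement behaviour: the host must be a branding domain of the
    instance that owns the hash; any other host/hash pairing gets a 404."""
    host, tracking_hash = _split(url)
    hit = TRACKING_HASHES.get(tracking_hash)
    if hit is None:
        return 404, None
    instance, destination = hit
    if host not in BRANDING_DOMAINS.get(instance, set()):
        # Host and hash belong to different subscriptions: treat the link as
        # spoofed and refuse to redirect rather than reveal the real target.
        return 404, None
    return 302, destination


# The spoofed link from the thread: naughty's hash under friendly's domain.
SPOOFED = "http://go.friendlycompany.com/erhen492df4h4dss3f34fd"
LEGIT = "http://go.friendlycompany.com/a1b2c3d4e5"

if __name__ == "__main__":
    for label, url in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, "before:", redirect_before(url), "after:", redirect_after(url))
```

Two details matter in the hardened version: the comparison is an exact match against the set of registered branding domains (not a suffix match, which a look-alike host could satisfy), and the mismatch is answered with the same generic 404 as an unknown hash, which is what the original post describes.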

Anna_Blanchet1
Level 3
June 22, 2017

Hi Mike,

I have an open ticket with Support because tracked links in our emails are displaying 404 errors for a portion of program members.

"If the domain presented in the URL matches a branding domain we have listed for you, the link will connect just as it should. If the domain in the URL does not match a domain in our database, it will be considered suspicious and will be stopped and a "404 error" will be displayed."

Is it possible that this update has disrupted the use of tracked links in our instance? I noticed that tracked links are not secured. The browser I use updates the URL to https:// but I'm wondering if other browsers are not completing the redirect so it's treated as suspicious and doesn't load.

I would love any thoughts you have on this issue.


Thanks!

Anna

SanfordWhiteman
Level 10
June 22, 2017

You may be on to something, but careful not to mix different concepts of "secured" -- this particular bugfix relates to security, but not (directly) to https://.

AFAIK, tracking (branding) domains are still rewritten to plain-text http:// in the email itself, then redirected from http:// → https:// only if you have HSTS (a special HTTP header) set up for your click domain.  At least in the instance I just spot-checked, even if your tracking domain has an SSL cert installed by Marketo, email content won't take that into account (which defeats real security, but I digress).

In other words, it will be up to your webmaster/DNS team to ensure that people are redirected from the insecure to the secure form of your click domain, and in turn redirected to the original target URL. I don't think it's even possible to turn off plain-text on your branding domain at this time, so even if the person is not redirected from http://tracking → https://tracking → http://external but only from http://tracking → http://external they'll be fine.
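A way to check the redirect chain this reply describes on your own click domain, as an added example that is not part of the reply or of Marketo's code: it parses the Strict-Transport-Security header and flags a click domain that is never upgraded from http:// to https://, or that is served over https:// without an effective HSTS header. The three chains and the domain go.friendlycompany.com are constructed; in practice you would capture the hops with a client that follows one redirect at a time (curl -I, for instance) and feed them in.

```python
"""Audit a click-domain redirect chain for plaintext hops and HSTS.

Added example; not part of the thread or Marketo's code. The chains below are
constructed (go.friendlycompany.com stands in for a real click domain).
"""
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header carries no usable max-age and therefore enforces nothing.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if "max-age" not in directives:
        return None
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return None
    return {"max_age": max_age,
            "include_subdomains": "includesubdomains" in directives}


def audit_chain(hops):
    """Audit the hops of one click, in order; the click domain is hop 0's host.

    hops: list of (url, status, headers) as seen by a client that follows one
    redirect at a time. Returns a list of findings; an empty list means every
    hop on the click domain was served over https with an effective HSTS header.
    """
    findings = []
    click_domain = urlsplit(hops[0][0]).hostname
    upgraded = False
    for i, (url, status, headers) in enumerate(hops):
        parts = urlsplit(url)
        lowered = {k.lower(): v for k, v in headers.items()}
        if 300 <= status < 400 and "location" not in lowered:
            findings.append(f"hop {i}: {status} without a Location header")
        if parts.hostname != click_domain:
            continue  # the external target; not the click domain's concern
        if parts.scheme.lower() != "https":
            continue  # the plaintext form the email links to
        upgraded = True
        hsts = parse_hsts(lowered.get("strict-transport-security", ""))
        if hsts is None or hsts["max_age"] <= 0:
            findings.append(f"hop {i}: https://{click_domain} served without "
                            "an effective HSTS header")
    if not upgraded:
        findings.append(f"{click_domain} is never served over https: "
                        "the tracking hop stays in plaintext")
    return findings


# Constructed chains. 1: http tracking -> external (the default described in
# the reply above). 2: http tracking -> https tracking (with HSTS) -> external.
# 3: the same upgrade, but the https hop sends no HSTS header.
CHAIN_PLAINTEXT = [
    ("http://go.friendlycompany.com/a1b2c3d4e5", 302,
     {"Location": "https://www.friendlycompany.com/offer"}),
]
CHAIN_UPGRADED = [
    ("http://go.friendlycompany.com/a1b2c3d4e5", 301,
     {"Location": "https://go.friendlycompany.com/a1b2c3d4e5"}),
    ("https://go.friendlycompany.com/a1b2c3d4e5", 302,
     {"Location": "https://www.friendlycompany.com/offer",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
CHAIN_NO_HSTS = [
    ("http://go.friendlycompany.com/a1b2c3d4e5", 301,
     {"Location": "https://go.friendlycompany.com/a1b2c3d4e5"}),
    ("https://go.friendlycompany.com/a1b2c3d4e5", 302,
     {"Location": "https://www.friendlycompany.com/offer"}),
]

if __name__ == "__main__":
    for name, chain in (("plaintext", CHAIN_PLAINTEXT),
                        ("upgraded", CHAIN_UPGRADED),
                        ("no_hsts", CHAIN_NO_HSTS)):
        print(name, audit_chain(chain) or "ok")
```

The first hop is plaintext in all three chains, which matches what the reply says about how the email itself is rewritten; the audit therefore only judges whether the click domain upgrades on the server side and, once on https, whether it asks browsers to remember that with HSTS.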