
@lanterndev
Last active December 27, 2015 11:59
MailChimp and https

Dear MailChimp Security Team,

First off, thanks for the great work! The Lantern team has been using MailChimp for a while now and we're very grateful for the service.

We're concerned though that when our users POST their email addresses to https://getlantern.us2.list-manage.com/subscribe/post?u=0ac18298d5d0330dcda8f48aa through the signup form on our site, the page MailChimp serves them over https loads javascript over http (e.g. http://downloads.mailchimp.com/js/jquery.mailcheck.min.js). This makes it possible for a man-in-the-middle attack, where instead of getting the javascript they're supposed to get from your server, users get attacker-controlled code. The malicious code could harvest their email addresses (which get rendered in e.g. the "already subscribed" error), trick them into submitting more information to the attacker, etc. This isn't just a theoretical concern. Our users actually do live in places where attacks like these are unfortunately all too common.

Your http://kb.mailchimp.com/article/i-got-a-security-alert-in-my-browser/ page says:

If you see security alert messages, it's because MailChimp supports SSL encryption throughout our entire application.

If this is true, it should only take one of your developers a couple minutes to change the hardcoded "http://" urls in your subscribe forms to "//" protocol-relative urls, so that users viewing the page over http receive the javascript over http, while users viewing the page over https receive the javascript over https. This would also get rid of the mixed content warnings for your users that your http://kb.mailchimp.com/article/i-got-a-security-alert-in-my-browser/ page has to take such care to explain. Even better would be to just serve this content over https only, and serve redirects from http urls to https urls. Links in email campaigns that have been rewritten to enable MailChimp click tracking should also use https urls.

Thank you for your consideration, and we hope this is helpful. Thanks again for the great work on MailChimp.

_pants from Team Lantern
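A small check for the problem the letter describes, added here as an example and not code from MailChimp or Lantern: it scans an HTML page for active content (scripts, stylesheets, iframes, objects) referenced by a hardcoded http:// URL and shows the protocol-relative rewrite the letter proposes. The sample page and the cdn.example.test hostnames are constructed; the script URL is the one named in the letter.

```python
from html.parser import HTMLParser

# Added example, not MailChimp's or Lantern's code. Elements whose http://
# references are "active" mixed content: a network attacker who replaces the
# fetched resource gets to run code or restyle the https page.
ACTIVE = {"script": "src", "link": "href", "iframe": "src", "object": "data"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url) pairs loaded over plain http

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        attr = ACTIVE.get(tag)
        if attr is None:
            return
        # <link> only counts when it is a stylesheet, not e.g. an icon
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(attr) or ""
        if url.lower().startswith("http://"):
            self.findings.append((tag, url))


def find_mixed_content(html):
    """Return [(tag, url)] for active content an https page loads via http."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def to_protocol_relative(url):
    """Rewrite http://host/path to //host/path so it inherits the page's scheme."""
    if url.lower().startswith("http://"):
        return "//" + url[len("http://"):]
    return url


# Constructed sample: an https confirmation page that still references one
# script by a hardcoded http:// URL (the file named in the letter); the image
# is passive mixed content and is deliberately not reported.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/style.css">
<script src="http://downloads.mailchimp.com/js/jquery.mailcheck.min.js"></script>
<script src="//cdn.example.test/app.js"></script>
</head><body><img src="http://cdn.example.test/logo.png"></body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"{tag}: {url} -> {to_protocol_relative(url)}")
```

Running it reports only the jquery.mailcheck.min.js script and its //downloads.mailchimp.com/... rewrite; the https stylesheet and the already protocol-relative script pass.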

@garychapman

Did Mailchimp ever address this issue, or was a workaround ever found? We're well into 2015 and I'm still seeing Mixed Content error messages in my developer console.
