
SSL cert for links.email.wikimedia.org
Open, Stalled, Normal, Public

Description

Back in 2015, we turned off our email service provider's (IBM's Watson Campaign Monitor, which we call Silverpop) clicktracking feature because the only way we were able to track clicks on a custom domain was over http. The Foundation was moving to adopt an HSTS policy and couldn't have unsecured domains out there. So we started using landing page hits on donate.wiki as an approximation for clicks. That has worked well enough, but has three limitations/pain points:

a) It means we have to get our email performance data from 3 different sources, rather than 2, which slows down the stats process.

b) We aren't able to track clicks to any link not hosted on donate.wikimedia.org

c) We don't have individual clickthrough events recorded in the ESP so it's harder to set up behavioral email programs

Recently, Silverpop changed their policy and are allowing clients to purchase SSL certs for clicktracking domains, so we'd like to switch back to using our ESP for clicktracking. We need to get Ops' approval to use a subdomain for clicktracking again so we can then have them purchase a cert. For now, we need to confirm this information is correct:

2-Character Country: US
State: California
Locality/City: San Francisco
Organization Name (Company Name): Wikimedia Foundation, Inc.
Organization Unit (example: Marketing, Sales, etc): Fundraising
Common Name: links.email.donate.wikimedia.org (this is the subdomain we used before)
Contact Email Address: [REDACTED]

Silverpop will then provide a CSR for us to purchase the cert with. It's recommended that we buy a 3-year cert. As to what level, that is up to Ops, but the user virtually never sees this site load so we don't think we need to spend much on it. Then we will provide the cert to Trilogy and they will provide it to IBM. After that it takes just 2-3 days and we're clicktracking in IBM again!

(please feel free to edit the task description as I'm sure my verbiage isn't totally right...)

Event Timeline

CCogdill_WMF triaged this task as Normal priority. Feb 28 2018, 10:50 PM
CCogdill_WMF created this task.
Restricted Application added a subscriber: Aklapper. Feb 28 2018, 10:50 PM
DStrine moved this task from Triage to FR-Ops on the Fundraising-Backlog board.

@Jgreen or @cwdent do you have any thoughts here?

@K4-713 @mepps @Ejegg as FYI

Jgreen added a comment. Mar 9 2018, 2:04 PM

@Jgreen or @cwdent do you have any thoughts here?

Nope, let's add the other teams to the task to start the security reviews as Caitlin said.

@Jgreen and @cwdent Can you please loop in the appropriate teams?

BBlack added subscribers: BBlack, Vgutierrez.

Yeah I do have concerns here. It's going to take some time before I can loop back and explain them, but I just wanted to put the note in now that this is concerning on multiple levels...

Restricted Application added a project: Operations. Mar 22 2018, 4:54 PM
CCogdill_WMF updated the task description. Mar 22 2018, 5:43 PM

Updating task as I want to update the subdomain in the request.

ema moved this task from Triage to TLS on the Traffic board. Mar 29 2018, 7:38 AM
debt added a subscriber: debt. Apr 11 2018, 3:17 PM
debt added a comment. Apr 11 2018, 3:27 PM

Hi @BBlack - can you add your concerns to this ticket....we're needing to get this figured out soon. Thanks!

Bumping this! We are doing a series of newsletter tests with Chapters this quarter and it is really important for us to have access to click data to pages outside donate.wiki. We have already sent some emails out having to forego some data, but there are more going out over the next 4 weeks and it would be great to get what clicktracking we can. Not to mention there's a real human cost for the amount of time it takes to manually pull the data from another source.

Happy to answer any questions needed!

Dzahn changed the task status from Open to Stalled. Apr 17 2018, 5:48 PM

What's the data? From our clicktracking efforts what will we be collecting?

We're collecting click engagement off fundraising emails (actual
fundraising appeals, or informational newsletter emails) that are sent out
from the 3rd party email service provider we use. We want to use their
clicktracking system so we can get click data for sites outside of the
donate.wikimedia.org domain.

SSL certs are what allow your browser to show you a green bar and
guarantee that if you see that, you are talking to the Wikimedia
Foundation. If we allow a 3rd party to impersonate us using an SSL cert
it breaks that trust model. I personally think it's an important part
of making the internet safer for less technical people.

That being said, afaik there is no canonical rule that says it can't
mean "the Wikimedia Foundation and its trusted affiliates". If the
Certificate Authority (the org we buy them from) didn't want them to be
shared, it would say so in the terms of service. Of course it's
probably safe to assume their main motivation is profit.

Anyway I think the nit-picky definition is probably up to legal? I'm
sure this practice is entirely normal in a saas world. And CAs are an
absolute racket anyway so I am ambivalent.

Would conversion be negatively affected by using a Silverpop URL
for the forwarding page? I would not be offended by that as a donor, I
feel like people know WMF is small and it's normal to farm out emails.

</$0.02>

Ejegg added a comment. Edited Apr 30 2018, 5:26 PM

@cwdent we formerly had silverpop-hosted urls in the email links, and lots of people thought they were phishing spam

We used a Silverpop URL for a few months and got enough complaints from
donors that our Donor Services team asked us to turn clicktracking off. We
didn't track clicks at all until fr-tech was able to build us a solution.

Thanks for the meeting on Thursday, everyone! I'm following up with IBM about potentially:

  • getting them to obtain a DV cert
  • reviewing their SSL setup

I'm still gathering information, but I think I got some helpful information regarding point #2. This is an SSL Report for another Trilogy client using a custom domain with IBM for the same purpose as we would be: https://www.ssllabs.com/ssltest/analyze.html?d=links.e.uso.org

@cwdent or @Jgreen would one of you check this out and let me know if it has enough info to determine if IBM can meet our HTTPS standards? I figure we should try to answer that question first.

The problems I see are:

  • content served over http
  • weak DH supported (https://weakdh.org/) resulting in "B" grade from Qualys

I don't think the 2nd is a blocker (yet, according to https://wikitech.wikimedia.org/wiki/HTTPS) but it sounds like the 1st is. @CCogdill_WMF can you see if they're willing to change their handling of http to redirect to https rather than serving a page?
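The two findings listed in the comment above (a page served over http, and weak DH) can be turned into a repeatable check. The following is an added example, not part of the original thread and not Wikimedia's or IBM's tooling: it assumes the http status and `Location` header have already been captured, reads the `Server Temp Key` line that `openssl s_client` prints, and uses a 2048-bit floor taken from the weakdh.org recommendation. The sample inputs are constructed.

```python
import re
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
MIN_DH_BITS = 2048  # assumption: the 2048-bit floor recommended on weakdh.org


def check_http_handling(status, location):
    """Plain-http requests must be redirected to https, never answered with a page."""
    if status not in REDIRECTS:
        return (False, f"http answered with status {status} instead of a redirect")
    if urlsplit(location or "").scheme.lower() != "https":
        return (False, f"redirect target is not https: {location!r}")
    return (True, "http redirects to https")


def check_key_exchange(s_client_output):
    """Read the 'Server Temp Key' line printed by `openssl s_client`."""
    m = re.search(r"Server Temp Key: (\w+),.*?(\d+) bits", s_client_output)
    if not m:
        return (None, "no ephemeral key reported")
    kind, bits = m.group(1), int(m.group(2))
    if kind == "DH" and bits < MIN_DH_BITS:
        return (False, f"weak DH group: {bits} bits")
    return (True, f"{kind} {bits} bits")


def evaluate(status, location, s_client_output):
    """Return the list of failed checks; an empty list means both checks pass."""
    results = [check_http_handling(status, location),
               check_key_exchange(s_client_output)]
    return [reason for ok, reason in results if ok is False]


# Constructed observations (not captured from any real host).
BEFORE = (200, None, "Peer signing digest: SHA256\nServer Temp Key: DH, 1024 bits\n")
AFTER = (301, "https://links.example.org/ctt?m=1",
         "Peer signing digest: SHA256\nServer Temp Key: ECDH, P-256, 256 bits\n")

if __name__ == "__main__":
    for name, obs in (("before", BEFORE), ("after", AFTER)):
        print(name, evaluate(*obs) or "ok")
```
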

Thanks Casey! I'm waiting for a reply. Just bumped it, FYI.

Sorry, I missed the above scan link earlier. The "weak DH" issue isn't mentioned explicitly on our policy page, but is definitely an issue. I think maybe the policy page wording is defective, but basically if ssllabs.com isn't showing an A+, it's a fail. I'll amend it a bit to be more explicit about that.

I reran the SSLLabs analyzer on links.e.uso.org today and it still scored a B, looks like for several issues (still including weak DH).

CCogdill_WMF updated the task description. Sep 21 2018, 3:48 PM

@CCogdill_WMF @BBlack there's no change as far as I can see in Trilogy's SSL rating according to Qualys, still a B with the main issues being weak ciphers and weak key exchange. Is there any chance of them improving their security? How do we proceed if not?

I would choose not to proceed with a vendor who cares so little about security. The "Weak DH" issue, in particular, made security headlines back in 2015. Who knows what other security matters they've been ignoring for that long.

@Jgreen @BBlack thanks for bumping this and continuing to check. It does look like the SSL rating has bumped up to an A: https://www.ssllabs.com/ssltest/analyze.html?d=links.e.uso.org Though I'm not sure if that's using the same rating system as Qualys. Has anything changed from your end?

If not, I do hear your concerns. I would like to talk to relevant parties at fr-tech about setting up a way for us to perform easy redirects from donate wiki to other pages, such as the blog, so we can track clicks using our own systems.

@Jgreen @BBlack thanks for bumping this and continuing to check. It does look like the SSL rating has bumped up to an A: https://www.ssllabs.com/ssltest/analyze.html?d=links.e.uso.org Though I'm not sure if that's using the same rating system as Qualys. Has anything changed from your end?
If not, I do hear your concerns. I would like to talk to relevant parties at fr-tech about setting up a way for us to perform easy redirects from donate wiki to other pages, such as the blog, so we can track clicks using our own systems.

Qualys is the same company that hosts SSLLabs, and this is a major improvement. @BBlack do you see any remaining issues with this?

Jgreen added a comment. May 6 2019, 2:54 PM

@BBlack circling back on this, do you still see any issue now after the Silverpop SSL improvements?