MailChimp, what a company. When my company moved our mass-mailing operation to AWS 3 years ago, their mail sending service Mandrill was one of the best in the business with low fees and rich integrated analytics. Then last February they found out their email infrastructure product was allowing competitors to build Mailchimp competitors on top of it and decided to shut it down. We had 60 days to redevelop our apps to use another emailing service, deciding to go with AWS SES in the end.

Once more I must deal with this accursed company, though this time not because they are wasting my development time trying to extract more money from their customers, but because of some very bizarre application security decisions.

It being the summer of ransomware, it was important to send some staff emails reminding them about the dangers of downloading random content from the internet and via email. It was also time to remind staff about the dangers of clicking dodgy and insecure links in general. Fortunately nearly my entire corporate estate consists of forced-https applications, bespoke and as-a-service, because it’s 2017 after all and you don’t want your corporate apps being man-in-the-middled at coffee shops and the like. So our marketing team sends out our cybersecurity reminder email via … MailChimp.

Nothing wrong with that; it has rich click tracking, templating and the like, making it a great marketing platform. But despite all the links in the email pointing to our https://company.extranetservice.com/ secured corporate extranet, MailChimp rewrote them all to http through their click tracker, linking to the online version of the email newsletter at:

http://mailchi.mp/someid/newslettertitle-someid?e=someid

… and linking every extranet link through to:

http://mycompany.us8.list-manage.com/track/click?u=someid&id=someid&e=someid

The email archive link doesn’t even redirect to https, though our custom extranet is of course https-only.
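The practical risk here is easy to miss when proofreading a campaign: the tracked link looks fine in the editor, but the first hop from the recipient's mail client is plaintext, and the tracking URL carries the subscriber identifier (`e=`) and campaign identifiers in the clear for any on-path observer. The following script is an added example, not code from the original post or from Mailchimp: it takes the HTML of a campaign (for instance from a test send to yourself), classifies every link by scheme and host, and lists which subscriber identifiers would cross the wire unencrypted. The tracker host suffixes and the `e` parameter name are taken from the URLs shown in the post; the sample HTML and its ids are constructed.

```python
"""Audit an email campaign's HTML for links that force a plaintext-http hop.

Added example (not the post's or Mailchimp's code). Assumes you can obtain the
campaign HTML before it goes out, e.g. via a test send, and that the tracking
hosts below follow the pattern shown in the post.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts the post shows the click tracker and campaign archive living on.
# Assumption: these suffixes identify "tracker" links; extend for other ESPs.
TRACKER_HOST_SUFFIXES = ("list-manage.com", "mailchi.mp")


class LinkExtractor(HTMLParser):
    """Collect every <a href> value in document order (entities are unescaped)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.links.append(value.strip())


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def _is_tracker_host(host):
    return any(host == s or host.endswith("." + s) for s in TRACKER_HOST_SUFFIXES)


def classify_link(href):
    """Return 'ok' (https), 'http-tracker', 'http-direct' or 'other'."""
    u = urlparse(href)
    scheme = u.scheme.lower()
    if scheme == "https":
        return "ok"
    if scheme == "http":
        host = (u.hostname or "").lower()
        return "http-tracker" if _is_tracker_host(host) else "http-direct"
    return "other"  # mailto:, tel:, relative links and so on


def audit(html):
    """Group every link in the campaign by classification, preserving order."""
    report = {"ok": [], "http-tracker": [], "http-direct": [], "other": []}
    for href in extract_links(html):
        report[classify_link(href)].append(href)
    return report


def plaintext_subscriber_ids(html, param="e"):
    """Subscriber identifiers (the 'e=' parameter in the post) that would be
    sent over plaintext http, i.e. readable by anyone on the path."""
    ids = set()
    for href in extract_links(html):
        if classify_link(href) not in ("http-tracker", "http-direct"):
            continue
        ids.update(parse_qs(urlparse(href).query).get(param, []))
    return ids


# Constructed sample modelled on the rewritten links described in the post.
# Every id here is a placeholder.
SAMPLE_HTML = """
<p>View this email in your browser:
<a href="http://mailchi.mp/abc123/security-reminder-abc123?e=sub456">online version</a></p>
<p><a href="http://mycompany.us8.list-manage.com/track/click?u=u1&amp;id=i1&amp;e=sub456">Read the policy</a></p>
<p><a href="https://company.extranetservice.com/policy">Untracked direct link</a></p>
<p><a href="mailto:security@example.com">Questions?</a></p>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_HTML)
    for category, links in report.items():
        for href in links:
            print(f"{category:13} {href}")
    exposed = plaintext_subscriber_ids(SAMPLE_HTML)
    if exposed:
        print("subscriber ids exposed over plaintext http:", sorted(exposed))
```

Run it against the HTML of a test send before approving a campaign; any entry under `http-tracker` or `http-direct` means a recipient's click leaves their mail client unencrypted regardless of where the link finally lands, and any id listed at the end is readable by whoever sits between the recipient and the tracker.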


Of course both links already support https; it’s just that Mailchimp chooses to link to http rather than https for some reason. Taking this up with technical support:

Me: because access passes through http, https security is broken

Agent: Okay, if that’s your main concern, then what I would recommend doing is turning off click tracking in order to stop the redirect.

Eventually they suggested using someone else’s click tracking:

Agent: So I did some additional research, and it looks like this is expected behavior for our click tracking. What I would recommend doing here, instead of using our click tracking would be to try Google Analytics tracking in order to obtain subscriber behavior data to avoid our redirecting.

However, I pressed the issue:

I do want to assure you that the security of the application is of the utmost priority. As it stands right now, this would be the expected behavior when click tracking is enabled within a campaign to route through http. As I mentioned, our developers are currently gathering feedback on this behavior and I’ll be sure to pass along the details of this ticket to them.

So there you have it. Taking your perfectly good https links and rewriting them to http is “expected behaviour”.

What a bunch of amateurs.

Discussion on /r/sysadmin/ seems to agree with me that MailChimp is bad and should feel bad.