Sunday, January 22, 2012

Secure click-tracking with base-64 encoded URLs and MD-5 hashing

We have introduced two new settings that control how click-tracked URLs appear in your email campaigns.  The new settings, base-64 encoding and MD-5 hashing, make click-tracked links look more professional and operate more securely. When an email campaign has click tracking on, the URLs are converted into trackable URLs that typically look like this:
This URL is problematic because it exposes the destination URL and is subject to alteration by a malicious phisher.  We've introduced two new settings, the ability to base-64 encode the URL so that it doesn't reveal the destination URL and another to add an MD-5 hash, such that the redirect to the URL will fail unless the hash matches the URL.

A click-tracked URL that is both base-64 encoded and includes the MD-5 hash will look like this.  Notice the addition of the h= parameter and that the l= parameter is now a base-64 string:

A click-tracked URL that is NOT base-64 encoded but includes the MD-5 hash will look like this:

Base-64 encoded URLs look more professional and give recipients greater confidence when clicking. Un-encoded URLs clearly show one URL that has another URL as a parameter, and the appearance of this structure can prevent a recipient from clicking it. The addition of the MD-5 hash prevents tampering with the destination URL.  If the l= parameter is altered, and the link contains the hash, then the user will NOT be redirected to the destination URL.

To set click-track settings, go to Settings --> Tracking --> Click Tracking

Note that this setting applies to click-tracked links in both broadcast email campaigns and transactional email messages. Also note that in the examples above, a branded tracking-domain,, is used.  We recommend that all of our users setup a branded tracking-domain based on their organization's domain.  To read why, see this blog post on tracking domains.

All new JangoMail accounts will have both of these settings on by default.  We recommend that you enable both settings on your own, but in case you don't, all existing accounts will have these two settings enabled automatically over the next few weeks..