Encrypt subscriber emails in unsubscribe url

edited June 2013 in Troubleshooting

Currently the unsubscribe link contains an unencrypted email address in the URL. This URL can be accessed by anyone to unsubscribe anyone else. Is there some (even basic) encryption that could be done on the email address when passed into the URL to prevent this from being so obvious? Or maybe some use of the database to tag or salt user email addresses?

Comments

  • Ben
    edited March 2015

    Hi @blasthaus,

    Sendy encrypts all IDs and emails in the URL with the AES-256-CBC encryption method (used by the U.S. government to encrypt top secret documents) using openssl_encrypt / openssl_decrypt and hashed with your API key.

    If you see the email address in the URL, that means your PHP version is either lower than 5.3 or your PHP does not have OpenSSL support. I checked and saw that you are on PHP 5.3.2, so it's not that. So I checked your PHP info and saw that you do not have OpenSSL.

    You need to install OpenSSL if you want emails and IDs to be encrypted with openssl_encrypt / openssl_decrypt.

    Thanks.

    Best regards,
    Ben

  • Ben
    edited June 2013

    Once you have OpenSSL installed for PHP, your unsubscribe link will look something like this:

    http://yoursendyurl.com/unsubscribe/RrwK2sSKkabBGSVzMTAccs/Krj8dTHThDtKjEwbnUr6WV/EnTWWjr2JgBRy3Jzu9aZGt
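
An added example, not part of the thread and not Sendy's code: one way to build an unsubscribe token with `openssl_encrypt` and AES-256-CBC that fails closed when the OpenSSL extension is missing, instead of putting the plain address in the link. The function names, the token layout, the HMAC step (CBC alone does not detect tampering) and the sample key and address are assumptions; it targets PHP 7.1 or later.

```php
<?php
// Added illustration; names and token layout are hypothetical, not Sendy's.

function derive_keys(string $apiKey): array {
    // Two independent 32-byte keys derived from the API key: encryption and MAC.
    return [hash_hmac('sha256', 'enc', $apiKey, true),
            hash_hmac('sha256', 'mac', $apiKey, true)];
}

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    $padded = $txt . str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

function make_token(string $email, string $apiKey): string {
    if (!extension_loaded('openssl')) {
        // Fail closed: never fall back to a plaintext address in the URL.
        throw new RuntimeException('OpenSSL extension is not loaded');
    }
    [$encKey, $macKey] = derive_keys($apiKey);
    $iv = random_bytes(16);                      // fresh IV for every link
    $ct = openssl_encrypt($email, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return b64url_encode($iv . $ct . $mac);      // layout: IV | ciphertext | MAC
}

function read_token(string $token, string $apiKey): ?string {
    [$encKey, $macKey] = derive_keys($apiKey);
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) < 64) {   // 16 IV + 16 block + 32 MAC
        return null;
    }
    $iv = substr($raw, 0, 16);
    $ct = substr($raw, 16, -32);
    $mac = substr($raw, -32);
    // Verify the MAC in constant time before decrypting anything.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed sample values.
$token = make_token('subscriber@example.com', 'constructed-api-key');
var_dump($token, read_token($token, 'constructed-api-key'));
```

Running `php -m` and looking for `openssl` in the output confirms whether the extension Ben refers to is loaded on the server.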

This discussion has been closed.