Encrypt subscriber emails in unsubscribe url
Currently the unsubscribe link contains an unencrypted email address in the url. This url can be accessed by anyone to unsubscribe anyone else. Is there some (even basic) encryption that could be done on the email address when passed into the url to prevent this from being so obvious? Or maybe some use of the database to tag or salt user email addresses?
This discussion has been closed.
Comments
Hi @blasthaus,
Sendy encrypts all IDs and emails in the URL with AES-256-CBC encryption method (used by the U.S. government to encrypt top secret documents) using
openssl_encrypt/openssl_decryptand hashed with your API key.If you see the email address in the URL, that means your PHP version is either lower than 5.3 or your PHP does not have OpenSSL support. I checked and saw that you are on PHP 5.3.2, so it's not that. So I checked your PHP info and saw that you do not have OpenSSL.
You need to install OpenSSL if you want emails and IDs to be encrypted with
openssl_encrypt/openssl_decrypt.Thanks.
Best regards,
Ben
Once you have Open SSL installed for PHP, your unsubscribe link will look something like this:
http://yoursendyurl.com/unsubscribe/RrwK2sSKkabBGSVzMTAccs/Krj8dTHThDtKjEwbnUr6WV/EnTWWjr2JgBRy3Jzu9aZGt