Skip to content

MailChimp, Secure Forms, and owning mistakes

mc_freddie_color_webDear Reader,

 

Screen Shot 2016-03-30 at 9.25.34 AM

So yesterday (March 29th, 2016) I started a small crap-storm on twitter directed at one of my favorite SaaS vendors, MailChimp. I didn’t mean to, I really do like MailChimp. I’ve been using them since ~2009 and find their service to be awesome. However, As you can see from my tweet, I couldn’t figure out how to make the signup form for Nomad PHP secure.

At first, do no harm

The problem arose when the person running @mailchimp answered and informed me that even though the URL wasn’t secure, the information was securely transmitted the server. I would show a picture of that tweet as well but @mailchimp has removed it. The information passed was of course, wrong.  If the URL is not secure, the information being sent is being transmitted across the wire in clear text. If at this point, you are not sure what the difference between HTTP:// and HTTPS:// is, read “How does HTTPS provide security?”.

The problem is, not only did I know it was wrong, those people who follow me and @mailchimp also knew it was wrong. What followed was a dogpile on @mailchimp, which was not my intent, but then again, I didn’t ask them to give false info either. Honestly, I just wanted to know how to get an encrypted URL to the form for people to join the list.

The answer

Later in the day – I’m not sure if no technical people noticed, or if they just wanted to let things die down – @mailchimp did eventually give me the answer I needed. To their credit, they owned the mistake that was made earlier in the day as well.  If you don’t use MailChimp to manage your mailing lists, this section won’t be of much interest to you.

First, I am talking about a specific type of form, MailChimp’s “General Forms”. These are the forms that are hosted on MailChimp’s servers and they just give us a URL to pass out.

To get there, log into your account and select a list.

screenshot_001

From there select “Signup Forms” to get to this screen.

screenshot_002

And from there, select “General Forms”. You’ll get a screen that among other things shows you the “Signup form URL”. This is what all the fuss is about.

screenshot_003

 

Notice, it’s not secure. When they finally did answer, @mailchimp told me to replace the domain with “list-manage.com” and then I could use https://.

Screen Shot 2016-03-30 at 9.54.29 AM

So I took them at their word, using the info from the screen above, I tried:

https://list-manage.com/bxaPaD

This did not. I simply replaced eepurl.com with list-manage.com and added the s to https://. The instructions were as clear as they could make them in 140 chrs, which is to say, they left out a step.  eepurl.com is MailChimp’s URL shortener. It will not – and apparently never will – handle encrypted URLs. However, Nomad PHP’s eepurl resolves to http://nomadphp.us1.list-manage.com/subscribe?u=b39a511bbe71aa74d27241bb6&id=193666c7d7 and that page is encrypted. A sad note, not all of the elements on the page are encrypted, so even thouhg the data being sent back to the server is encrypted, the page won’t get a “Green Lock”. MailChimp, can we do something about this?

tl;dr

If you use Mailchimp and want to pass around a secure URL so that people can join your mailing list, take the eepurl, paste it into a browser and let the page load, then take that URL and add https:// . Since in Nomad PHP’s case, the form is actually hosted at list-manage.com, I didn’t need to make any changes. It is my understanding that this is not always the case. So make sure that if your forms doesn’t resolve to list-manage, that you change the domain as well.

 

fClose()

Ok, back to the crap storm. MailChimp did not shy away from their mistake, unlike a lot of companies I deal with, they owned it.

Screen Shot 2016-03-30 at 10.07.34 AM

They could have “Clarified” the response, they could have ignored it totally and just kept going. MailChimp did the right thing. While I am bummed that I didn’t get a screenshot of the offending tweet, I actually do appreciate the fact that they deleted it instead of just leaving bad info out there for unsuspecting muggles to run across.

I deal with MailChimp not because they are flawless in their execution – far from it, they pissed me and a bunch of others off recently with their changes to Mandrill – but because when they are wrong, they own it. I respect that, I aspire to that.

I aspire to treat my customers with the same candor. With Nomad PHP, Day Camp 4 Developers, and all my other endeavors, I try to be honest with my customers and own my mistakes.Whether this takes the form of a public apology or a refund to someone who wasn’t 100% satisfied that I delivered what I promised, I would rather take the hit financially or ego-wise than have someone think I wronged them.

Thank you MailChimp for leading the way.

Until next time,
I <3 |<
=C=