by asterius 3034 days ago
If you look at https://track.emirates.email you will see that it isn't emirates either, but a service provided by Mandrill, an add-on for MailChimp, and the cert is valid for https://mandrillapp.com. Surely they could have figured out how to use SNI.

The fact that your mail client / embedded browser takes you happily to sites with broken certs, giving them a tracking token (and in this case, total access to your booking) is also quite a problem.

1 comments
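The mismatch described in the comment above (a certificate issued for mandrillapp.com served on track.emirates.email) is exactly what a browser's hostname check rejects. The following is an added example, not code from the thread, from Mandrill or from Emirates: it implements the RFC 6125-style matching that browsers apply to the certificate's DNS Subject Alternative Names, and a small helper that performs the same check against a live host while sending SNI. The SAN list `MANDRILL_SANS` is a constructed assumption for illustration, not the real certificate's contents.

```python
import socket
import ssl

# Constructed sample input: the DNS SANs a browser might read from the Mandrill
# certificate the comment mentions. This is an assumption for the example, not
# the live certificate.
MANDRILL_SANS = ["mandrillapp.com", "*.mandrillapp.com"]

# The error string Chrome shows for this failure (quoted later in the thread).
CHROME_NAME_MISMATCH = "NET::ERR_CERT_COMMON_NAME_INVALID"


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """Return True if `hostname` is covered by one of the certificate's DNS SANs.

    Mirrors the browser rules: case-insensitive, exact label-by-label match, and
    a wildcard is accepted only as the whole left-most label (``*.example.com``),
    matching exactly one label and never a public suffix such as ``*.com``.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if pat_labels == host_labels:
            return True
        if (
            pat_labels[0] == "*"
            and len(pat_labels) >= 3            # reject "*.com"-style wildcards
            and len(pat_labels) == len(host_labels)  # wildcard spans one label only
            and pat_labels[1:] == host_labels[1:]
        ):
            return True
    return False


def browser_verdict(hostname: str, san_dns_names) -> str:
    """What a browser would do for this host/certificate pair: 'OK' or the
    Chrome error name for a hostname mismatch."""
    return "OK" if hostname_matches(hostname, san_dns_names) else CHROME_NAME_MISMATCH


def live_check(hostname: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect to `hostname` with SNI set (server_hostname) and full verification.

    Returns (True, subject_alt_names) when the served certificate matches, or
    (False, error_text) when verification fails, e.g. because the host serves a
    certificate for another name. Requires network access; not used offline.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, sans
    except ssl.SSLCertVerificationError as exc:
        return False, str(exc)
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection/TLS failure: {exc}"


if __name__ == "__main__":
    # Offline demonstration on the constructed SAN list.
    for host in ("mandrillapp.com", "api.mandrillapp.com", "track.emirates.email"):
        print(f"{host:28s} -> {browser_verdict(host, MANDRILL_SANS)}")
```

Running the script offline prints `OK` for the two Mandrill names and `NET::ERR_CERT_COMMON_NAME_INVALID` for track.emirates.email; `live_check("track.emirates.email")` would perform the same verification against the real server, with SNI sent so that a multi-tenant host has the chance to present the right certificate.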

Exactly. Given that the URL does not have any expiry (apart from the end of the booking), the email provider, in this case Mailchimp, would also have access to the same.

As for why the browser did not redirect on the broken cert, that is because the link sent in the email was over HTTP.

I tested going to an https link via Gmail. On desktop Chrome, it immediately opens the link (and hence passes the link parameters). On mobile it pops up a privacy error, "Attackers might be trying to steal your information" (NET::ERR_CERT_COMMON_NAME_INVALID), which is certainly the right thing to do. Still have to try it on Office365 and Outlook.

Strange, I always encounter `NET::ERR_CERT_COMMON_NAME_INVALID` even on Gmail with Chrome. What's your test setup?

Doh, you're right. I looked at the site earlier and forgot to click on the red triangle and click "re-enable warnings". Mea culpa.

I checked Firefox and it works correctly too.