[kkm]

Exactly, the fact that the url does not have any expiry (apart from the end of booking), the email providers in this case Mailchimp would also have access to the same.

For the case why browser did not redirect the broken cert, that is because the link sent in the email was over http.

[asterius]

I tested going to a https link via gmail. On desktop chrome, it immediately opens the link (and hence passes the link parameters). On mobile it pops up a privacy error, "Attackers might be trying to steal your information" (NET::ERR_CERT_COMMON_NAME_INVALID), which is certainly the right thing to do. Still have to try it on Office365 and Outlook.

[kkm]

Strange, I always encounter `NET::ERR_CERT_COMMON_NAME_INVALID` even on Gmail with Chrome. What's your test setup?

[asterius]

Doh, you're right. I looked at the site earlier and forgot to click on the red triangle and click "re-enable warnings". Mea culpa.

I checked firefox and it works correctly too.