BugAlertDotOrg / bugalert

MIT License
207 stars, 20 forks

Non-HTTPS Link for Donations in Alert Emails #49

Closed mvastola closed 2 years ago

mvastola commented 2 years ago

See https://bug-alert.slack.com/archives/C02TBUW5NKB/p1648664439269079

The click tracking service used in emails about security vulnerabilities seems to only be used on the donation link and is hosted at http://url7360.bugalert.org/. This domain, however, is not available via HTTPS (at least not with a certificate that browsers will accept -- the domain names on the cert don't include url7360.bugalert.org). Further, if you manually accept that cert, the HTTPS connection will send an HSTS header, preventing further access to this domain (via HTTPS or otherwise).

Possible remedies include:
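The checks a sender would run against its own outgoing templates for the problem described above, as an added example that is not part of bugalert or of this thread: find every plain-HTTP link in an email body, verify offline that a certificate's SAN list actually covers a given hostname, parse an HSTS header, and optionally probe a host live. The sample email body, the placeholder tracking URL, and the helper names `plain_http_links`, `hostname_matches`, `parse_hsts`, `probe_https` and `audit_email` are all constructed here and are not bugalert's or SendGrid's code.

```python
"""Audit an outgoing notification email for plain-HTTP links and check whether
the hosts behind them serve usable HTTPS (cert covers the name, HSTS present).
Added example for this issue thread; not bugalert's or SendGrid's own code."""
import sys
import ssl
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an alert email body. The tracking hostname is the one
# reported in the issue; the path and token are placeholders, not a real link.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>A new vulnerability has been published.</p>
<a href="https://bugalert.org/advisory-placeholder">Read the advisory</a>
<a href="http://url7360.bugalert.org/track?id=TRACKING-TOKEN-PLACEHOLDER">Donate</a>
<a href="https://bugalert.org/unsubscribe-placeholder">Unsubscribe</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect every href on an <a> tag, in document order."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def plain_http_links(html):
    """Every href that would start an unencrypted request when clicked."""
    return [u for u in extract_links(html) if urlparse(u).scheme.lower() == "http"]


def audit_email(html):
    """Offline part of the audit: the distinct hosts reached over plain HTTP."""
    return sorted({urlparse(u).hostname for u in plain_http_links(html)})


def hostname_matches(hostname, san_dns_names):
    """RFC 6125-style check: exact match, or a wildcard in the leftmost label
    only (so '*.bugalert.org' covers 'url7360.bugalert.org' but not
    'bugalert.org' or 'a.b.bugalert.org')."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # e.g. ".bugalert.org"
            if host.endswith(suffix):
                leftmost = host[:-len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        key, _, value = directive.strip().partition("=")
        key, value = key.lower(), value.strip().strip('"')
        if key == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    return policy


def probe_https(hostname, port=443, timeout=5.0):
    """Live check (needs network): does the host present a chain and name that
    the default context accepts, and does it send HSTS? Returns findings."""
    findings = {"host": hostname, "cert_valid_for_host": False, "hsts": None, "error": None}
    ctx = ssl.create_default_context()  # verifies chain and hostname on handshake
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                findings["cert_valid_for_host"] = True
                request = f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
                tls.sendall(request.encode("ascii"))
                head = tls.recv(65536).decode("latin-1", "replace")
                for line in head.split("\r\n")[1:]:
                    name, _, value = line.partition(":")
                    if name.strip().lower() == "strict-transport-security":
                        findings["hsts"] = parse_hsts(value.strip())
    except (ssl.SSLError, OSError) as exc:
        findings["error"] = str(exc)  # SAN mismatch surfaces here as a verify error
    return findings


if __name__ == "__main__":
    for host in audit_email(SAMPLE_EMAIL_HTML):
        print("plain-http link host in template:", host)
    # Pass your own sending/tracking hosts on the command line to probe them live.
    for host in sys.argv[1:]:
        print(probe_https(host))
```

Run without arguments it only inspects the embedded template; pass a hostname to have `probe_https` attempt a verified TLS handshake and report either the HSTS policy or the verification error, which is the same failure a browser would hit on a tracking subdomain whose certificate does not list it.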

sullivanmatt commented 2 years ago

url7360.bugalert.org is maintained by SendGrid (CNAME) for link tracking stuff. Attempted to turn off link tracking entirely, but the notice was still sent out with the tracking URL replacing the URL baked into the actual message template. Needs further investigation into how to disable.

sullivanmatt commented 2 years ago

Fixed in SendGrid