Tracking links should be entirely over HTTPS
All emailed links from QuickBooks should have a secure endpoint. Every QuickBooks-generated email I receive to an invoice has only the tracking link—one that starts with http://links.notification.intuit.com/.../. That initial link is unencrypted and therefore the data transmitted between my browser and the server is sent in the clear. My default browser is set to block all unencrypted connections and tries to redirect to an HTTPS alternative, which links.notification.intuit.com does not seem to have. This causes me to open up a browser I don't typically use, without the configured security, so I can get the URL to which the tracking link resolves (i.e. https://connect.intuit.com/.../). At the very least, please add a TLS certificate to links.notification.intuit.com.
-
Kyle K commented
This issue is due to usage of SendGrid click tracking. Unless SSL is enabled in SendGrid, this error will continue to arise as the click tracking link is http. Had to manually bypass the unencrypted/certificate message in Chrome in order to pay a vendor. My wife is not very computer savvy and immediately closed the browser and accused the vendor of trying to scam us. If I were a vendor I would reconsider using QuickBooks as this is amateur software engineering.
-
BD commented
100%. The entire system screams 'sketchy' when that 'unsecure connection' pops up. Considering this entire platform is designed to deal with finance on multiple levels, why the invoicing links don't have an https screams that the company isn't taking security seriously. Or is working with tech that's years old. Please fix this folks.
-
PD commented
The email message has an http link instead of an https link. Are we in 1998? Sure, it resolves to an https link eventually but the opportunity for a man-in-the-middle attack exists from the first click in the email.
You'd think that Intuit understands security. You'd apparently be wrong.
-
Cindy Brown commented
It is very surprising and disappointing for a company like Intuit, dealing with personal and business finance, not to be using HTTPS by default, especially in links to pay invoices. It may seem unimportant in a tracker link but it is quite the opposite.
-
Kevin Le commented
My customers are also having issues with these links.
-
Jared Marcotte commented
This seems like an easy fix. Considering the general focus on cybersecurity these days, I'm surprised that this hasn't been dealt with as of yet.
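
Added example, not part of the original post or any comment and not Intuit's or SendGrid's code: a pre-send check a sender could run over an outgoing email's HTML to catch the cleartext tracking links the thread describes, including tracking pixels and mixed-case schemes. The hosts, paths and `PLACEHOLDER` values in the sample are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an invoice email whose pay button and open-tracking
# pixel go through a click-tracking host over plain http (placeholder hosts).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your invoice is ready.</p>
<a href="http://links.mail.example/track/click?id=PLACEHOLDER">Review and pay</a>
<a href="https://pay.example/invoice/PLACEHOLDER">View in browser</a>
<a href="mailto:billing@vendor.example">Contact us</a>
<img src="http://links.mail.example/track/open?id=PLACEHOLDER" width="1" height="1">
<a href="HTTP://Links.Mail.Example/unsubscribe">Unsubscribe</a>
</body></html>
"""

# Tag/attribute pairs that make the mail client or browser fetch a URL.
URL_ATTRS = {("a", "href"), ("img", "src"), ("form", "action")}


class LinkCollector(HTMLParser):
    """Collects (tag, url) pairs from URL-bearing attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in URL_ATTRS and value:
                self.urls.append((tag, value.strip()))


def find_cleartext_links(html):
    """Return every URL in the email body that would be fetched over http."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.urls:
        parts = urlsplit(url)  # scheme and hostname come back lowercased
        if parts.scheme == "http":
            findings.append({"tag": tag, "host": parts.hostname or "", "url": url})
    return findings


def hosts_needing_tls(html):
    """Distinct hosts that must serve HTTPS before the links can be upgraded."""
    return sorted({f["host"] for f in find_cleartext_links(html)})


if __name__ == "__main__":
    for finding in find_cleartext_links(SAMPLE_EMAIL_HTML):
        print(f"cleartext <{finding['tag']}> -> {finding['url']}")
```

Failing the send, or the template build, when `find_cleartext_links` returns anything keeps an http first hop from reaching recipients even when the final destination is HTTPS.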