Just see what tracking goes on on some zimbra webmail client

Viruses and worms
1

On a https webmail site I found the following tracking code: (clicktale.pantherssl.com|clicktalecdn.sslcs.cdngc.net)
Now I have found that this is a domain for which we have a https only re-write: https://www.eff.org/https-everywhere/atlas/domains/clicktale.com.html
I worked the tracker tracker on what uri’s that re-write has.
And I entered:
-clicktalecdn.sslcs.cdngc.net
-clicktale.pantherssl.com
-cdn.clicktale.net
-s.clicktale.net
-clicktale.com
-https://www.clicktale.com
-https://clicktalecdn.sslcs.cdngc.net
-https://www$1.clicktale.net
-https://clicktale.pantherssl.com

Please see the interesting tracking report attached.

I think a lot of users that open their zimra webmail aren’t aware of what goes on on that https website.

polonus (volunteer website security analyst and website-error hunter)

2

Conclusion even where you open up and send webmails is being used for Google Dynamic Remarketing purposes,
that means they (Google and your ISP) are marketing every click of you on the Interwebs.

polonus

3

And this a very innovative player here in Dynamic Adware Remarketing -Marketo’s
-https://munchkin.marketo.net/munchkin.js The American Lead Tracker, ;D

polonus

4

There is additional tracking threats coming from websites that are re-written to fit https-everywhere.
Checking for instance: https://postview.c-and-a.com
Could not determine the primary certificate for the web server.
For the main domain we arrive at a “the domain name does not match the certificate common name or SAN” error.
Site- No (website: c-and-a.com is not listed in the certificate)
Organization: AT&T Global Network Services Nederland B.V.,US
ssl/http IBM HTTP Server (Derived from Apache)
Warning| http-methods: Potentially risky methods: TRACE
this may not all be a security risk
ssl-cert: Subject: commonName=www.c-and-a.com/organizationName=C & A Online GmbH/stateOrProvinceName=Nordrhein-Westfalen/countryName=DE
no tracking objects, only Web analytics: blocked 1
widgets for browser update and Google Tag Manager
Tracker Tracker confirms: www.googletagmanager.com www.googletagmanager.com widget 1283 2516 2015-03-04 14:07:21 .googletagmanager.com nil Google Tag Manager
This being blocked by HTTP Switchboard extension for me in Google Chrome.

polonus