Opening "Get Started" in a new tab replaces parent home page with an HTTP-only page about website HOT 5 CLOSED

Why this is bad

While example.com is one of the domains reserved by IETF in 1999 for use as example, it resolves to an actual server, managed by IANA which serves a page over HTTP as well as HTTPS.

The domain DNS records are signed using DNSSEC, but it does not protect browsers from a Man-In-The-Middle attack since the page is served over HTTP in this case.

The page example.com could then be replaced by a malevolent actor with a page that silently redirects to a slightly modified version of letsencrypt.com for nefarious purpose.

from website.

The onclick handler in index.html:11 is set to onclick="goog_report_conversion('http://example.com/your-link')", which should be changed to (probably) https://letsencrypt.org/getting-started/.

from website.

The goog_report_conversion function is defined in an inline script in index.html, which gives, after adding missing indentation at the end:

  goog_report_conversion = function(url) {
    goog_snippet_vars();
    window.google_conversion_format = "3";
    var opt = new Object();
    opt.onload_callback = function() {
      if (typeof(url) != 'undefined') {
        window.location = url;
      }
    }
    var conv_handler = window['google_trackConversion'];
    if (typeof(conv_handler) == 'function') {
      conv_handler(opt);
    }
  }

The function defines a callback function which is provided to window['google_trackConversion'] function as the property onload_callback of an options object.

This is where the window location is modified, but only if a url has been provided.

    onload_callback = function() {
      if (typeof(url) != 'undefined') {
        window.location = url;
      }
    }

Thus, removing the parameter altogether should avoid the redirection.

from website.

Note: The snippet seems to come from this page, which describes different patterns of application:

• Add the code to a text link: the onclick handler is on the same <a> element as the href
• Add the code to a button: the onclick handler is set to a button, with or without a href attribute
• Add the code to an image: the onclick handler is set to an image

In the Let's Encrypt home page, the onclick handler has been set to a parent <div> element, which contains a child <a> with the target href.

from website.

The same documentation page for the tracking snippet emphasizes that tracking on page load is the preferred method. The tracking on click is only advised in the case of links to 3rd party pages or to track actions that do not result in a page load (file download, phone call, etc.)

from website.