1. 3
  2. 2

    To be honest, I think … this makes sense; I can certainly see how this would protect users.

    If Google wants to know which links are being used in emails then they can already grep them out of there. With this they can also know which links you’re clicking, but what value does Google have in keeping detailed logs for this? I’m not saying there aren’t large privacy issues with Google and its services, but I also think we should be careful to not see everything as part of a big conspiracy on Google’s part. Sometimes these features which could potentially be used to gather data are being added for entirely valid reasons.

    I suppose it’s mostly a matter of trust, combined with a lack of effective regulatory oversight. We don’t really know what data Google is or isn’t keeping from this service, and there are good reasons to not trust Google, but it seems to me efforts are better spent fixing the root issues rather than antagonizing against valid features.

    I don’t see how this is a security concern. And the signature can easily be fixed by just editing the email again (and also a fairly rare concern, although in light of the Hunter Biden email story of last week perhaps it shouldn’t be, at least not for high-profile individuals, but that’s a different issue).

    1. 1

      Outlook does this and it bugs me immensely. It obfuscates the links, but it’s vulnerable to time-of-check-to-time-of-use attacks. If I send you a link to https://my-evil-domain.example, I can serve different content based on the requester. I can send a picture of kittens to the Microsoft / Google / whoever link checking service (which typically runs from a fairly predictable IP range and may also send an identifiable user-agent string) and then malware to you. More easily, if I know you’re on Outlook / GMail and I’m sending a personal link, I can just send the kittens to the first access and the malware on the second one.

      1. 2

        Are there actual cases of this happening? It seems to me that Google is not so foolish as to not recognise this as a problem (and implement appropriate counter-measures) if this is wide-spread, so I’m not sure how realistic of a concern this is, or what they’re doing to mitigate it.

        Besides, it’s not like Google will report a link as “verified safe” so even if some links bypass this with this method, nothing really is lost. The check is ineffective, but it’s not extra harmful.

        1. 1

          > Are there actual cases of this happening? It seems to me that Google is not so foolish as to not recognise this as a problem (and implement appropriate counter-measures) if this is wide-spread

          I don’t know if it’s happening in the wild, but it’s an attack that is intrinsic to this kind of check and cannot be fixed without implementing the checks on the client rather than via a redirect. Antivirus vendors still implement system-call interposition using frameworks that were shown to be vulnerable to a similar kind of time-of-check-to-time-of-use vulnerability almost 20 years ago, so I’m much less optimistic than you.

          > Besides, it’s not like Google will report a link as “verified safe” so even if some links bypass this with this method, nothing really is lost. The check is ineffective, but it’s not extra harmful.

          The rewriting obfuscates the original URL, so you lose the ability for the user to make judgements about the thing they’re clicking on - you’re training them that everything is safe and the mail service will protect them from bad things.

          1. 1

            > The rewriting obfuscates the original URL, so you lose the ability for the user to make judgements about the thing they’re clicking on - you’re training them that everything is safe and the mail service will protect them from bad things.

            Right, this is a good point I hadn’t considered.

            I suppose it’s a trade-off: how many attacks are thwarted by people looking at the URL, and how many are thwarted by this service? I don’t really have an answer to that, but considering that most people are very far from experts on these kinds of things – and even experts can have moments of inattention or make mistakes – it seems to me that some automated solution would probably be more effective (but I don’t really have any hard data to back that up). That doesn’t necessarily mean that this is the best automated solution of course.

    2. 2

      I think this (by all accounts) looks like a terrible feature that needs to be buried. Cool URIs don’t change, and cool URIs should not be changed by someone merely delivering email.

      If such a feature would be attractive to individual users, Google could instead use JavaScript to rewrite URLs in the browser ‘live’. By forever rewriting the body of the mail Google creates an eternal dependency on a temporal service. A hundred years from now, the mail archive you dig up would contain dead links. That is not robust. Also, visiting the link now is time stamped, even when it is forwarded to non-Google users. I’ve seen the Microsoft link-checked URL even show up on websites, if people do not carefully copy and paste into e.g. their CMS.

      From a privacy perspective I find such behaviour not acceptable.