1. 18

  2. 22

    A more serious problem: the text the browser shows when you hover over a link can’t be trusted. The website can swap out the href right as you click it. Google search does this, for instance.

    For a demo, see here.

    1. 11

      This raises an interesting point and one that I think browsers could address. Much like they carefully craft information display to help people recognize being on genuine/secure sites, one can imagine a browser feature where if the link text contains a link and that link doesn’t match the href, a warning is displayed.

      1. 3

        It’s honestly somewhat shocking that with the amount of thought that goes into other browser security features, this one was overlooked. This also feels particularly dangerous in HTML email.

        1. 1

          I like the idea. I’m somewhat concerned about false positives with URLs that don’t match but redirect or even with typos. So the warning has to take that into account and shouldn’t be too scary. Or you need to perform a request to detect redirects or implement a heuristic etc, but all that is prone to mistakes.

          This is likely more fun on mobile which doesn’t have a mouseover (do people still check that?)

          1. 1

            Facebook’s tracking links would break. Probably a good thing, but I’m not sure everyone will agree.

            1. 1

              It could be presented in a way that just makes that more obvious and gives the user the choice to follow the displayed link or the href. Then users could choose to be tracked or not. Definitely with you that it’s a good thing and that not everyone will think that—clearly the people who make trackers think they’re okay at least.

              1. 1

                Same with the links in google search results, twitter (t.co), slack, …

            2. 7

              This article actually made me consciously aware that I habitually hover my mouse cursor over a link before clicking it, to see what the pop-up at the bottom of the screen says is the real URL. I did this before I clicked the link, like I have apparently trained myself to do with any link over many years of browser usage, and immediately noted that the link was to a different page on this person’s site rather than the wikipedia article. I thought for a moment that the “real” trick might be faking the text in that pop-up, but that wasn’t it.

              1. 4

                I do this as well, but you can bypass this with JavaScript: a user will see a different link on hover than the one you navigate to after clicking it.

                1. 2

                  When I’m feeling particularly distrusting (i.e. by default, when not on a site I’m pretty confident won’t be engaging in such sleaziness), I often opt for a right-click (or perhaps even a shift-right-click as I recently learned can be used to bypass right-click interception fuckery), copy the link, and paste it into a new tab as an extra line of defense.

              2. 5

                I used to use this trick to rickroll people. Good times, good times

                1. 3

                  At the very least, FairMail on Android is checking it for e-mails.

                  When you click a URL link, it shows a warning popup if the address is different from the text (common in newsletters, where it says “if you don’t see the button follow this link” but the link is proxied thru a click tracker).

                  1. 3

                    Am I mistaken or does Thunderbird handle this well? Our emails go through urldefense.proofpoint.com, and sometimes, if the text is the original link, it shows a pop-up asking me which link I want to go to–the original, or the proofpoint proxy.

                    1. 1

                      This isn’t just a problem with browsers/the web: at $dayjob we’ve received a number of spam mails that tried that trick. I wrote a hacky regex to feed to our spamfilter that recognizes the simple cases of mismatched text<->href. Ah, the joys of “parsing” HTML with regex; t’was fun.
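The check described in this thread (the proposed browser warning, the FairMail/Thunderbird behaviour, and the spam-filter regex in the comment above) can be implemented with a real HTML parser rather than a regex. The following is an added example written for this page, not code from any commenter, FairMail, Thunderbird or Proofpoint. It uses only the Python standard library; the sample HTML, the `_URLISH` pattern and the function names are constructed for illustration. It flags any anchor whose visible text looks like a URL or bare hostname but whose `href` resolves to a different host, which is exactly the newsletter and phishing case discussed above; plain-word link text ("Wikipedia article") is left alone because there is nothing to compare.

```python
"""Flag <a> elements whose visible text looks like a URL but whose href points
at a different host (constructed example, standard library only)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Rough "this text looks like a URL or hostname" test. This pattern is an
# assumption for the example, not a complete URL grammar.
_URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#:]\S*)?$", re.I)


def _host_of(text: str) -> Optional[str]:
    """Return the lowercase hostname named by a URL-ish string, else None."""
    text = text.strip()
    if not _URLISH.match(text):
        return None
    if "://" not in text:
        text = "http://" + text  # bare "example.com/docs" still names a host
    host = urlsplit(text).hostname
    return host.lower() if host else None


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[Optional[str], str]] = []
        self._href: Optional[str] = None
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._buf = []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._buf)))
            self._href = None


def find_mismatched_links(html: str) -> List[dict]:
    """Return one finding per anchor whose URL-looking text names a host that
    differs from the host of its href (javascript:/mailto: hrefs have no host
    and are therefore reported as mismatches too)."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        text_host = _host_of(text)
        if text_host is None:
            continue  # ordinary words as link text: nothing to compare against
        href_host = urlsplit(href or "").hostname
        href_host = href_host.lower() if href_host else None
        if text_host != href_host:
            findings.append({
                "text": text.strip(),
                "href": href,
                "text_host": text_host,
                "href_host": href_host,
            })
    return findings


# Constructed sample: one honest link, one click-tracker newsletter link,
# one bare-hostname link that matches, and one deceptive lookalike.
SAMPLE_HTML = """
<p>Read the <a href="https://example.org/wiki/Typosquatting">Wikipedia article</a>.</p>
<p>If you don't see the button, follow
   <a href="https://click.tracker.example/abc123">https://newsletter.example.com/offer</a></p>
<p>Visit <a href="https://example.com/docs">example.com/docs</a> for details.</p>
<p>Sign in at <a href="http://other.example.net/login">https://bank.example.com/login</a></p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"text says {f['text_host']!r} but href goes to {f['href_host']!r}: {f['href']}")
```

The comparison is an exact hostname match, so it will also flag `www.example.com` text against an `example.com` href and cannot see through redirects, which is the false-positive concern raised earlier in the thread; a production filter would compare registrable domains and treat known tracking proxies (t.co, urldefense.proofpoint.com) as a separate, lower-severity class rather than suppressing the warning entirely.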