[ameliaquining]

The real URL will appear in the browser address bar anyway before the user gets the chance to disclose any information. I don't know exactly what proportion of users will notice a well-disguised phishing URL in the email body but not in the address bar, but I bet it's not that high.

The attack prevented is simply having the user open the attachment, allowing the sender to execute arbitrary JavaScript on their machine in the file:// context. (Modern browsers have made the security consequences of this somewhat less dire than they once were, but it's still not something you want to do if you can help it.)

[stan_rogers]

That involves the rather large and utterly baseless assumption that users look at the address bar at all. You probably do. Does your somewhat less-savvy next-door neighbour?

[userbinator]

This observation I made a while ago shows that a considerable number of "average users" used to, and even understood how URLs are formed:

https://news.ycombinator.com/item?id=7678729

If an increasing number of users aren't, then that is certainly a problem.

[ameliaquining]

They don't really look at the URL in the email body either, especially if it's long and intimidatingly technical-looking.

[hnlmorg]

> The real URL will appear in the browser address bar anyway before the user gets the chance to disclose any information

Which is already too late for anyone compromised by a drive-by download attack.

[ameliaquining]

The threat model here is phishing, not drive-by downloads. Browsers have a much greater ability to mitigate those. Also, a drive-by download email doesn't have to impersonate any particular sender, it just has to look like something that a user might want to click on.

[hnlmorg]

> The threat model here is phishing, not drive-by downloads.

I think you missed my point. What if it isn't a phishing attack? Or even, what if it isn't just a phishing attack?

Your suggestion leaves users vulnerable by encouraging them to open suspicious looking links on the off chance it is, at most, a phishing attack.

> Browsers have a much greater ability to mitigate those.

Except when they don't. For what it's worth, I've also seen mobiles fall victim to drive-by download attacks.

> Also, a drive-by download email doesn't have to impersonate any particular sender, it just has to look like something that a user might want to click on.

E-mail worms are spread by the trust relationship between people known to each other (ie a user opening an attachment because it's from a recipient they know). I don't see why drive-by download attacks couldn't exploit the same human condition (ie "Hey bob, check out this link. It's awesome").

In fact I have seen that kind of malware in the wild, now I think about it.

[ameliaquining]

I don't know what you mean by "encouraging". I am taking it as a given that users cannot be reliably prevented from clicking on links in emails. The security benefit of forcing the URL to be displayed before the click is extremely minimal.