by techsupporter 3008 days ago
> Being security conscious, I hovered over the link and suspected a phishing attack.

> Given I work in finance, this was the only prudent move I felt I had.

At my place of employment, we are instructed to "hover to uncover" every link in an e-mail. Yet every link I get from virtually any automated source reads something like this:

"To accomplish the task you need to accomplish, simply visit us at h t t p s: / / example dot com / some / simple.url.html"

Yet the ACTUAL link is: "h t t p : / / linktracker9 . unrelatedentity4 . subdomain . example dot io / asdflkjawsfq3894gfjwerfgouiewjngwskuvhawesri7gfhwe4i7fghwefv / qwerog9f8weh8w4fhw98ry2938hwf?utm_lol=hahaha&utm_more=roflcopter&utm_howabsolutelylongcanwemakethislink=shadyb1zn3zz&phishing=no&itscool=thisis_definitely_not_phishing&utm_feed=buzz"

I understand, but do not accept, why every link sending program on the planet insists on doing this. It is broken and wrong.


I can't even see the real link because our anti-spam software rewrites every single one (so they all look like https://somesubdomain.mimecast.com/linkcheck?something=as8fg...). Even more annoyingly, it loads the URL before you even get to it, so single-use URLs like Salesforce password resets get burned before you can use them (we finally got this fixed with our old Proofpoint setup that did the same nonsense; I haven't pestered them to fix it with Mimecast yet).
You've just given me an interesting idea for an extension to HTML itself - an anchor tag / link type where the text displayed can and must only be equal to the href value of the link. Additionally, any rendering client could render such a link with a special visual cue, perhaps, to help the user understand that the visible link text should equal the link href value and only the link href value.

Could just be, maybe you could make an anchor tag which is like, <a href="http://www.google.com"> without a closing tag, and browsers know to render that where the text displayed equals the value of the href. Additionally, clients could detect such links and give them a visual cue to indicate they are "safe(r)" relatively speaking?

Just an idea that popped in when you said this.

What is the point of that? The vast majority of people don't care about URLs, which is why they don't check it when browsing and why we have links and buttons in the first place. That also doesn't solve anything regarding URL redirects.

It seems you're attempting to solve a spam/security issue through a presentation layer, which really works, especially when it's opt-in to a new HTML standard.

All major client clients already do some form of link scanning, including robots to visit the links themselves. This also feeds into their spam scores and can retroactively block certain links when wrapping it in their own redirects.

What if the page tries to position another element over the link? If you just say that the safe-link has the highest z-index, then you'll have plenty of awkward cases where it shows through stuff like sticky navbars/headings or dropdowns that happen to be opened over them. And what would the browsers do to show those links specially? Could a webpage do the same around their own links?
Yeah, those are legitimate problems, I agree.

I guess I was thinking, browser vendors and clients that care are already taking measures to inform users if the URL they are browsing is safe / secure (HTTPS enabled UI for example) - I was just trying to think of some way for the HTML source itself to indicate "hey, the value of the href of this link should be exactly 'X', and a user can see that relatively easily, and if for any reason it is NOT 'X' then the link should not be trusted". I mean, the clients could also take active measures to block such links as well... if the "href" is not the same as the expected value for the href (or if it changes), then the client disables the link automatically.

I don't think one would use the "safe-links" I described everywhere (like, not in places where they would bleed through). I think they might be a special use case, maybe for emails and clients that are rendering more document oriented HTML as opposed to web-site/web application type HTML, although browsers could certainly render them.

Of course, those clients would have to be trustworthy too.

I suppose rather than showing any visual cues that the link is enabled, clients could just validate that... if they see a link like this (without text or an ending anchor tag) -> <a href="http://www.google.com"> then the one and ONLY action the link can take is to navigate to the precise href specified, and it would only render the text of the href as the content of the anchor tag.

So maybe a visual cue is not even needed - just enforcement by trustworthy clients.

This resonates strongly, I reckon. I really like this idea.
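The "hover to uncover" check from the top comment (visible text that reads as a URL must point at the same host as the real href) and the stricter "text must equal href" rule proposed later in the thread, as an added example that is not part of any commenter's post. The HTML body and its hosts are constructed for the example, not taken from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: one honest link, one whose visible text is a URL
# that does not match the real href, one with plain descriptive text.
SAMPLE_HTML = """
<p>Visit <a href="https://example.com/some/simple.url.html">https://example.com/some/simple.url.html</a></p>
<p>Reset: <a href="http://linktracker9.unrelatedentity4.example.io/x?utm_feed=buzz">https://example.com/reset</a></p>
<p><a href="https://example.com/help">Help center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element, including text nested in child tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True if the visible text is something a reader would take for a URL."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return bool(parsed.netloc) and "." in parsed.netloc and " " not in text


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_links(html, strict=False):
    """Return (href, text, verdict) per link. Default: URL-looking text must share the href's host.
    strict=True applies the thread's proposal: visible text must equal the href exactly."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        if strict:
            verdict = "ok" if text == href else "MISMATCH"
        elif looks_like_url(text):
            verdict = "ok" if host_of(text) == host_of(href) else "MISMATCH"
        else:
            verdict = "not-a-url-text"  # descriptive text: hovering is still the only check
        results.append((href, text, verdict))
    return results
```

A "MISMATCH" on the default rule is the case the top comment complains about; descriptive link text is not flagged because nothing on the page claims what host it should point to.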