Hacker News new | ask | show | jobs
by Alex3917 2803 days ago
Every time a link is clicked, send an event to the server with the URL so that it can be tracked. If the URL is already known to be malicious when the page is generated, either don't include the URL or use javascript to intercept the click event and display the interstitial. If links need to be checked for validity at the moment the user clicks them, then just wait for the 200 response and do the same thing, the performance would be identical either way.
1 comments
peterhunt 2803 days ago
And you think running that type of JS on the page is more secure than a simple redirect? What benefit do we get by adding all of this complexity?

Also -- anyone who views a copy/pasted version of this content won't get this protection.

link
Alex3917 2803 days ago
> And you think running that type of JS on the page is more secure than a simple redirect?

It's not more secure, but it's not less secure and it doesn't break the web. It also shouldn't add an appreciable amount of complexity, given that most of the heavy lifting to sanitize, parse, and format UGC content already happens on the server. E.g. if you're already turning UGC snippets into an AST on the server so that you can cleanly syndicate them in different formats, having the AST generate some js around URLs isn't a big lift.

link
peterhunt 2803 days ago
Requiring js for your security features to work adds more attack surface area but yes, it can be mitigated. But so much extra complexity!

I still don’t understand why you think url shorteners break the web.

link
Alex3917 2802 days ago
> I still don’t understand why you think url shorteners break the web.

How do you know where the links resolve to once FB goes out of business?

Given the fact that there are still lots of people whose entire job is translating 6,000-year-old grocery receipts from Sumeria, it's not at all unlikely that tweets being written today will be still be widely studied and considered important 10,000 years from now. But those short links are unlikely to resolve for even the next 20 years.

Also, adding js should no longer add more attack surface now that we have things like subresource integrity in addition to CSPs.

link