7 votes

A little thing that might form some trouble (phishing)

As can be seen in this post in ~test, it is possible to secretly refer to another webpage than the one actually typed. It's not the biggest priority as of now, but it would be nice to see this fixed before Tildes goes live.

In case the ~test post gets deleted, here's an example:
https://innocent.site/

6 comments

  1. [4]
    crius

    Sorry but this is a problem that cannot really be on the shoulders of the website that hosts content produced by the users.

    How would you manage something like:

    ".... and finally I found this website that has been my salvation, here you can ...."

    I'm afraid users need to be educated to use their brain and eyes in this case.

    Most browsers already have a sort of index of potentially malicious websites as well; it doesn't make sense that every website also keeps track of that. You could do what "reddit is fun" does and show you the URL of the link you tapped before actually loading it but that's just because on mobile you could touch the wrong link accidentally. On a browser it would become clunky and detrimental to the UX.

    7 votes
    1. [2]
      Charlie

      I agree with you that it shouldn't fully be the website's duty to take care of such things, but in the example you've given, it's clear that the text isn't equal to the actual URL, so I (and many others) would much more often check the URL. If a newcomer wouldn't know about hiding URLs behind text, I think they'd much quicker tap a malicious link, because they think the blue text is the actual website. Just my idea though.

      2 votes
    2. SourceContribute
      (edited )

      It's kinda easy to filter some of these things, like if the URL is an IP address or has too many sub-domains or too many random characters.

      I wouldn't be opposed to some basic URL filtering which happens on other sites too.

      1 vote
  2. [2]
    Charlie

    I don't know how other sites handle this issue, but I'd check that, if the message contains a URL, that domain matches the one in the actual URL. If it doesn't, maybe add a warning after clicking it, before going to the actual webpage.

    3 votes
    1. eritbh

      As far as I know, they don't. There's nothing preventing you from doing something like this on Reddit or most forums I know of at least.

      Discord doesn't let regular users set custom URL titles, but bots can, and they basically have a warning box that comes up telling you where the link actually goes. I guess you could do that, but personally I find it annoying most of the time as you can find where a link goes by hovering over it and looking in the bottom of the window in most browsers. If this site were gonna do something like that, there should at least be an option to disable it for users that understand what they're doing - though your idea of checking if the domains match would definitely make it less annoying/frequent at least.

      5 votes
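
The domain check proposed in the comments above, sketched in Python as an added example (not code from the thread or from Tildes): it flags Markdown links whose visible text looks like a URL but names a different host than the link target. The function names and the `other.example` host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Markdown inline link: [text](href "optional title"). Nested brackets are not handled.
MD_LINK = re.compile(r"\[([^\]]+)\]\(\s*([^)\s]+)[^)]*\)")
# Link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)


def host_of(url):
    """Return the lowercased hostname of url without a leading 'www.', or None."""
    if "://" not in url:
        url = "http://" + url  # bare domain typed as link text
    try:
        host = urlsplit(url).hostname  # ignores any userinfo before '@'
    except ValueError:
        return None
    if not host:
        return None
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def mismatched_links(markdown):
    """Return (text, href) pairs whose visible text names a different host than the href."""
    flagged = []
    for text, href in MD_LINK.findall(markdown):
        text = text.strip()
        if not URL_LIKE.match(text):
            continue  # ordinary words as link text: nothing to compare
        if host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    # Constructed sample comment: only the first link should be flagged.
    sample = ("See [https://innocent.site/](https://other.example/login), "
              "[this website](https://other.example/) and "
              "[www.innocent.site](https://innocent.site/about).")
    for text, href in mismatched_links(sample):
        print(f"warn: text shows {text!r} but link goes to {href!r}")
```

Links with ordinary words as their text are deliberately not flagged, so a warning would only appear in the case where the text itself claims to be a URL.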