Closed Bug 264850 Opened 20 years ago Closed 11 years ago

Warn about fake links (where anchor text looks like a URL but the href goes elsewhere)

Categories

(Toolkit :: Safe Browsing, enhancement)

RESOLVED WONTFIX

People

(Reporter: mailinglists, Unassigned)

Attachments

(1 file, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8a3) Gecko/20040817
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8a3) Gecko/20040817

Some links are displayed as http://www.mytrusteddomain.com but they point to
http://anotherdomain.com (or to a hidden inline attachment in an email).

I think that Mozilla should warn about this kind of link, maybe with an icon
beside the link and a confirmation message box when clicked.


Reproducible: Always
Steps to Reproduce:
1.
2.
3.
*** Bug 264853 has been marked as a duplicate of this bug. ***
(In reply to comment #0)
> Some links are displayed as http://www.mytrusteddomain.com but they point to
> http://anotherdomain.com (or to a hidden inline attachment in an email).
for example see Bug 264629
> Some links are displayed as http://www.mytrusteddomain.com but they point to
> http://anotherdomain.com 

Under what circumstances?  Please attach a testcase that demonstrates this
problem using https://bugzilla.mozilla.org/attachment.cgi?bugid=264850&action=enter
Attached file: A very basic demonstration (obsolete)
I think the reporter is referring to something very basic, the fact that when
the text displayed for a link looks like a URL, the user will be less careful
and will forget to check on the status bar that the destination of the link is
identical to what would be expected from its text.

I don't know how relevant this is.
Isn't the real security to just make sure that just clicking on a link will
never by itself be a security risk?
We'll never avoid *all* the methods to push someone to click on a link, thinking
that it's a *good* link.
https://bugzilla.mozilla.org/show_bug.cgi?id=254913#c6 shows a concrete case of
a spammer actually trying to use that, and with js to fake the status bar.

In fact, it works somewhat better in the browser, as js will much more often be
enabled, even if it seems less usable than from a mail link.
Attachment #163419 - Attachment is obsolete: true
Product: Browser → Seamonkey
*** This bug has been confirmed by popular vote. ***
Status: UNCONFIRMED → NEW
Ever confirmed: true
note that at least in 2004111805 we show the real destination when you click
(don't release the button until you're sure you're going where you think you're
going).
Assigning to confirmer for reassignment to a relevant component.  Please don't
confirm bugs while leaving them in browser-general.
Assignee: general → juanrey
Component: Browser-General → HTML: Parser
Product: Seamonkey → Core
certainly not a parser issue, probably gui features; fixing component (and
assignee/qa for that matter)

(hmm, why is xp apps:gui features a core component?)
Assignee: juanrey → guifeatures
Component: HTML: Parser → XP Apps: GUI Features
QA Contact: general
I agree.

(I was not able to find such a component, nor anything more suitable than HTML
parser)
Product: Core → Mozilla Application Suite
Component: XP Apps: GUI Features → General
Product: Mozilla Application Suite → Firefox
*** Bug 326425 has been marked as a duplicate of this bug. ***
Assignee: guifeatures → nobody
QA Contact: general
Component: General → Phishing Protection
QA Contact: general → phishing.protection
Severity: normal → enhancement
Summary: Mozilla should warn about fake links → Warn about fake links (where anchor text looks like a URL but the href goes elsewhere)
I don't think it likely we will ever fix this. It's a widely used pattern on normal web sites (say, Twitter and t.co links), and warnings would just end up being annoying.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Product: Firefox → Toolkit
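
The check this bug asks for, sketched as an added example that is not part of the original report or of Mozilla's code: it compares the host a link's visible text claims with the host its href resolves to. The function names, verdict strings and sample links are assumptions made for illustration; the t.co entry shows the legitimate shortener pattern from the closing comment being flagged as well, which is the false-positive cost cited for WONTFIX.

```javascript
// Added example (not Mozilla code): heuristic check for the "fake links" in this bug.
// Function names, verdict strings and SAMPLE_LINKS are constructed for illustration.

// Treat "www.example.com" and "example.com" as the same host.
const normHost = (h) => h.toLowerCase().replace(/^www\./, "");

// Return the hostname the visible text claims, or null when the text is an
// ordinary label ("Click here") or an e-mail address rather than URL-shaped.
function hostFromText(text) {
  const t = text.trim();
  if (t === "" || /[\s@]/.test(t)) return null;
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : "http://" + t;
  try {
    const host = new URL(candidate).hostname;
    return host.includes(".") ? normHost(host) : null; // skip single words
  } catch {
    return null;
  }
}

// Verdicts: "text-not-url", "unparseable-href", "match", "mismatch".
function classifyLink(text, href, base) {
  const shown = hostFromText(text);
  if (shown === null) return "text-not-url";
  let target;
  try {
    target = new URL(href, base); // base resolves relative hrefs
  } catch {
    return "unparseable-href";
  }
  // A URL-looking label on a non-web target (e.g. an inline mail part) also counts.
  if (!/^https?:$/.test(target.protocol)) return "mismatch";
  return normHost(target.hostname) === shown ? "match" : "mismatch";
}

// Keep only the links a warning UI would have to decide about.
function auditLinks(links, base) {
  return links.filter((l) => classifyLink(l.text, l.href, base) === "mismatch");
}

const SAMPLE_LINKS = [
  { text: "http://www.mytrusteddomain.com", href: "http://anotherdomain.com/" },
  { text: "www.mytrusteddomain.com", href: "https://mytrusteddomain.com/login" },
  { text: "Click here", href: "http://anotherdomain.com/" },
  { text: "example.org/article", href: "https://t.co/abc123" }, // shortener pattern
  { text: "http://www.mytrusteddomain.com", href: "cid:part1" }, // inline mail part
];

console.log(auditLinks(SAMPLE_LINKS).map((l) => `${l.text} -> ${l.href}`));
```

In a page context the same functions can be fed from `document.links`, using each anchor's `textContent` and `href`. Exact host comparison is deliberately strict; comparing registrable domains would need the Public Suffix List.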