Bug 278490
Status: NEW (Open)
Opened 20 years ago
Updated 4 years ago
Make link href clear in mail window to thwart phishing attacks
Categories: SeaMonkey :: MailNews: Message Display, enhancement
Tracking: (Not tracked)
People: (Reporter: hjtoi-bugzilla, Unassigned)
Attachments (1 file): 11.69 KB, image/png
Make link href clear in mail window to thwart phishing attacks
A lot of phishing email comes in that looks like it is from a legitimate sender,
but when you mouse over the links or view source you can see that the links go
somewhere else than you expected.
Like I mentioned, you can mouse over the link, and if JS is disabled/right
options set, the mails cannot spoof the status bar.
However, I think we could do a better job than just displaying the link destination in
the status bar. I don't even think inexperienced users are going to look at the
status bar.
I thought of several possibilities, although none strikes me as really good:
* Add CSS to always display link href (not perfect because it messes up the layout)
a[href]:after {
content: " [" attr(href) "]";
font-weight: bolder;
}
* On hover, replace current link text with real href (not perfect because
you may not expect this, and may miss when just clicking fast)
* Display tooltip on hover with real href (not perfect, because it interferes
with regular title attributes).
* Replace content that looks like URL but is different than href, with real
href (not perfect, since you can bypass this by making links out of
regular text).
* Make user go through additional step: 1) Click link, 2) dialog or some such
opens with text "Do you want to open link to site XXX" (not perfect because
of several reasons...)
Comment 1•20 years ago
Google displays a fat yellow warning box, see attachment.
12 kb screenshot of a phishing mail in my gmail spam folder.
There is a warning in the header:
Return-Path: <aw-confirm@ebay.com>
Received: from aspserve-psm5m1 (20-147-118-80.kaptech.net [80.118.147.20])
by mx.gmail.com with ESMTP id o9si79818cwc.2005.01.15.13.14.03;
Sat, 15 Jan 2005 13:14:04 -0800 (PST)
Received-SPF: softfail (gmail.com: domain of transitioning aw-confirm@ebay.com
does not designate 80.118.147.20 as permitted sender)
From: "eBay Billing Department" <aw-confirm@ebay.com>
Subject: Credit/Debit Card Update
The Phishing Link:
<p>Please update and verify your information by clicking the link below: </p>
<p><a
href="http://216.117.155.116/ebay">https://signin.ebay.com/ws/eBayISAPI.dll?SignIn</a></p>
<p>If your account information is not updated within <strong>48 hours</strong>
then your ability to sell or bid on eBay will become restricted.</p>
Comment 2•20 years ago
This looks like a duplicate of Bug 254913 (and note Bug 254913 comment 3) for me.
Comment 3•20 years ago (Reporter)
(In reply to comment #2)
> This looks like a duplicate of Bug 254913 (and note Bug 254913 comment 3) for me.
Very similar, but not exactly the same. I'd say, if bug 254913 was implemented
and worked perfectly, then this bug would be irrelevant. But most likely bug
254913 can't be implemented to be 100% correct all the time, in which case there
is some value in implementing this bug.
Comment 4•20 years ago
(In reply to comment #3)
> there is some value in implementing this bug.
Also some annoyance. I don't *want* the layout messed up due to the 'content'
styling if the URL is non-phishy; I don't *want* to go thru a warning dialog
when clicking on a legitimate link; and I don't *want* the tooltip and hover
replacements you suggest on *any* mail. What I *do* want is the solution at
bug 254913: something that checks the displayed URL-like text against the actual
href of the link, and flags it visually, with a bar or with, say, a WARNING icon
that appears right next to the link.
A truly inexperienced user isn't even going to understand the difference between
the displayed and actual URLs. Therefore, the only suggestion that really
makes sense for novices is the warning dialog. So, I could live with a dialog
that pops up on clicking a link that read something like:
Warning: following links can lead to inadvertent disclosure of your personal
information or to infection of your system with viruses.
[] Do not show this dialog again <--- VERY IMPORTANT
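The check comment 4 asks for (compare the displayed URL-like text against the real href and flag only a mismatch), written out as an added example that is not SeaMonkey code or the bug 254913 patch; it also shows why the reporter's option list notes that links made out of regular text escape this check. Function names are hypothetical, the sample mail is constructed around the link quoted in comment 1, and only the global URL class is used.

```javascript
// Added example, not SeaMonkey or bug 254913 code: flag a link whose visible
// text names one host while its href really goes to another, the check asked
// for in comment 4. Function names are hypothetical; only global URL is used.

// Host the visible text appears to name, or null for plain text such as
// "click here", which this check cannot judge (the reporter's caveat).
function apparentHost(text) {
  const m = /^(?:https?|ftp):\/\/([^\/?#\s]+)/i.exec(text) ||
    /^([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[\/?#]|$)/i.exec(text);
  // Strip userinfo ("user@") and any port so only the host remains.
  return m ? m[1].replace(/^.*@/, "").replace(/:\d+$/, "").toLowerCase() : null;
}

// Host the href really resolves to (the URL parser, not the eye, decides what a userinfo trick like "signin.ebay.com@198.51.100.7" means); null if not a web URL.
function hrefHost(href) {
  try {
    const u = new URL(href);
    return /^https?:$/.test(u.protocol) ? u.hostname.toLowerCase() : null;
  } catch (e) {
    return null;
  }
}

// Verdict for one anchor: flagged only when the text names a host and the href
// demonstrably goes elsewhere (leading "www." ignored), so benign links stay unmarked.
function flagLink(text, href) {
  const shown = apparentHost(text);
  const real = hrefHost(href);
  const bare = (h) => h.replace(/^www\./, "");
  const flagged = shown !== null && real !== null && bare(shown) !== bare(real);
  return { shown, real, flagged };
}

// Walk <a href="...">text</a> pairs in a mail body (simplified regex; a real
// client would walk the DOM) and return one verdict per link.
function scanAnchors(html) {
  const re = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  return Array.from(html.matchAll(re), (m) => {
    const text = m[2].replace(/<[^>]+>/g, "").trim();
    return { href: m[1], text, ...flagLink(text, m[1]) };
  });
}

// Constructed sample: comment 1's link, a benign link, a userinfo trick, plain text.
const SAMPLE_MAIL =
  '<a href="http://216.117.155.116/ebay">https://signin.ebay.com/ws/eBayISAPI.dll?SignIn</a>' +
  '<a href="https://www.ebay.com/help">ebay.com/help</a>' +
  '<a href="https://signin.ebay.com@198.51.100.7/">https://signin.ebay.com/</a>' +
  '<a href="http://198.51.100.7/">click here</a>';
```

Only the first and third sample links come back flagged; the benign www/no-www pair and the plain "click here" text are left alone, which is exactly the gap the reporter's fifth option (a confirmation dialog) was meant to cover.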
Comment 5•20 years ago
(In reply to comment #4)
> What I *do* want is the solution at bug 254913: something that checks the
> displayed URL-like text against the actual href of the link, and flags it
> visually, with a bar or with, say, a WARNING icon ...
> A truly inexperienced user isn't even going to understand the difference
> between the displayed and actual URLs. Therefore, the only suggestion
> that really makes sense for novices is the warning dialog. So, I could live
> with a dialog that pops up on clicking a link that read something like:
>
> Warning: following links can lead to inadvertent disclosure of your
> personal information or to infection of your system with viruses.
>
> [] Do not show this dialog again <--- VERY IMPORTANT
A truly inexperienced user should never get a chance to click on
[] Do not show this dialog again <--- VERY IMPORTANT
It is even hard for an experienced user
1. to know the option exists
2. to know a choice has been made
3. to know how to reverse this choice
That is the comfortable, unbloated about:config way of delivering you all the
wisdom you need, giving you the capability to change all what you want to.
Every '[] Do not show this dialog again' is for the people liking the easiness
of Win2k, WinXP, IE, Outlook installing you the most modern software.
Mostly you don't want it, buy additional ANTIVIRUS software to get rid of these
installations, but
1. you want your computer to install everything you click onto
1a) You know, your computer can click itself
2. you want your antivirus/firewall to prevent anything against the rules from
installing.
2a) you know your computer can tell your personal firewall how to behave.
3. you know it is forbidden to install Spyware against your will
3a) you know it's for your best web experience.
4. you know Capital punishment prevents murder.
4a) true, you don't know a murderer.
5. you know you won't die if you've got a life assurance
5a) true, you've got a life insurance
I would be happy to see a warning like google mail presents
I wouldn't mind if no warning is shown as I'm one of the people who will never
fail on email ;-) but what about the rest?
Imho if a mail client should be seen as safe there should be no possibility
to use HTML, images, css, and most important no possibility to override.
The big IE advantage is, you are asked no important questions,
but whose advantage is this?
1. market share of IE
2. utter satisfaction not to be asked questions you can´t answer?
3. satisfaction not to be asked questions you can answer better,
but won´t take a risk?
If your CEO tells you it is secure, it is secure!
Depends on: 254913
Comment 6•20 years ago
xref bug 279191 -- patch in progress.
Comment 7•20 years ago
*** Bug 287095 has been marked as a duplicate of this bug. ***
Updated•20 years ago
Assignee: sspitzer → mail