57

If I move the mouse pointer over a link without clicking it, the browser displays the link's URL in the bottom-left corner.

Q: Could this URL (in the bottom-left) be different from the one my web browser will actually go to? (Don't count server-side redirects, e.g. HTTP 302.)

I'm asking because I want to know whether telling users to check the bottom-left of the browser before clicking a link is good/usable advice regarding security.

Please provide authentic links/descriptions too :)

PS: maybe if JavaScript is enabled, the user can be sent to a different website from the one displayed in the bottom-left?

UPDATE: Does disabling JavaScript with e.g. NoScript solve this problem 100%? (I opened a bounty for this part of the question.) It looks like it could be prevented with NoScript.

newuser999
  • 5
    Example: http://jsfiddle.net/qn4jF/embedded/result/ – Adi Aug 30 '13 at 11:37
  • 2
    You can't trust them. There have been a million different cases over the years where browsers have been tricked into doing something other than what the user expected. If you can't absolutely trust the page you have visited, just close the browser window. Don't touch anything. Providing links to past situations isn't very useful, because new techniques are invented regularly. Seriously, just don't trust it. – Abhi Beckert Sep 01 '13 at 03:15
  • Should I open another question regarding "Does disabling JavaScript with e.g. NoScript solve this problem 100%?", or can I put a bounty on this question regarding it? – newuser999 Sep 02 '13 at 13:51
  • To answer the second part of your question, judging from all the answers posted so far, yes, disabling JavaScript would work. But it's not exactly a great solution, as you'd have to disable Javascript completely and break most websites these days. – demize Sep 02 '13 at 15:27
  • 3
    I disabled JavaScript and went to this site: http://jsfiddle.net/48KFV/2/show/ it still worked :) so disabling JavaScript can't help (used Firefox). – newuser999 Sep 02 '13 at 15:51
  • http://jsfiddle.net/48KFV/2/show works without javascript. The "statusbar" is fake, and looks fake to the paranoid, but I imagine the average person who just wants to get his work done may not notice the difference. – Terrel Shumway Sep 06 '13 at 18:11

8 Answers

61

Could this URL (in the left/bottom) be different from the one that my web browser will go to?

Yes.

  • for a simple link click, the whole click could be captured by JavaScript and made to do something else, including navigating to a different page

  • the link could be substituted `onmousedown` (this is common behaviour for some link-click tracking scripts)

  • for browsers like Chrome where the address pop-up appears inside the page area, that pop-up could be faked with JavaScript and page elements. In general you can only trust browser UI that appears in the chrome border, outside of page control.

Consequently the address pop-up is a convenience feature but offers no security function.

bobince
  • So, at least, if we have NO JavaScript, we should be safe, but not otherwise? – Marcel Aug 30 '13 at 09:04
  • 6
    Not really. You could still fake an address pop-up using only `:hover` CSS. – bobince Aug 30 '13 at 09:19
  • 1
    @bobince: Can you provide an example? – Marcks Thomas Aug 30 '13 at 14:09
  • 10
    @MarcksThomas this should prove the point (test in Chrome): http://jsfiddle.net/48KFV/show/ I just didn't bother with the correct CSS and transition :D – Esailija Aug 30 '13 at 14:27
  • @Esailija and bobince. While it's a nice example, you still need JavaScript to open the new window and "redirect" to the new evil URL. Moreover, the browser's original status "bar" has the highest order priority and will always lay on top of the one created with CSS et al, so using `href` won't help. – Adi Aug 31 '13 at 08:11
  • 1
    @Adnan: still more trickery is possible. For example imagine a `<form>` set to post to URL A, with a hidden submit button (you don't get an address popup for this), with Esailija's CSS demo showing URL B. – bobince Aug 31 '13 at 11:31
  • 4
    @Adnan Here is a working example: http://jsfiddle.net/48KFV/2/show/ it even works for middle-mouse click. http://jsfiddle.net/48KFV/2/ to see the code (cannot run here because jsfiddle runs the page in iframe and there are x-frame-options deny) – Esailija Sep 01 '13 at 11:52
  • @Esailija This is actually pretty neat. Thanks for posting it. – Adi Sep 01 '13 at 12:22
  • I accepted this as answer because Esailija's second example works without JavaScript :) – newuser999 Sep 02 '13 at 15:32
  • 2
    "_for browsers like Chrome where the address pop-up appears inside the page area_" it seems that the Chrome designers did not bother with a reserved, separated, impossible-to-spoof status bar (such as the FF status bar if you disable JS changing of the status) because they did not believe the status bar had any security benefits. – curiousguy Sep 03 '13 at 05:49
25

Yes, the URL a link will eventually take you to can be different from the one shown on the status bar.

One of the possible ways to do this is to listen to the mousedown DOM event of the link element and change the link inside the event.

To observe this you can go to Google search, open the developer console and click on a result link.

When you hover your cursor over the link:

[Screenshot: Hover over]

When you hold down the mouse button, the link is changed, but the status bar doesn't change in Chrome:

[Screenshot: Mouse down]

When you move the mouse a little bit, the status bar in Chrome is updated:

[Screenshot: Mouse move]

(Actually I think someone should file a bug report on http://crbug.com.)

Alvin Wong
19

No, you can't trust it.

The most prolific example of this? Take a look at Google search results. Mouse over a result and you get one link in the status bar; right-click and copy the link to your clipboard and you'll see you have a completely different one.

The way Google does it is super smart (and super simple). When the HTML comes back, you have the correct URL in the HTML link's `href`, but they alter it as soon as your browser picks up a "mouse down" event on the link.

BenLanc
  • 7
    Simple, yes, but way way way annoying. – RBerteig Aug 30 '13 at 21:05
  • @RBerteig Yes: some people copy and post the Google feedback URL to forums instead of the destination URL. Google should use PING (and browsers should enable PING whenever they allow this destination hiding). – curiousguy Sep 03 '13 at 04:56
  • @curiousguy PING? – BenLanc Sep 03 '13 at 14:33
  • 4
    @MrJamin "The ping attribute, if present, gives the URLs of the resources that are interested in being notified if the user follows the hyperlink. The value must be a set of space-separated tokens, each of which must be a valid non-empty URL. The value is used by the user agent for hyperlink auditing" [Links created by a and area elements](http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html) See also http://jibbering.com/blog/?p=192 – curiousguy Sep 03 '13 at 20:55
  • That's why you use keyboard navigation on google result pages. Very convenient and no mousedown events. Finally I found a use for the context-menu key. – Robert Jun 05 '17 at 21:10
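An added example (not code from the thread, from Google, or from any browser) that turns the patterns described in the three answers above into a static check: it scans an HTML fragment for anchors carrying inline mousedown/click handlers (the `href` swap Alvin Wong and BenLanc describe), `javascript:` hrefs, and the `ping` attribute curiousguy mentions as the honest alternative. The regex tokenizer and the sample markup are constructed for the demo; this is not a full HTML parser and the sample is not real Google markup.

```javascript
// Parse name="value", name='value' or name=value pairs from an <a ...> tag body.
function parseAttrs(attrText) {
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return one finding per <a> tag: its href and the flags raised for it.
function auditLinks(html) {
  const anchorRe = /<a\b([^>]*)>/gi;
  const findings = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const href = a.href || '';
    const flags = [];
    // A handler on any of these events can rewrite href after the status bar showed it
    for (const ev of ['onmousedown', 'onmouseup', 'onclick']) {
      if (ev in a) flags.push(`inline ${ev} handler may rewrite href before navigation`);
    }
    if (/^\s*javascript:/i.test(href)) {
      flags.push('javascript: href runs code instead of navigating');
    }
    if ('ping' in a) {
      // ping keeps href honest: the click is reported to the listed URL(s) separately
      flags.push(`ping attribute notifies ${a.ping} on click`);
    }
    findings.push({ href, flags });
  }
  return findings;
}

// Constructed sample fragment (hypothetical example.com URLs) exercising each case
const SAMPLE_HTML = `
<a href="https://example.com/result" onmousedown="this.href='https://example.com/track?u=result'">Result</a>
<a href="https://example.com/plain">Plain</a>
<a href="javascript:void(0)" onclick="go()">Click me</a>
<a href="https://example.com/honest" ping="https://example.com/audit">Honest</a>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditLinks(SAMPLE_HTML)) console.log(f.href || '(no href)', f.flags);
}
```

Only the second anchor comes back with no flags; the first is the Google-style swap, the third never navigates at all, and the fourth tracks the click without hiding its destination.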
11

Question is just because of knowing that telling the users to check the left/bottom of the browser before clicking on the link is a good/usable thing regarding security.

My non technical answer (unlike other answers which focus on the power of JS and CSS):

I think this idea of checking is absolutely not realistic (bordering on crazy) and as such nefarious for real-world, realistic computer security.

  • Even if you disable changing the status bar in JS (why would a Website really need to alter the status bar anyway?),
  • even if you disable JS (which breaks many nice Web features) so that the destination of a link cannot be changed with JS as shown in other answers,
  • even if you go as far as disabling automatic HTTP redirects (which would be very annoying on some Websites)...

the idea of carefully checking the target of every single link is a perfect example of "security as the enemy of usability" thinking: it is not only impractical, it is so impractical that users would not only never apply this principle for more than a few minutes, they might even be led to believe that secure handling of a computer is just too difficult and not worth it.

When you are giving security advice, you are not just stating a recommendation appropriate in a particular context, you are sending a message about computer security in general: security is easy, security is not easy but attainable, or security is just too difficult.

If you give advice which is clearly too difficult to seriously apply every single time, every single day, you are giving the impression that computer security is all about perfectly following awfully stringent requirements, something mere mortals cannot really do.

If you ask way too much, people simply give up. And "security experts" waste their credibility.

This is why security recommendations cannot just be given by semi-gods "security experts" offering their "science" to mere mortals; security recommendations must be tested in the real world; implementation of recommendations must be observed, measured. When experience shows the recommendation is not followed, it must be changed to become useful in the real world.

telling the users to check the left/bottom of the browser

Another issue is, even if you could find some users willing to "check" the target of every single link, these users would not even know how to do the "check", because they almost never have any idea where a link is supposed to point to.

The recommendation is not just way too hard to practice everyday, it is confusing.

curiousguy
6

You used to be able to do this by setting the window.status property using Javascript. See this link for more information. (Forgive me linking to w3schools, it's one of the better links I can find for this particular search...)

However, most modern browsers have disabled this feature precisely for security reasons. On Chrome at least, I don't think there is a way to reactivate it.

2

In addition to all the answers here, mobile browsers can't be trusted at all. This is because most mobile browsers hide the URL bar.

In addition, apps will wrap the web browser (legitimately) to create iPhone and Android applications. (See PhoneGap and several others that do the same thing.)

If you use a mobile browser, you're trusting all your security to the app developer or giving up visibility on the browser bar. This is a problem that needs to be solved.

Partial Solution

Right now, we have all devices use an HTTP/S proxy over a VPN, and each website is checked for malicious content and/or for being relatively unknown or obscure (as most hacked sites are).

In addition we do SSL certificate validation, and extended DNS checks.

makerofthings7
1

Yes.

There have been known attacks such as the following:

```javascript
// Attach a click handler to every link on the page; the href is only replaced
// when the link is clicked, so the status bar shows the original target on hover
for(i in o=document.links){o[i].onclick=function(){this.href='//bit.ly/141nisR'}}
```

As shown in: http://bilaw.al/2013/03/17/hacking-the-a-tag-in-100-characters.html

The above attack will allow the attacker to assume that the URL is going to the correct place until they click on it, which then changes the `href` attribute and directs them to a new location.

DarkMantis
1

First of all, nice question!

If you are asking whether the browser takes us to the URL shown in the status bar, then yes; I find it can always be trusted, unless some server-side or JavaScript address resolver is there.

If you point at anchor text that has a shortened URL, the browser will display the shortened URL, as this is the only URL embedded in the HTML of the page.

Maybe the server uses many intermediate URLs for tracking behaviour, like Google does; the browser still shows the final URL to be landed on.

[Screenshot: Chrome showing final URL in status bar]

We can see the intermediate URL by copying the link and pasting it into the browser; Google may use this link for tracking the location, user behaviour etc., but the browser shows the correct URL.

Sometimes the browser itself starts resolving links while we point at them; you can see it in the status bar, and it gets to the final URL that is allowed to the browser.

So I think, being a machine, the browser shows the correct URL unless there is any script in the URL.