: 4582 | 108668 | 12353
|
: 9 : 9 : 0 |
I have written a lengthy explanation here http://www.proudprogrammer.no/web/ppblog.nsf/d6plinks/GANI-A6YFK5.
Very shortly; Prompt the user when he or she attempt to click on a mail link containing a redirect-URL. These URLs uses the at-sign to redirect to other sites. The format is like this:
http:// <user info> @ < the real url>
Traditionally this format has been used to transport username and password to the site, and thus logging into a basic authentication site. However, it is fully up to < the real url> what to do with the <user info>.
In the blog post I reference in the beginning, I show how the URL http://portal.ibmeventconnect.com can be transformed to this: http://portal.ibmeventconnect.com@3277338128
Looks much the same, right? However, it uses the redirect at-sign, and redirects the call to a Norwegian newspaper (www.vg.no) were I have converted www.vg.no's IP address to an integer. All valid URL-stuff, but easy to overlook.
I therefore hope IBM will allow a configurable dialog box to pop up when such links are clicked, to both warn - and possible show where the link would end up. |
1) Alex Matheson31 (09 Feb 2016)
Good Idea - its such a simple security feature its hard to believe it is not already in place.
Also are you suggesting that it only alerts the user they are being redirected, or it alerts the user to exactly what they are being redirected to?
Also are you suggesting that it only alerts the user they are being redirected, or it alerts the user to exactly what they are being redirected to?
2) Rohan Shah21 (09 Feb 2016)
Its a nice security feature. I browse a lot on websites online and the most thing i hate is being redirected to some other page without knowing where i am being redirected to.
3) Robert Ibsen Voith4084 (10 Feb 2016)
@Alex Matheson, the simplest would be to just warn the user about the redirect. It would be even better if the system also resolved the redirect for the user, much like the Maxa tools do (see the blog post for details).
4) Alex Matheson31 (10 Feb 2016)
@Robert Ibsen Voith, Interesting blog post. What if you create something similar to the Google Chrome app "Link Preview" which allows users to hover over a link and view a preview of the page.
Another idea would be a system similar to Avast Anti Virus where it will mark a link with a red badge if it redirects the user or seems shady.
My only criticism is that if it only lets the user know they are being redirected, many users will click anyway assuming it is something they are supposed to be redirected to. To make it more user friendly I think one of the ideas above would work nicely.
I will include a picture to help explain my thoughts.
Another idea would be a system similar to Avast Anti Virus where it will mark a link with a red badge if it redirects the user or seems shady.
My only criticism is that if it only lets the user know they are being redirected, many users will click anyway assuming it is something they are supposed to be redirected to. To make it more user friendly I think one of the ideas above would work nicely.
I will include a picture to help explain my thoughts.
5) Robert Ibsen Voith4084 (10 Feb 2016)
@Alex Matheson, yes, there are many ways to do stuff like you point out. I like the Chrome App-variant too. Since all URL protocols require a handler registered in the registry (one for https, one for http, one for notes etc), it means that Avast etc most perhaps inject themselves into that command chain. It could actually be quite simple to create an intermediate inspection tool, which analyzes the URL and relay it onto the original handler if OK.
Regarding the user allowing the link to go through anyway, I would like to see some policy protection around this. The most strict variant could block ANY redirect, and not allowing the link to go through.
Regarding the user allowing the link to go through anyway, I would like to see some policy protection around this. The most strict variant could block ANY redirect, and not allowing the link to go through.
6) Alex Matheson31 (11 Feb 2016)
@Robet Ibsen Voith, I think the best solution would be a combination of both an intermediate inspection tool as well as some policy protection. The combination would allow for less strict policies than blocking users from all redirects.
Basically all links that are not validated by the inspection tool would be blocked as per the protection policies.
Another possible addition could be flagging users each time they send a link that fails the validation process. This would allow users to know before they even open the email or links they should be cautious of the individual.
Basically all links that are not validated by the inspection tool would be blocked as per the protection policies.
Another possible addition could be flagging users each time they send a link that fails the validation process. This would allow users to know before they even open the email or links they should be cautious of the individual.
7) Rohan Shah21 (11 Feb 2016)
@Robet Ibsen Voith The idea of Link Preview by @Alex Matheson is great.
Even the Flagging idea where the users know beforehand about the website is brilliant.
Even the Flagging idea where the users know beforehand about the website is brilliant.
Welcome to IdeaJam™
You can run IdeaJam™ in your company. It's easy to install, setup and customize. Your employees, partners and customers will immediately see results.
Use IdeaJam to:
- Collect ideas from employees
- Solicit feedback and suggestions from employees and customers
- Run innovation contests and competitions
- Validate concepts
- Use the power of "crowd-sourcing" to rank ideas and allow the best ideas to rise to the top
IdeaJam™ works with:
- IBM Connections
- IBM Lotus Quickr
- Blogs and Wikis
- Websphere Portal
- Microsoft Sharepoint
- and other applications.
IdeaJam has an extensive set of widgets and API's that allow you to extend and integrate IdeaJam™ with other applications.
Learn more about IdeaJam >>
IdeaJam developed by
