Insert link facilitates phishing attacks

Ashish Gupta ashmew2 at gmail.com
Tue Nov 19 18:03:39 EST 2013


On 20 Nov 2013 03:03, "Ethan Blanton" <elb at pidgin.im> wrote:
>
> Mark Doliner spake unto us the following wisdom:
> > Yeah, there are definitely things we could do to protect our users better.
> >
> > On Tue, Nov 19, 2013 at 12:20 PM, Ashish Gupta <ashmew2 at gmail.com> wrote:
> > > The security check could then follow the WYSIWYG approach and always open
> > > the link visible instead of whatever is contained in the URL.
> >
> > Or at least warn the user and ask which URL they want to open.
>
> This seems very reasonable to me.  If we check the link text and it's
> also something that has a URL handler, but differs from the
> target, warn the user.  My only concern is that there might be a
> service that escapes entities in one but not the other, etc., causing
> false positives -- but we can always try it and find out.
>
> > We could also check links for malware and phishing using Google's Safe
> > Browsing API and warn the user.
>
> This I do not support, at least without an option that defaults to
> off.  (Perhaps with a prompt to ask the user, before they click on
> their first link?)  I'm not a fan of leaking the links sent to someone
> in an IM to Google or anyone else.
>
> Ethan

Especially with the rising concerns about privacy and how user data is used
by companies, I feel that using a proprietary safe search engine might not
be the best of choices.

Can there be an alternative to this?
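
The link-text check proposed in the quoted reply above (warn when the visible text is itself a URL with a handler but differs from the target), as an added example that is not part of the original thread and is not Pidgin code. It is written in Python for brevity; the scheme list, the function names and the sample message are assumptions constructed for illustration, and entities are decoded on both sides so that a link escaped twice on one side is not reported as a mismatch.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: schemes treated as "has a URL handler"; the real list is not in the thread.
HANDLED_SCHEMES = {"http", "https", "ftp"}

def comparable(url):
    """Return a (host, port, path, query) key for a handled URL, else None; scheme is ignored."""
    url = html.unescape(url.strip())    # undo a leftover layer of entity escaping
    if url.lower().startswith("www."):  # bare "www.host" text still reads as a link
        url = "http://" + url
    try:
        parts = urlsplit(url)
        if parts.scheme not in HANDLED_SCHEMES or not parts.hostname:
            return None
        return (parts.hostname.rstrip("."), parts.port, parts.path.rstrip("/"), parts.query)
    except ValueError:                  # malformed port or IPv6 literal
        return None

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":                  # remember the target, start collecting text
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def deceptive_links(message_html):
    """Return (text, href) pairs whose text is itself a URL that differs from the target."""
    collector = AnchorCollector()
    collector.feed(message_html)
    collector.close()
    return [(text, href) for text, href in collector.links
            if comparable(text) is not None and comparable(text) != comparable(href)]

# Constructed sample: a spoofed link, a double-escaped but honest link, a plain-text link.
SAMPLE = (
    '<a href="http://evil.example/login">http://bank.example/login</a> '
    '<a href="http://shop.example/?a=1&amp;b=2">http://shop.example/?a=1&amp;amp;b=2</a> '
    '<a href="https://pidgin.im/">Pidgin home page</a>'
)
```

Calling `deceptive_links(SAMPLE)` returns only the first link; everything runs locally, so no link is sent to a third party.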