Security Request: Fundamentally change the way non-mailto links work

Board for discussions around the Epyrus mail and news client.

Moderator: athenian200

RealityRipple
Astronaut
Posts: 666
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Security Request: Fundamentally change the way non-mailto links work

Unread post by RealityRipple » 2023-09-24, 18:25

I ran into this concept a few months ago, and I think it's the greatest security advancement for E-Mail clients I've ever heard - Make hyperlinks copy-to-clipboard on click rather than immediately opening a browser and navigating to them.

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by Moonchild » 2023-09-24, 18:38

Please don't do this. There's no security risk associated with opening clicked hyperlinks in the system browser and it's essential behaviour for pretty much all notification e-mails.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

athenian200
Contributing developer
Posts: 1537
Joined: 2018-10-28, 19:56
Location: Georgia

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by athenian200 » 2023-09-24, 19:20

Well, the only way I would be willing to implement this is if it were something that could be disabled by a preference, because I'm sure a lot of people like being able to follow links in e-mails.

Though honestly, I have to admit that if most e-mail clients started working this way, I would probably find webmail to be a better alternative, since it's trusted by default whereas an e-mail client has to jump through a lot of extra hoops.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

Bilbo47
Fanatic
Posts: 240
Joined: 2017-11-18, 04:24

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by Bilbo47 » 2023-09-24, 22:37

That security enhancement would be more relevant/useful in corporate environments where they still need to monitor web destinations and train people with "Do not click links in emails!1!". Preference would default to Off / traditional behavior, but managed environments could turn it On as needed to comply with corporate policy.

back2themoon
Moon Magic practitioner
Posts: 2411
Joined: 2012-08-19, 20:32

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by back2themoon » 2023-09-24, 22:38

What would be the purpose of this, to better verify the link before opening it? Isn't it already visible on mouse hover?

Perhaps pasting directly on a browser has some security advantage over the email client passing the link?

RealityRipple
Astronaut
Posts: 666
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by RealityRipple » 2023-09-24, 23:10

back2themoon wrote (2023-09-24, 22:38):
> What would be the purpose of this, to better verify the link before opening it? Isn't it already visible on mouse hover?
>
> Perhaps pasting directly on a browser has some security advantage over the email client passing the link?
Not to better verify - to FORCE verify. Pasting the link into your address bar draws your attention to it naturally in the process. And mouse hover is great, if you know about it and you're not using a touch screen. From personal experience with clients and family, though, many users forget that it exists at all, since it's always in the bottom corner where their eyes have no reason to look.

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by Moonchild » 2023-09-24, 23:51

athenian200 wrote (2023-09-24, 19:20):
> I would probably find webmail to be a better alternative, since it's trusted by default
That's a good point too. Browsers will never force this kind of behaviour on hyperlinks.
Bilbo47 wrote (2023-09-24, 22:37):
> That security enhancement would be more relevant/useful in corporate environments where they still need to monitor web destinations and train people with "Do not click links in emails!1!".
It's not a security enhancement, at all. Clicking links in e-mails in itself is also, contrary to the mantra repeated on the web, in itself not an insecure or dangerous operation. It's only what the user does once they land on a malicious website afterwards that is the problem, and that is no longer in the realm of Epyrus. Proper training in the use of the browser would be more important than telling people to not click links. Of course if the browser in use is not displaying domain identities properly (like some mainstream ones) then that would add even more issues.
In addition, I'd expect corporate environments to handle their endpoint security in different (better) ways.
RealityRipple wrote (2023-09-24, 23:10):
> Pasting the link into your address bar draws your attention to it naturally in the process.
Of course it will not help at all if you're given a long URL that will not show the domain name when pasting (because it's scrolled off to the left) and at that point the first check one would do to verify the domain would be after navigation, which would be exactly equal to what would be the case when just clicking a link and it opening in the browser directly. After all, what is put on the clipboard is not visible/directly viewable to the user. A smart length could even make a spoofed domain inside the URL be the first thing the eye trains on after pasting on common resolutions.
I just don't see how this routine would be more beneficial. One can train someone to manually open a browser and paste a URL, but not make a user aware of the status bar?... :think:
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

moonbat
Knows the dark side
Posts: 4984
Joined: 2015-12-09, 15:45

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by moonbat » 2023-09-24, 23:58

Corporate environments already scan and quarantine external emails as well as any external links not on a whitelist. Office 365 has had this feature for a while.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

BenFenner
Astronaut
Posts: 588
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by BenFenner » 2023-09-25, 00:37

Moonchild wrote (2023-09-24, 23:51):
> It's not a security enhancement, at all. Clicking links in e-mails in itself is also, contrary to the mantra repeated on the web, in itself not an insecure or dangerous operation. It's only what the user does once they land on a malicious website afterwards that is the problem
This is completely untrue, and quite surprising coming from you.

If a web site has CSRF or XSS vulnerabilities that the user is a member of and logged into, then that user following a link in an e-mail can certainly cause them trouble. It could be a bank balance transfer they didn't authorize, or any manner of other obnoxious outcome.

Or of course there are the much more traditional zero-click attacks and drive-by downloads that don't require any action from the user other than clicking on a hyperlink (in an e-mail perhaps).

https://www.wired.com/story/sneaky-zero ... den-menace
https://www.kaspersky.com/resource-cent ... y-download

I could go on, but I'm just going to assume you were high/sleep-deprived when you wrote the above and leave it at that.
Last edited by BenFenner on 2023-09-25, 05:01, edited 1 time in total.

Potkeny
Fanatic
Posts: 132
Joined: 2018-08-03, 17:00

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by Potkeny » 2023-09-25, 03:41

I personally would probably use a feature like that, but I bet 99% of users "being forced" would just copy-paste automatically and never check the url, so it would only help with accidental clicks, and at that point it's like a popup asking if you want to follow the link or not.

Bilbo47
Fanatic
Posts: 240
Joined: 2017-11-18, 04:24

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by Bilbo47 » 2023-09-25, 07:37

> Train someone to manually open a browser and paste a URL, but not make a user aware of the status bar?

It's only partly about modifying behavior and making people browse smarter (which will never work) ... it's more about tracking what people do. You can monitor and log clicks but you can't track where people look and what they see (yet).

> I would use a feature like that

I *already* use links this way, in clients that don't support an Open With extension, especially when the default browser and its current config don't properly support the site I'm opening.

> users would just copy-paste automatically and never check the url ... and at that point it's like a popup asking if you want to follow the link

Agree. How about <AltKey>+Click to actually auto-open links, while bare <Click> only copies the link to the clipboard? This reserves auto-open for users who know what they're doing.

back2themoon
Moon Magic practitioner
Posts: 2411
Joined: 2012-08-19, 20:32

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by back2themoon » 2023-09-25, 09:33

I can see the value of this feature, but the usability change -for the worse- is too great to become the default.
RealityRipple wrote (2023-09-24, 23:10):
> Not to better verify - to FORCE verify.
The problem with enforcement, for the average user at least and assuming this becomes default behaviour, is that after a while they'll soon get annoyed by the extra steps (open browser/address bar/paste/enter) and start moving past them as fast as possible, thus paying less or no attention to the link - defeating the purpose. Reminds me of websites that enforce a password change every 3 months. At some point this becomes so annoying you either stop using them, or create a new password as quickly as possible: a weaker password.

Bilbo47 wrote (2023-09-25, 07:37):
> How about <AltKey>+Click to actually auto-open links, while bare <Click> only copies the link to the clipboard? This reserves auto-open for users who know what they're doing.
Sounds very good but again, as an optional feature.

athenian200
Contributing developer
Posts: 1537
Joined: 2018-10-28, 19:56
Location: Georgia

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by athenian200 » 2023-09-25, 12:02

I have no idea what it would take to implement this, whether it could be done without modifying any platform code with conditionals, etc. But there are a couple of prefs you can flip that might help...

network.protocol-handler.warn-external.http
network.protocol-handler.warn-external.https

If you flip these over to true, Epyrus will prompt you with a dialog box asking whether you're sure you want to proceed, and which application you want to use to open the link. It's not precisely what is being asked for, I know, but it does involve the same idea of making a user think twice about whatever link they are following and giving them a chance to reconsider.

I suspect if you really wanted to, you could make Epyrus attempt to handle http and https links with something other than a web browser, so that clicking on links either does nothing at all or copies the links to the system clipboard. All without any actual modification to Epyrus itself.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by Moonchild » 2023-09-25, 13:31

BenFenner wrote (2023-09-25, 00:37):
> but I'm just going to assume you were high/sleep-deprived when you wrote the above and leave it at that.
I was neither. Well maybe a bit sleep-deprived but I stand by what I wrote.

I repeat that clicking links in e-mail in itself is not an insecure or dangerous operation, and that the danger happens afterwards and invariably by the user's action.
BenFenner wrote (2023-09-25, 00:37):
> If a web site has CSRF or XSS vulnerabilities that the user is a member of and logged into
Really, if that's the case then that would be squarely in the court of that website to take responsibility for. This isn't the task of a mail client. URLs by themselves are not malicious -- all they are are addresses. Throwing roadblocks in the user's way actually making use of hyperlinks will not help in that case either. Copy/pasting a URL that exploits a CSRF or XSS vulnerability will be equally potent as clicking the link and spawning a browser with that click would be.

Now, don't get me wrong, if users are having trouble employing best practices when browsing the web, then it's a good and simple practice to teach people to not click ANY links in ANY e-mails, but that doesn't actually address where the danger lies, and gives the wrong impression that "links are evil". They aren't.

In addition, how would this ever help anyone where the links in an e-mail are click-tracking domains (very common practice)? Those never show the target domain either (and while Epyrus shows a potential scam warning in that case, it's pretty much something everyone ignores these days because notification mails, newsletters etc. etc. all employ statistical trackers these days). How could a user know before navigation whether it's a statistical tracker or a malicious site?

Giving a warning that the user should verify they are on the website they intended to visit after opening the browser is a good practice if necessary for the audience using Epyrus. The biggest danger dealing with "bad" links in e-mail is phishing and social engineering attacks, and that is something easily verified after the browser is opened. The problem is that this becomes a case of "passing the buck" who should allegedly be responsible for the resulting PEBCAK.

As for zero-click downloads, I actually did file a BZ bug about abuse of the click() event scripting element clicks on page visits to automatically initiate downloads, but even with that situation in mind, what is downloaded is not automatically executed. Many websites unfortunately rely on click() for legitimate downloads because they want to have download timers etc. for ad revenue; with that comes the risk of drive-by downloads (but not executions). But even those should not be considered a mail client's responsibility.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
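
Added example (not part of the thread and not Epyrus code): a JavaScript sketch of the checks the two Moonchild posts above discuss, namely showing the real host first however long the URL is, comparing it with the host named in the link text, and surfacing a destination that a click tracker carries in its query string. The function names, flag names and every sample URL are constructed for illustration.

```javascript
// Added illustration; not Epyrus code. All URLs are constructed samples
// using reserved names (example.com, *.test).

// Host named by the visible link text, or null if the text is not URL-like.
function hostInText(text) {
  const m = /^(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[\/:?#]|$)/i.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

// Treat "www.example.com" and "example.com" as the same name when comparing.
const bare = (h) => h.replace(/^www\./, "");

// Describe a link before it is handed to the browser (or the clipboard).
function inspectLink(href, linkText = "", maxLen = 40) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { host: null, label: "[unparseable link]", embeddedHosts: [], flags: ["unparseable"] };
  }
  const flags = [];
  const host = url.hostname; // the name the browser will actually contact

  // A tracker that carries its destination as a parameter can be unwrapped
  // for display; searchParams has already percent-decoded the values.
  const embeddedHosts = [];
  for (const value of url.searchParams.values()) {
    if (!/^https?:\/\//i.test(value)) continue;
    try {
      embeddedHosts.push(new URL(value).hostname);
    } catch { /* value is not a usable URL; ignore it */ }
  }
  if (embeddedHosts.length) flags.push("target-url-in-query");

  // Link text that names one host while the href points at another.
  const shown = hostInText(linkText);
  if (shown && bare(shown) !== bare(host)) flags.push("text-host-differs");

  // Host-first label: the real host cannot scroll out of view, and a
  // look-alike name further along the URL is cut off with the rest.
  const rest = url.pathname + url.search + url.hash;
  const shortRest = rest.length > maxLen ? rest.slice(0, maxLen - 1) + "…" : rest;
  return { host, label: `[${url.host}] ${shortRest}`, embeddedHosts, flags };
}

// Constructed sample links: [href, visible text].
const SAMPLES = [
  // Long URL with a familiar-looking name deep in the path.
  [`https://mail-notice.test/${"x".repeat(80)}/www.example.com/signin`, ""],
  // Click tracker that embeds its destination.
  ["https://click.newsletter.test/r?u=https%3A%2F%2Fwww.example.com%2Faccount&id=abc123",
   "www.example.com/account"],
  // Click tracker with an opaque token: nothing to unwrap before navigation.
  ["https://click.newsletter.test/r/abc123", "View your statement"],
  // Text and target agree.
  ["https://www.example.com/account", "example.com"],
];

function demo() {
  return SAMPLES.map(([href, text]) => inspectLink(href, text));
}

for (const r of demo()) console.log(r.label, r.flags, r.embeddedHosts);
```

The third sample is the case Moonchild raises: with an opaque tracker token there is no destination to show before navigation, so only the host-first label is available.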

BenFenner
Astronaut
Posts: 588
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by BenFenner » 2023-09-26, 00:07

Moonchild wrote (2023-09-25, 13:31):
> I repeat that clicking links in e-mail in itself is not an insecure or dangerous operation, and that the danger happens afterwards and invariably by the user's action.
This is incorrect, as exemplified by my hypotheticals, and the links I provided.

I'm not saying the proposed feature is a good idea (it's not), but to say clicking hyperlinks (or clicking hyperlinks outside of a browser that auto-visit through your default browser) is always safe is just completely ignorant of the facts.

moonbat
Knows the dark side
Posts: 4984
Joined: 2015-12-09, 15:45

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by moonbat » 2023-09-26, 00:41

BenFenner wrote (2023-09-26, 00:07):
> but to say clicking hyperlinks (or clicking hyperlinks outside of a browser that auto-visit through your default browser) is always safe
That's not at all what he said. Maybe you're the one that's sleep deprived :lol:
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Kris_88
Keeps coming back
Posts: 940
Joined: 2021-01-26, 11:18

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by Kris_88 » 2023-09-26, 00:51

Moonchild wrote (2023-09-25, 13:31):
> I repeat that clicking links in e-mail in itself is not an insecure or dangerous operation, and that the danger happens afterwards and invariably by the user's action.
If an attacker sends emails containing a unique link for each email address, then once the link is clicked, the attacker can associate the email address with the user's IP address. Using IP, an attacker can find out the user's location and place of work or school (IP owner, organization domain, domain owner, etc.). This information becomes associated with the email address. And this is extremely undesirable.
It is better not to open any links in emails at all and the email client should not go online for any external content when displaying the email.

moonbat
Knows the dark side
Posts: 4984
Joined: 2015-12-09, 15:45

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by moonbat » 2023-09-26, 05:02

Kris_88 wrote (2023-09-26, 00:51):
> then once the link is clicked
All of this and previous comments are a technological solution for what is essentially PEBKAC. And that's why it never works.
Off-topic:
I mean right here on this forum despite having posting instructions and a freaking template for reporting site errors, people still blithely ignore all of that and expect us to read their mind to find out what URL isn't working :coffee:
In this case - the user has to use their brains and not click on links in unknown emails, or even known ones (confirm from the person who sent it whether they really did, or it was an automated virus spamming attachments to their contacts).
Kris_88 wrote (2023-09-26, 00:51):
> It is better not to open any links in emails at all and the email client should not go online for any external content when displaying the email.
That's not what happens unless the client is itself loading the external website in some embedded browser control (which hasn't been the case for years if ever). The client just hands off URL opening to whatever is set as the default browser. Testing with Interlink, if I click an email link while Interlink is offline, it stays offline and the link just opens in my default browser (Pale Moon). I imagine Epyrus behaves the same way. And both of these clients have inherited the long standing Mozilla Suite or Thunderbird feature of not loading external images and blocking javascript in emails by default.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Kris_88
Keeps coming back
Posts: 940
Joined: 2021-01-26, 11:18

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by Kris_88 » 2023-09-26, 12:55

moonbat wrote (2023-09-26, 05:02):
> All of this and previous comments are a technological solution for what is essentially PEBKAC. And that's why it never works.
You may laugh, but this is what I do with links in emails - I copy the link to the clipboard, and then paste it into a special browser (not the default one). Of course, only if I really need to open that link and those are very rare cases.
So I understand where the idea the OP is proposing came from...
moonbat wrote (2023-09-26, 05:02):
> In this case - the user has to use their brains and not click on links in unknown emails, or even known ones (confirm from the person who sent it whether they really did, or it was an automated virus spamming attachments to their contacts).
It seems to me more and more that too much responsibility is placed on the user to make decisions about trust or distrust. Despite the fact that the user has no real information. “Do you trust this program?”, “do you trust this site?”, “do you trust this link?” etc. And this is taking into account the fact that each license has a disclaimer. So on what basis can I trust? :D
In my opinion, there is some big ideological problem in operating systems that leads to placing unnecessary responsibility on the user...

athenian200
Contributing developer
Posts: 1537
Joined: 2018-10-28, 19:56
Location: Georgia

Re: Security Request: Fundamentally change the way non-mailto links work

Unread post by athenian200 » 2023-09-26, 14:02

Kris_88 wrote (2023-09-26, 12:55):
> It seems to me more and more that too much responsibility is placed on the user to make decisions about trust or distrust. Despite the fact that the user has no real information. “Do you trust this program?”, “do you trust this site?”, “do you trust this link?” etc. And this is taking into account the fact that each license has a disclaimer. So on what basis can I trust? :D
> In my opinion, there is some big ideological problem in operating systems that leads to placing unnecessary responsibility on the user...
Off-topic:
You are absolutely correct that it's a question of ideology, and the truth is that most major governments and trade associations are increasingly coming down on the side of things that says the user should not be given the responsibility, and decisions should be made for them by large corporations or the government about what should or shouldn't be trusted. Increasingly, that kind of policy (and ideology) leads to Epyrus simply not being trusted by a lot of services simply because I can't afford to buy trust by going through verification processes and partnerships that larger projects and corporations can afford to go through. Everything from code signatures to OAuth2 is a sign that the world is going in precisely the direction you suggest, of not trusting the user, not giving them the responsibility, and instead placing their safety in more capable hands. And that direction is pretty much the reason why one day there will be no Epyrus.

You're not the only one in the world that thinks this way, a lot of very smart people have come to the same conclusions as you. But I will say that Epyrus is primarily for people who don't think this way, for those who are upset that control is being taken from the user and decisions are being made for them. In other words, you've given me enough information about your philosophy on security to rather confidently say that Epyrus is not for you, and you probably shouldn't use it, because it really isn't headed in the direction you want, and will likely cease to exist one day because broader forces are pushing in the direction you suggest.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind