
Consider roadblocking redirects from Phurl in some cases
Open, Wishlist, Public

Description

This is a future feature that we don't really have use cases for right now, but I figure it is likely to come up eventually so I wanted to sketch out the basics of a discussion about it.

Currently, we redirect to Phurl targets without prompting the user. This is generally good and desirable, but can have some security implications.

In most cases, an attacker who wanted to do this could use another redirector (like bit.ly) to accomplish the same goal, but Phurl is different in at least a couple of specific ways:

  • human users (particularly less-technical users) may trust a phabricator.example.com domain more than a bit.ly domain; and
  • systems like OAuth (as in T9744) may trust a phabricator.example.com domain more than a bit.ly domain.

The most common way to mitigate these threats is to require the user to explicitly confirm a prompt in a big scary dialog that looks like this:

+================================+
| THIS PATHWAY LEADS TO MADNESS  |
+================================+
| If you continue, you will      |
| leave this site and instantly  |
| die.                           |
+--------------------------------+
| [ Stay Safe ] [ Die Horribly ] |
+--------------------------------+

We could do something similar. However, these dialog boxes are:

  • incredibly annoying for experienced users who understand how the internet works; and
  • not clearly helpful in saving inexperienced users from falling prey to phishing attacks.

I'd like to see solid use cases motivating these roadblocks as valuable before pursuing them.

If we did pursue them, we could maybe mitigate the cost to experienced users by doing something like this:

Link created by epriestley on Feb 3, 2016.

  • Always trust links from epriestley

But before pursuing any of this I'd like a good argument for doing it at all in any cases.
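As an added sketch (not Phabricator or Phurl code) of the policy described above: same-site targets redirect immediately, external targets get the confirmation interstitial unless the viewer has chosen to always trust the link's author. The `ShortLink`/`Viewer` records, the install host value, and every username except epriestley are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical Phurl-like record: a short link has an author and a target.
@dataclass(frozen=True)
class ShortLink:
    alias: str
    author: str
    target: str

# Hypothetical per-viewer trust list ("Always trust links from epriestley").
@dataclass
class Viewer:
    username: str
    trusted_authors: set = field(default_factory=set)

def is_same_site(target: str, install_host: str) -> bool:
    """True when following the target keeps the viewer on this install:
    a path-only URL, or an http(s) URL whose host is the install host
    (include the port in install_host if the install uses one)."""
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # mailto: and other non-http(s) schemes never count as same-site
    # A scheme-relative URL ("//other.example/x") has a netloc, so it is external.
    return parts.netloc == "" or parts.netloc.lower() == install_host.lower()

def redirect_decision(link: ShortLink, viewer: Viewer, install_host: str) -> str:
    """Return "redirect" to send the viewer straight to the target, or
    "interstitial" to show the confirmation dialog first."""
    if is_same_site(link.target, install_host):
        return "redirect"
    if link.author == viewer.username or link.author in viewer.trusted_authors:
        return "redirect"  # viewer opted in to always trust this author
    return "interstitial"

def grant_trust(viewer: Viewer, author: str) -> Viewer:
    """Record the "Always trust links from <author>" choice for this viewer."""
    viewer.trusted_authors.add(author)
    return viewer
```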