
Have the ability to have an interstitial page for outbound Phurl links.
Closed, Wontfix (Public)

Description

Having an interstitial page for Phurl links could be seen as a security improvement in certain situations. For example, HackerOne has the following when clicking on a link:

[Screenshot: Screen Shot 2015-11-02 at 6.32.46 PM.png]

It shows a kinda scary warning and the URL where the user would end up.

This would probably be something that could be configured by the administrators (on/off).

Event Timeline

Mnkras updated the task description.
Mnkras added a project: Phurl.
Mnkras added a subscriber: Mnkras.

Can you give me a specific scenario where this would be useful?

This is probably geared towards more public installs, where short URLs could be abused (such as this one).

A possible example: some malicious user creates a short URL to http://somesuperevil.site.
Short URL is https://secure.phabricator.com/u/666.
They mask that URL and do something like:

[[ https://secure.phabricator.com/u/666 |  https://secure.phabricator.org/T12345 ]]

And post somewhere (be it on this install or elsewhere). Even users that have learned to check URLs by mousing over them will see that it is for secure.phabricator.com, and most likely trust it.

e.g.:

Hey ppls on the interwebz, for some reason I can't see this task:
https://secure.phabricator.org/T12345

Whatever user clicks on that would be directed to the malicious site.

I understand this is kind of out there and theoretical, but I thought I would bring it up.
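The masked link in the scenario above can be flagged mechanically when comments are rendered or reviewed. The following is an added example, not part of the original task or of Phabricator's code: a Python check that reports remarkup named links whose visible label is a URL different from the real target, or whose target is a short-URL redirect on a trusted host. The `/u/<id>` path pattern is an assumption taken from the example URL in the comment, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Remarkup named link: [[ target | display text ]]
NAMED_LINK = re.compile(r"\[\[\s*(?P<target>[^|\]]+?)\s*\|\s*(?P<text>[^\]]+?)\s*\]\]")
# Assumption: Phurl short links live under /u/<id or alias>, as in the task's example.
PHURL_PATH = re.compile(r"^/u/[^/]+/?$")


def _as_url(value):
    """Return a parsed URL if value looks like an http(s) URL, else None."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. malformed bracketed host
        return None
    return parts if parts.scheme in ("http", "https") and parts.hostname else None


def audit_links(remarkup, trusted_hosts):
    """Return (target, text, reasons) for named links whose label may mislead."""
    findings = []
    for match in NAMED_LINK.finditer(remarkup):
        target, text = match.group("target"), match.group("text")
        target_url, text_url = _as_url(target), _as_url(text)
        if target_url is None:
            continue  # wiki-style or relative target; out of scope here
        reasons = []
        if text_url is not None:
            if text_url.hostname != target_url.hostname:
                reasons.append("label-host-differs-from-target")
            elif text_url.path != target_url.path:
                reasons.append("label-path-differs-from-target")
        if target_url.hostname in trusted_hosts and PHURL_PATH.match(target_url.path):
            reasons.append("target-is-short-url-redirect")
        if reasons:
            findings.append((target, text, reasons))
    return findings


# Constructed sample comment built from the task's own example link.
SAMPLE = (
    "Hey, for some reason I can't see this task:\n"
    "[[ https://secure.phabricator.com/u/666 | https://secure.phabricator.org/T12345 ]]\n"
    "Docs are at [[ https://secure.phabricator.com/book/phabricator/ | the user guide ]]."
)

if __name__ == "__main__":
    for target, text, reasons in audit_links(SAMPLE, {"secure.phabricator.com"}):
        print(f"{text!r} -> {target}: {', '.join(reasons)}")
```

A link whose label is plain text, like the second one in the sample, is not reported; only labels that themselves look like URLs are compared against the target.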

epriestley claimed this task.

I think this is exceedingly mild/theoretical.

I think a better version of this attack would be to register phabrciator.com or phabrlcator.com, which we could only prevent by putting an interstitial on every outbound link. Maybe we'll do this someday, but I don't think this threat is very credible, and it's incredibly annoying in the 99.999% of false positive cases.