Preventing malicious linking

(John ) #1

Continuing the discussion from How Coinbase Uses Discourse to Educate Customers and Improve SEO:

If I understand, that warning would be shown to anyone who clicks on a link posted by a TL0 user?

What if a TL0 users posts a link to one of our KB articles, or StackOverflow, or Wikipedia? I suppose we could whitelist domains, but it seems like all users are being punished instead of the new user being asked to gain trust.

If that was only shown until moderator review, it could work.

Link warning outside of forums
Optionally add noreferrer to external links
(Jeff Atwood) #2

No, it would be global for all TL0 user links outside the main domain. Turning it into a manual URL review queue would be a big jump in complexity and UI.

(John ) #3

Makes sense, it would just feel a bit silly to see a security warning on a wikipedia link.

(cpradio) #4

I agree. Almost would need the ability to turn this off, as for our given instance, links are typical, most go to CodePen, or JSFiddle, SQL Fiddle, etc. Sometimes to the user’s own site because they are trying to work out an issue of some sort. In no way would we want to display such a warning on all TL 0 links that link to external resources.

Even whitelisting would be extremely difficult for our community (unfortunately). So if it could be enabled by default, with the ability to turn it off, that’s be great!

(Rafael dos Santos Silva) #5

Enabling by default with a option to turn off. :thumbsup:

Btw, I suggest taking a look at how Steam chat does this, the wording of their message, because they are a big pishing target.

(Jeff Atwood) #6

Can you post a screenshot?

(Rafael dos Santos Silva) #7

Looks like there are two versions:

Normal Link:

Possible phishing: (maybe when the link and hostname are similar?)

(Jeff Atwood) #8

After thinking about it, I have very little enthusiasm for this feature. I view it as borderline useless, a lawyerly way of CYA without any real effect on user behavior. It’s just another meaningless warning that appears all the time on external links that users quickly learn to click past without thinking to get where they want to go.

What would work is a plugin that checks domains server-side against a known blacklist of dangerous domains and warns ONLY when attempting to visit known bad domains.

But then again, this is best done at the browser level not at the website level. So the protection would then be global.

(Evgeny) #9

This can be a very good function. Several users have already asked to do this and I was thinking about implementing it with the help of a plugin. If it’s in the core, then it’s very good.

(Jeff Atwood) #10

If @erlend_sh wants to add such a plugin to the :sparkles: ENCOURAGEMENT fund, that is up to him. Seems like an OK candidate, provided it only warns on known bad domains as stated above.

Global warn on every outgoing link is very, very bad as you are training users to ignore warnings. So bad.

(Evgeny) #11

In the social network Vkontakte, that’s exactly how it is implemented. Transitions to the bad domains open the window. The administration has the option to manually add any domain.


External link icons are pretty common practice these days though. Not a warning but an indicator…

(Jeff Atwood) #13

I don’t historically derive much value from that kind of indicator, though. Plus we already mini-onebox internal links, like this… Preventing malicious linking … so we already have a “different” version of links.

Plus full oneboxing!

(Nathaniel Suchy) #14

Why not rewrite to the HTTPS version? It’s astounding they don’t use an HTTP 301 redirect to HTTPS, but for trusted domains / domains that return a 301 upon Discourse reviewing the post and post content it could work.

(Jeff Atwood) #15

This has very little to do with https, it is about malicious domains in general. Which could be https, that part is not relevant.

(Sudaraka Jayathilaka) #16

Hi all,
I’m really happy to build a plugin for the above mentioned task. I am thinking of using Google Safe Browsing API. I tried some sites with the api. Its giving good results

I’m thinking of two ways of triggering this check. We can either check the url when it’s added and add a flag or else we can check when the url is clicked. But I think the first way is better. What u guys think ?

(Bhanu Sharma) #17

Adding a flag seems like a better idea as checking everytime someone clicks doesn’t seems very resource friendly.
though adding a warning modal to all the flagged links when clicked seems like a bonus.

(Sudaraka Jayathilaka) #18

My idea was the same. We can reduce the API hits that way. :slight_smile:

(Bhanu Sharma) #19

Exactly! and that way, everyone clicking it can be warned in advance that the link isn’t trusted.

(Jeff Atwood) #20

Only check the first time it is clicked and then save the result. It simply does not matter one way or the other when a link is never clicked.

But what about a year later, can a link become safe?