Double PSA (I guess)

[conuly]

So, bare URLs are potentially an accessibility issue. And I said that on reddit to somebody with this gargantuan link, like four lines long, and he replied that "back in the day" people had to post bare URLs "for safety".

Now, I don't know what day that was when most browsers didn't let you hover over link text to see where the URL leads, but you should absolutely be in the habit of doing that today because it's still pretty easy to spoof links in this way. Observe:

https://www.dreamwidth.org

If that link actually goes to Dreamwidth then I'll delete this post and you'll all win an imaginary gold star and so will that person, who also tried to tell me that viewing the destination of a link without clicking is not an option on all smartphones. A simple search suggests that, in fact, this is a standard feature of browsers, including mobile browsers, and I certainly hope so. If anybody out there is still relying on "oh, it's a bare URL" for safety then they are putting themselves at risk.

But I don't know, information doesn't spread out evenly, so maybe this will be helpful to somebody else.

Comments

[meowmensteen]

half the time when I see a link, I just hover and never bother to actually click. I use a script blocker, so I always have to figure out which ones to let run to make a site work enough for my uses. 9/10 times it isn't worth it. I'm so glad dreamwidth works okay with no scrips, and better if you just allow their own script. Livejournal used to be like that, but that was a long time ago.

[conuly]

Hovertext ftw.

[shadowkat]

The DW link went to Google.

[conuly]

Unsurprisingly, really.

[redbird]

"Back in the day," filenames had to be no more than six characters long, plus one of a small number of three-letter extensions.

"Back in the day," spam was "make money fast" or "millions of $location singles want to meet you," and my cell phone was a phone, not a pocket computer with a better camera than most amateurs would have dreamed of buying, which could also, among many other things, make phone calls.

[conuly]

> "Back in the day," filenames had to be no more than six characters long,

God, that sounds like a nightmare.

[fred_mouse]

The student computer club where I went to uni had usernames limited to three alphabet characters. To my understanding, they have preserved that, even though a) they don't need to and b) at some point they are going to run out.

[hashiveinu]

Eight characters! Eight! Does AUTOEXEC.BAT mean nothing to you??

[redbird]

You're right, of course.

And the username the Yale Computer Center assigned me back then, which I still use in some places, was seven characters.

[goljerp]

Yalevm.ycc.yale.edu for the win! Or at least I think that was the address; I'm pretty sure about the Yalevm part...

[ckd]

Eight on CP/M, MS-DOS, and derivatives. Six on TOPS-10 (which ran on the PDP-10 which was a 36-bit machine, so 6 6-bit bytes).

[chanter1944]

Yep, hidden/spoofed URLs like that are an accessibility issue for sure. So says she who uses a screenreader and is still stymied by the concept of hovering over a thing. I get the theory, but have no idea how it can be done via keystrokes rather than the magic mouse of working eyes.

[conuly]

You’d think there’d be a solution. Like being able to say “read URL of link whatever”?

[chanter1944]

Or a menu option when you right click. One that doesn't take you into a morass of impenetrable developer lingo. Yes, I tried.

[siliconshaman]

Way back when I got into the habit of hovering over links so a little pop-up would tell where the link went, it's been a feature in firefox long enough I don't know how long for.

9/10 it's ok, but that tenth time makes me glad I do it.

[conuly]

...has this not been a feature on every browser ever since at least the 1990s? I remember doing that back in middle school.

[siliconshaman]

Aye, that'd be about when. Like I said, way back.

[tcpip]

Screen-readers should read words not character-by-character.

URLs for link text protect against phishing, which is as common as mud these days.

[conuly]

URLs for link text protect against phishing

No, it doesn't. It absolutely does not do that. It's just too easy to spoof it - I used one extremely simple method in my post. Did you click on the link?

[tcpip]

You misunderstand, I am agreeing with you.

[agoodwinsmith]

Thank you. I hadn't solidified in my head that URLs could be tinkered with so completely.

I like using naked URLs because (a) I know how to do that, (b) I like looking at a link and getting the gist of the article from the words included in it, and (c) I was frightened in my pram by one of those "tinyurl" things and have never trusted them again.


I agree about those alphabet salad URLs that could go anywhere and be anything, and are just crazy self-important..

[conuly]

I know how to do that,

Well, most places that allow you to post URLs at all will allow you to use basic HTML or will even have some form of rich text editor. To make a link you use the a href tag.

And it does really seem to be an agreed-upon accessibility issue, unlike all caps which does seem to be somewhat overstated in the present day when it comes to screenreaders, anyway, though it's still just generally harder for people to read and should still be avoided for large passages.

[elf]

Link-text URLs don't prevent phishing/scams; you can make it say one thing and go to another spot. But the reader has the option of selecting the link text and copy-pasting that into their own new browser tab, bypassing any redirect or affiliate links or whatever might be attached to the original link. I am endlessly annoyed that I get links in emails that go through several filters before they get to their goal.

* https://04sup.mjt.lu/lnk/AU8AAFFoOX0AAAAEdsgAAA3HkRMAAAAAWf4AASAsABzi6gBnAt8-AMJwP72kQQyZz4eWc49M9AAahDw/1/hOgwX7tUe3etc5mwXDH1AA/aHR0cHM6Ly93d3cuc3VwZXJkdXBlcmJ1cmdlcnMuY29tL3N0b3JlLWxvY2F0b3Iv
* https://mandrillapp.com/track/click/30879197/www.creativefabrica.com?p=eyJzIjoicWh0Um9PZF9Pd1VSS3FHVlNfdHJyRWFVN3NnIiwidiI6MSwicCI6IntcInVcIjozMDg3OTE5NyxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5jcmVhdGl2ZWZhYnJpY2EuY29tXFxcL2RhaWx5LWdpZnRzXFxcLz91dG1fc291cmNlPW1hbmRyaWwmdXRtX21lZGl1bT1lbWFpbCZ1dG1fY2FtcGFpZ249ZGFpbHlnaWZ0c1wiLFwiaWRcIjpcImUzYmVmYWZkYTdjMzQ2NTE4OThhOGYwZjhmNDFlZmRiXCIsXCJ1cmxfaWRzXCI6W1wiODFjMGFmMTI3ZDBjYjhlZWRkNmI1MGRkZDU2NGY3ZjhlYzFmM2Y2MFwiXX0ifQ
* https://e.mailer.humblebundle.com/c2/102:66ff064da3c85d03610d9ea1:ot:56c3d867733462ca893f1e57:1/476900d9?jwtH=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9&jwtP=eyJpYXQiOjE3MjgyMjM2MDgsImNkIjoiLm1haWxlci5odW1ibGVidW5kbGUuY29tIiwiY2UiOjg2NDAwLCJ0ayI6Imh1bWJsZWJ1bmRsZWxpdmUiLCJtdGxJRCI6IjY2ZmYwZDZmMDg3N2NkMDczZDA4MDk3ZCIsImxpbmtVcmwiOiJodHRwczpcL1wvd3d3Lmh1bWJsZWJ1bmRsZS5jb21cL3N0b3JlXC9wcm9tb1wvd2FyaGFtbWVyLWRheS1zYWxlLTIwMjRcLz9tY0lEPTEwMjo2NmZmMDY0ZGEzYzg1ZDAzNjEwZDllYTE6b3Q6NTZjM2Q4Njc3MzM0NjJjYTg5M2YxZTU3OjEmbGlua0lEPXskbGlua0lEfSZ1dG1fc291cmNlPUh1bWJsZStCdW5kbGUrTmV3c2xldHRlciZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj0yNDEwMDZfaGlnaGxpZ2h0cyJ9&jwtS=5-GIfOiSuFlI41wTjZMUGOv3WIVGuP2voY2A6_T3o24

...at least I can be fairly sure that last one goes to HumbleBundle.

(They are safe links - one burger ad, one Creative Fabrica daily specials, and whatever sale HumbleBundle is running right now.)

I wish emails included the destination URLs. Of course, if they do that, they don't get to collect marketing data.

In your example - if I put "https://www.dreamwidth.org" in a browser tab, it goes where I want it to.

If you change the text to say "Dreamwidth" while leaving the link the same, I don't have the instructions to get to Dreamwidth. (Dreamwidth is pretty easy to find. A link to a specific AO3 story is not - if the text just says "Story Title," but the URL is wrong (or deliberately a scam), I don't have a way to get to that story.

Posting the bare URL isn't "this is safe" but "if you're worried this might not be safe, this is how you can check it out on your own."

I do agree that best practices are "make the text something usefully descriptive and make it a clickable link." I can understand the people who want to provide full URLs for paranoid readers... those can go at the end of the page in a cluster if they're that worried about it.

[conuly]

I can understand the people who want to provide full URLs for paranoid readers

I genuinely think that doing this ingrains bad habits into those readers. If they're paranoid then they need to develop the habit of using the hovertext option each and every time, which they won't do if people just post the bare URLs for them.

[elf]

Hovertext is not useful on the above links. That doesn't tell me what the actual destination is. (Marketing teams absolutely do not want to provide the destination URLs, and they also don't want to show the full URL with all the data-harvesting stuff attached.)

And if you get most of your links in emails and they look like those - you get out of the habit of checking hover text, because when you try it, mostly the link is incomprehensible so you have to just click it and hope it goes somewhere useful.

[conuly]

Yeah, nothing's gonna help with those monstrosities, but presumably paranoid people are not clicking those anyway. If they want the deal so much, they'll type the site name into the address bar and see if there's an obvious way to go from there.