WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: [WebAIM Forum] Hyperlink Accessibility vs. Security


From: Carly Gerard
Date: Sep 28, 2017 2:38PM

No worries Angela, I can try to explain better--although that's another good point to consider, the fact that URLs may be malicious in themselves. We know that hyperlinks need to have meaningful text to be accessible to AT, such as in the following example:

<a href="https://domain.com/link-to-pdf ">Open Example PDF</a>

In this case, a user would see the hyperlink as "Open Example PDF," and wouldn't see the actual URL. According to the email I received from our tech services, however, it sounds like they've heard to make the URL visible (and not use meaningful hyperlink text) for security purposes. Brief searches online have led me to phishing awareness articles that have also suggested this practice.

This leads me to wonder how to consider both accessibility and security in this matter, and how I should start that discussion.

I hope my explanation makes sense, and that maybe there's a reasonable solution.

From: WebAIM-Forum < <EMAIL REMOVED> > on behalf of Angela French < <EMAIL REMOVED> >
Sent: Thursday, September 28, 2017 12:11:09 PM
To: WebAIM Discussion List
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Perhaps I am misunderstanding you, but you can still have a bad link behind what looks like a good one . For example:

<a href="www.malicioussite.com">www.goodsite.com</a<http://www.malicioussite.com">www.goodsite.com</a>>

-----Original Message-----
From: WebAIM-Forum [mailto: <EMAIL REMOVED> ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 11:13 AM
To: WEBAim Forum < <EMAIL REMOVED> >
Subject: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Hello WebAIM,

I have gotten questions from fellow colleagues in tech services about embedding links in text (i.e. meaningful hyperlinks). They seem to understand the need for it as far as accessibility goes, but are also concerned about phishing attempts. According to our tech user services department, making URLs visible is a good practice in preventing phishing attempts both ways. Kaspersky did an article that verifies not opening embedded links<https://usa.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips>, but I'm not sure when it was written.

Has anyone encountered security issues from using meaningful hyperlink text and not making the URL visible?

Thank you,


Carly Gerard | Web Accessibility Developer <EMAIL REMOVED> <mailto: <EMAIL REMOVED> >
Web Communication Technologies
University Relations & Marketing
How did I do? Please leave feedback.<https://wwu.az1.qualtrics.com/jfe/form/SV_br2NhzupyEtQTTT?Q_SDID=SD_87CoVYO6SFgylVz>