WebAIM - Web Accessibility In Mind

E-mail List Archives

Thread: [WebAIM Forum] Hyperlink Accessibility vs. Security

for

Number of posts in this thread: 8 (In chronological order)

From: Carly Gerard
Date: Thu, Sep 28 2017 12:12PM
Subject: [WebAIM Forum] Hyperlink Accessibility vs. Security
No previous message | Next message →

Hello WebAIM,


I have gotten questions from fellow colleagues in tech services about embedding links in text (i.e. meaningful hyperlinks). They seem to understand the need for it as far as accessibility goes, but are also concerned about phishing attempts. According to our tech user services department, making URLs visible is a good practice in preventing phishing attempts both ways. Kaspersky did an article that verifies not opening embedded links<https://usa.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips>, but I'm not sure when it was written.


Has anyone encountered security issues from using meaningful hyperlink text and not making the URL visible?


Thank you,


Carly


Carly Gerard | Web Accessibility Developer
= EMAIL ADDRESS REMOVED = <mailto: = EMAIL ADDRESS REMOVED = >
Web Communication Technologies
University Relations & Marketing
How did I do? Please leave feedback.<https://wwu.az1.qualtrics.com/jfe/form/SV_br2NhzupyEtQTTT?Q_SDID=SD_87CoVYO6SFgylVz>

From: Angela French
Date: Thu, Sep 28 2017 1:11PM
Subject: Re: [WebAIM Forum] Hyperlink Accessibility vs. Security
← Previous message | Next message →

Perhaps I am misunderstanding you, but you can still have a bad link behind what looks like a good one . For example:

<a href="www.malicioussite.com">www.goodsite.com</a>

-----Original Message-----
From: WebAIM-Forum [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 11:13 AM
To: WEBAim Forum < = EMAIL ADDRESS REMOVED = >
Subject: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Hello WebAIM,


I have gotten questions from fellow colleagues in tech services about embedding links in text (i.e. meaningful hyperlinks). They seem to understand the need for it as far as accessibility goes, but are also concerned about phishing attempts. According to our tech user services department, making URLs visible is a good practice in preventing phishing attempts both ways. Kaspersky did an article that verifies not opening embedded links<https://usa.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips>, but I'm not sure when it was written.


Has anyone encountered security issues from using meaningful hyperlink text and not making the URL visible?


Thank you,


Carly


Carly Gerard | Web Accessibility Developer = EMAIL ADDRESS REMOVED = <mailto: = EMAIL ADDRESS REMOVED = >
Web Communication Technologies
University Relations & Marketing
How did I do? Please leave feedback.<https://wwu.az1.qualtrics.com/jfe/form/SV_br2NhzupyEtQTTT?Q_SDID=SD_87CoVYO6SFgylVz>

From: Carly Gerard
Date: Thu, Sep 28 2017 2:38PM
Subject: Re: [WebAIM Forum] Hyperlink Accessibility vs. Security
← Previous message | Next message →

No worries Angela, I can try to explain better--although that's another good point to consider, the fact that URLs may be malicious in themselves. We know that hyperlinks need to have meaningful text to be accessible to AT, such as in the following example:

<a href="https://domain.com/link-to-pdf ">Open Example PDF</a>

In this case, a user would see the hyperlink as "Open Example PDF," and wouldn't see the actual URL. According to the email I received from our tech services, however, it sounds like they've heard to make the URL visible (and not use meaningful hyperlink text) for security purposes. Brief searches online have led me to phishing awareness articles that have also suggested this practice.


This leads me to wonder how to consider both accessibility and security in this matter, and how I should start that discussion.


I hope my explanation makes sense, and that maybe there's a reasonable solution.

From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > on behalf of Angela French < = EMAIL ADDRESS REMOVED = >
Sent: Thursday, September 28, 2017 12:11:09 PM
To: WebAIM Discussion List
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Perhaps I am misunderstanding you, but you can still have a bad link behind what looks like a good one . For example:

<a href="www.malicioussite.com">www.goodsite.com</a<http://www.malicioussite.com">www.goodsite.com</a>>

-----Original Message-----
From: WebAIM-Forum [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 11:13 AM
To: WEBAim Forum < = EMAIL ADDRESS REMOVED = >
Subject: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Hello WebAIM,


I have gotten questions from fellow colleagues in tech services about embedding links in text (i.e. meaningful hyperlinks). They seem to understand the need for it as far as accessibility goes, but are also concerned about phishing attempts. According to our tech user services department, making URLs visible is a good practice in preventing phishing attempts both ways. Kaspersky did an article that verifies not opening embedded links<https://usa.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips>, but I'm not sure when it was written.


Has anyone encountered security issues from using meaningful hyperlink text and not making the URL visible?


Thank you,


Carly


Carly Gerard | Web Accessibility Developer = EMAIL ADDRESS REMOVED = <mailto: = EMAIL ADDRESS REMOVED = >
Web Communication Technologies
University Relations & Marketing
How did I do? Please leave feedback.<https://wwu.az1.qualtrics.com/jfe/form/SV_br2NhzupyEtQTTT?Q_SDID=SD_87CoVYO6SFgylVz>

From: Patrick H. Lauke
Date: Thu, Sep 28 2017 3:35PM
Subject: Re: [WebAIM Forum] Hyperlink Accessibility vs. Security
← Previous message | Next message →

On 28/09/2017 21:38, Carly Gerard wrote:
>
> No worries Angela, I can try to explain better--although that's another good point to consider, the fact that URLs may be malicious in themselves. We know that hyperlinks need to have meaningful text to be accessible to AT, such as in the following example:
>
> <a href="https://domain.com/link-to-pdf ">Open Example PDF</a>
>
> In this case, a user would see the hyperlink as "Open Example PDF," and wouldn't see the actual URL. According to the email I received from our tech services, however, it sounds like they've heard to make the URL visible (and not use meaningful hyperlink text) for security purposes. Brief searches online have led me to phishing awareness articles that have also suggested this practice.
>
>
> This leads me to wonder how to consider both accessibility and security in this matter, and how I should start that discussion.
>
>
> I hope my explanation makes sense, and that maybe there's a reasonable solution.

User agents offer mechanisms to check where a link goes to. In most
browsers, focus a link with the keyboard / hover over it with the mouse,
and you'll see an indication of the URL it goes to in the bottom toolbar
of the browser, for instance.

As it's trivially easy to make a link *appear* to point one place while
actually pointing somewhere else (as Angela said), users should *never*
rely on what they see in clear text (be it human friendly text or an
apparent URL); they should use whatever their user agent offers; lastly,
once they land somewhere, they should always look at their browser's
address bar to confirm they're indeed where they expected to be. The
onus is on the user to do this. You as a site owner/maintainer are
obviously in control of where your links go. And saying that links
should just have their URLs visible will provide nothing but a false
sense of security to users (as, again, the visible text can easily
differ from the actual target of the link).

There is no reasonable solution other than users being aware of where
links go / checking once they got there. Nothing for content authors to do.

P
--
Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke

From: Angela French
Date: Thu, Sep 28 2017 3:37PM
Subject: Re: [WebAIM Forum] Hyperlink Accessibility vs. Security
← Previous message | Next message →

OH, you mean to just spell out a URL and not make it a hyperlink at all? Ugh.

-----Original Message-----
From: WebAIM-Forum [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 1:39 PM
To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security


No worries Angela, I can try to explain better--although that's another good point to consider, the fact that URLs may be malicious in themselves. We know that hyperlinks need to have meaningful text to be accessible to AT, such as in the following example:

<a href="https://domain.com/link-to-pdf ">Open Example PDF</a>

In this case, a user would see the hyperlink as "Open Example PDF," and wouldn't see the actual URL. According to the email I received from our tech services, however, it sounds like they've heard to make the URL visible (and not use meaningful hyperlink text) for security purposes. Brief searches online have led me to phishing awareness articles that have also suggested this practice.


This leads me to wonder how to consider both accessibility and security in this matter, and how I should start that discussion.


I hope my explanation makes sense, and that maybe there's a reasonable solution.

From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > on behalf of Angela French < = EMAIL ADDRESS REMOVED = >
Sent: Thursday, September 28, 2017 12:11:09 PM
To: WebAIM Discussion List
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Perhaps I am misunderstanding you, but you can still have a bad link behind what looks like a good one . For example:

<a href="www.malicioussite.com">www.goodsite.com</a<http://www.malicioussite.com">www.goodsite.com</a>>

-----Original Message-----
From: WebAIM-Forum [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 11:13 AM
To: WEBAim Forum < = EMAIL ADDRESS REMOVED = >
Subject: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Hello WebAIM,


I have gotten questions from fellow colleagues in tech services about embedding links in text (i.e. meaningful hyperlinks). They seem to understand the need for it as far as accessibility goes, but are also concerned about phishing attempts. According to our tech user services department, making URLs visible is a good practice in preventing phishing attempts both ways. Kaspersky did an article that verifies not opening embedded links<https://usa.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips>, but I'm not sure when it was written.


Has anyone encountered security issues from using meaningful hyperlink text and not making the URL visible?


Thank you,


Carly


Carly Gerard | Web Accessibility Developer = EMAIL ADDRESS REMOVED = <mailto: = EMAIL ADDRESS REMOVED = >
Web Communication Technologies
University Relations & Marketing
How did I do? Please leave feedback.<https://wwu.az1.qualtrics.com/jfe/form/SV_br2NhzupyEtQTTT?Q_SDID=SD_87CoVYO6SFgylVz>

From: Carly Gerard
Date: Thu, Sep 28 2017 3:42PM
Subject: Re: [WebAIM Forum] Hyperlink Accessibility vs. Security
← Previous message | Next message →

Pretty much, basically the hyperlink is the URL and not meaningful at all. From my end a little bit annoying! Am curious if anyone has encountered something like that before, or suggestions to advocate the importance of accessibility without dismissing security concerns.

From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > on behalf of Angela French < = EMAIL ADDRESS REMOVED = >
Sent: Thursday, September 28, 2017 2:37:51 PM
To: WebAIM Discussion List
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

OH, you mean to just spell out a URL and not make it a hyperlink at all? Ugh.

-----Original Message-----
From: WebAIM-Forum [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 1:39 PM
To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security


No worries Angela, I can try to explain better--although that's another good point to consider, the fact that URLs may be malicious in themselves. We know that hyperlinks need to have meaningful text to be accessible to AT, such as in the following example:

<a href="https://domain.com/link-to-pdf ">Open Example PDF</a>

In this case, a user would see the hyperlink as "Open Example PDF," and wouldn't see the actual URL. According to the email I received from our tech services, however, it sounds like they've heard to make the URL visible (and not use meaningful hyperlink text) for security purposes. Brief searches online have led me to phishing awareness articles that have also suggested this practice.


This leads me to wonder how to consider both accessibility and security in this matter, and how I should start that discussion.


I hope my explanation makes sense, and that maybe there's a reasonable solution.

From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > on behalf of Angela French < = EMAIL ADDRESS REMOVED = >
Sent: Thursday, September 28, 2017 12:11:09 PM
To: WebAIM Discussion List
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Perhaps I am misunderstanding you, but you can still have a bad link behind what looks like a good one . For example:

<a href="www.malicioussite.com">www.goodsite.com</a<http://www.malicioussite.com">www.goodsite.com</a<http://www.malicioussite.com">www.goodsite.com</a<http://www.malicioussite.com">www.goodsite.com</a>>>

-----Original Message-----
From: WebAIM-Forum [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 11:13 AM
To: WEBAim Forum < = EMAIL ADDRESS REMOVED = >
Subject: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Hello WebAIM,


I have gotten questions from fellow colleagues in tech services about embedding links in text (i.e. meaningful hyperlinks). They seem to understand the need for it as far as accessibility goes, but are also concerned about phishing attempts. According to our tech user services department, making URLs visible is a good practice in preventing phishing attempts both ways. Kaspersky did an article that verifies not opening embedded links<https://usa.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips>, but I'm not sure when it was written.


Has anyone encountered security issues from using meaningful hyperlink text and not making the URL visible?


Thank you,


Carly


Carly Gerard | Web Accessibility Developer = EMAIL ADDRESS REMOVED = <mailto: = EMAIL ADDRESS REMOVED = >
Web Communication Technologies
University Relations & Marketing
How did I do? Please leave feedback.<https://wwu.az1.qualtrics.com/jfe/form/SV_br2NhzupyEtQTTT?Q_SDID=SD_87CoVYO6SFgylVz>

From: Patrick H. Lauke
Date: Thu, Sep 28 2017 3:50PM
Subject: Re: [WebAIM Forum] Hyperlink Accessibility vs. Security
← Previous message | Next message →

On 28/09/2017 22:42, Carly Gerard wrote:
> Pretty much, basically the hyperlink is the URL and not meaningful at all. From my end a little bit annoying! Am curious if anyone has encountered something like that before, or suggestions to advocate the importance of accessibility without dismissing security concerns.

It just results in fake security, the illusion of security, and in fact
teaches users to trust even more that when they see a URL as link text
that the link goes there (when in fact it can go anywhere). It's
counter-productive and harmful.

P
--
Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke

From: Jonathan Avila
Date: Thu, Sep 28 2017 3:52PM
Subject: Re: [WebAIM Forum] Hyperlink Accessibility vs. Security
← Previous message | No next message

> Pretty much, basically the hyperlink is the URL and not meaningful at all

From a WCAG perspective if the link text is ambiguous to all users it's not a violation of WCAG 2 A/AA. There is more of an impact to users with disabilities than users without disabilities but it would pass.

Jonathan

Jonathan Avila
Chief Accessibility Officer
Level Access, inc. (formerly SSB BART Group, inc.)
(703) 637-8957
= EMAIL ADDRESS REMOVED =
Visit us online: Website | Twitter | Facebook | LinkedIn | Blog
Looking to boost your accessibility knowledge? Check out our free webinars!

The information contained in this transmission may be attorney privileged and/or confidential information intended for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this communication is strictly prohibited.

-----Original Message-----
From: WebAIM-Forum [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 5:43 PM
To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Pretty much, basically the hyperlink is the URL and not meaningful at all. From my end a little bit annoying! Am curious if anyone has encountered something like that before, or suggestions to advocate the importance of accessibility without dismissing security concerns.

From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > on behalf of Angela French < = EMAIL ADDRESS REMOVED = >
Sent: Thursday, September 28, 2017 2:37:51 PM
To: WebAIM Discussion List
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

OH, you mean to just spell out a URL and not make it a hyperlink at all? Ugh.

-----Original Message-----
From: WebAIM-Forum [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 1:39 PM
To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security


No worries Angela, I can try to explain better--although that's another good point to consider, the fact that URLs may be malicious in themselves. We know that hyperlinks need to have meaningful text to be accessible to AT, such as in the following example:

<a href="https://domain.com/link-to-pdf ">Open Example PDF</a>

In this case, a user would see the hyperlink as "Open Example PDF," and wouldn't see the actual URL. According to the email I received from our tech services, however, it sounds like they've heard to make the URL visible (and not use meaningful hyperlink text) for security purposes. Brief searches online have led me to phishing awareness articles that have also suggested this practice.


This leads me to wonder how to consider both accessibility and security in this matter, and how I should start that discussion.


I hope my explanation makes sense, and that maybe there's a reasonable solution.

From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > on behalf of Angela French < = EMAIL ADDRESS REMOVED = >
Sent: Thursday, September 28, 2017 12:11:09 PM
To: WebAIM Discussion List
Subject: Re: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Perhaps I am misunderstanding you, but you can still have a bad link behind what looks like a good one . For example:

<a href="www.malicioussite.com">www.goodsite.com</a<http://www.malicioussite.com">www.goodsite.com</a<http://www.malicioussite.com">www.goodsite.com</a<http://www.malicioussite.com">www.goodsite.com</a>>>

-----Original Message-----
From: WebAIM-Forum [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Carly Gerard
Sent: Thursday, September 28, 2017 11:13 AM
To: WEBAim Forum < = EMAIL ADDRESS REMOVED = >
Subject: [WebAIM] [WebAIM Forum] Hyperlink Accessibility vs. Security

Hello WebAIM,


I have gotten questions from fellow colleagues in tech services about embedding links in text (i.e. meaningful hyperlinks). They seem to understand the need for it as far as accessibility goes, but are also concerned about phishing attempts. According to our tech user services department, making URLs visible is a good practice in preventing phishing attempts both ways. Kaspersky did an article that verifies not opening embedded links<https://usa.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips>, but I'm not sure when it was written.


Has anyone encountered security issues from using meaningful hyperlink text and not making the URL visible?


Thank you,


Carly


Carly Gerard | Web Accessibility Developer = EMAIL ADDRESS REMOVED = <mailto: = EMAIL ADDRESS REMOVED = >
Web Communication Technologies
University Relations & Marketing
How did I do? Please leave feedback.<https://wwu.az1.qualtrics.com/jfe/form/SV_br2NhzupyEtQTTT?Q_SDID=SD_87CoVYO6SFgylVz>