
Can I Rely on the URL Shown in the Browser’s Status Bar Being Accurate?

In a recent article, you said to only click links in email when you know the sender AND that they recently sent you a link. Your accompanying discussion and advice is excellent and very helpful. I have a further question for clarification. When I place my pointer over a link in an email or a web page, a URL shows up in the left end of the banner at the bottom of the screen. Can I be certain that this is the address that I will be sent to? In other words, can the bad guys disguise their actual undesirable URL with one that looks okay but still sends me somewhere else that I wouldn’t want to go?

Good question, but the answer is you can’t really trust the URL that appears in the status bar at the bottom of your email program or web browser.

There are several reasons why. Let’s talk about a couple of them.


The status line can be programmed

URL in the Status Line

The most important and worrisome reason is that the authors of the web page (or the email that you’re viewing) can actually code the link to display something different in the status line when you view it.

Normally, if the website authors do nothing, the default is that the URL displays in the status line. But with HTML, website authors can actually code the link to display anything – even a phrase.

For instance, if you’re hovering over a link on askleo.com, I could add code to the link so the status line would read, “Click_to_go_to_Ask_Leo!” No URL would be visible when you hovered over it. (Your browser might ignore that coding and still show the destination, depending on the browser and its approach to security.)

The only way to be able to determine if the URL in the status line is accurate is to look at the HTML source code for the web page. But that’s not something the average user should be expected to do.

Links can be shortened

Now, there is a scenario where a link takes you to a different place than what appears in the status bar. Some senders use link shortening services, such as TinyURL, Bit.ly, Google’s goo.gl, or others. These sites take a very long URL and shorten it. The short link redirects you to the location of the long URL. For example, if you go to the URL go.askleo.com/ms, you go to the Microsoft.com website.

In some cases, this is legitimate and relatively safe. If you click on go.askleo.com, it is askleo.com that had to set that up. If you trust askleo.com, it’s clear that you’re going someplace relatively safe.

Nonetheless, you should be concerned. Hackers sometimes use link shortening services to hide malicious links, but it is possible to preview the link before you open the page.
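Checking the HTML source, as described in the two sections above, can be done mechanically. The following Python sketch is an added example, not code from Ask Leo!: it reads the source of a page or email and flags links whose visible text names a different host than the href, links that carry script handlers, and links that point at the shortening services named above. The names `audit`, `LinkAuditor` and `host_of` and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Added illustration: helper names are hypothetical, SAMPLE is constructed markup.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl"}  # services named in the article
SAMPLE = """
<a href="https://www.example.com/help">Help page</a>
<a href="https://example.net/login">https://www.example.com/account</a>
<a href="https://example.com/" onclick="go()">example.com</a>
<a href="https://bit.ly/EXAMPLE">Read more</a>
"""

def host_of(text):
    """Host of a URL or bare domain ('www.' dropped); None if text is not one."""
    text = text.strip()
    try:
        host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    except ValueError:  # e.g. link text such as "[1]"
        return None
    host = host[4:] if host.startswith("www.") else host
    return host if "." in host and len(text.split()) == 1 else None

class LinkAuditor(HTMLParser):  # records (href, visible text, warnings) per <a>
    def __init__(self):
        super().__init__()
        self.findings, self._link = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._link = {"href": a.get("href") or "", "text": "",
                          "on": sorted(k for k in a if k.startswith("on"))}
    def handle_data(self, data):
        if self._link is not None:
            self._link["text"] += data
    def handle_endtag(self, tag):
        if tag != "a" or self._link is None:
            return
        link, self._link = self._link, None
        target, shown, warnings = host_of(link["href"]), host_of(link["text"]), []
        if shown and target and shown != target:
            warnings.append(f"text shows {shown} but href goes to {target}")
        if link["on"]:  # script can change what is displayed or where a click goes
            warnings.append("script handlers on link: " + ", ".join(link["on"]))
        if target in SHORTENERS:
            warnings.append(f"{target} is a shortener; final destination not visible")
        self.findings.append((link["href"], link["text"].strip(), warnings))

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    return parser.findings
```

`audit(SAMPLE)` returns one `(href, text, warnings)` tuple per link; only the first sample link comes back with an empty warning list.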

Be careful with links

Ultimately, this is why I say what I do about links so often. It all comes down to how much you trust the sender and how sure you are that it’s really from them. Is the email address one that you recognize? Does the sender’s name match? What if the sender’s account has been hacked and the hacker is sending messages with malicious links in them?

That’s how and why hackers crack into email accounts. The hacker’s success relies on the trust inherent in the relationship between the sender and their contacts. For this reason, you need to always determine the validity and safety of the link before you click on it.

If you click on it at all, that is.

13 comments on “Can I Rely on the URL Shown in the Browser’s Status Bar Being Accurate?”

    • Yep, browsers are getting wise. But as you’ve seen, at a minimum the status line can be altered or cleared, removing it as a way of double checking what you’re about to click on.

  1. The only way to be able to determine if the URL in the status line is accurate is to look at the HTML source code for the web page.

    A less-geeky alternative is to right-click the link and select “copy link address” (or whatever terminology your browser uses), and then paste it into the address bar. Then you know exactly the URL you will go to. It doesn’t help with URL shorteners, but it will always be the actual URL.

    • Actually, not true. There are techniques to have that appear to be one thing, and yet STILL have you sent somewhere else. (onclick actions take precedence, I do believe, over the href.)

  2. Leo: I think you misunderstood Ken’s suggestion.

    He is saying to copy the link into the address bar (I usually start a new tab for that) and then tell the browser to go to the address in the address bar. Since you are not clicking on the link in the source, OnClick or other programming techniques are not triggered.

    • Bill,
      In most cases copying the link destination, and then pasting it into a new tab will take you through the exact redirect process. That’s because the link destination is to the redirect program.

    • I agree that will take you to what is or might be shown in the status line. It may NOT take you to where you would go if you actually clicked the link. (The wording implied the latter, but both scenarios are important.)

  3. I’m thinking the use of the free web service URLUncover @ http://urluncoverpro.com/ (thanks to Martin Brinkmann’s newsblog, GHacks.net for letting us in on this, BTW – I find that GHacks is ALMOST as good an information source as is AskLeo!) is likely the best solution @ this time; it provides a preview of what the link points to, as well as an indication as to whether the site’s been added to spamcop.net’s blacklist…

    • The irony is that the link you provided to ‘url uncover’ rated itself grey, whereas the link Leo provided was rated green.
      Not sure what interpretation one can put on this..?

  4. A business that I get Emails from each week mentioned in their Email that their Terms Of Service and Privacy Policy had changed.

    So I Read the TOS and PP and read they use Tracking.

    I read my Emails in Thunderbird and recently learned I could press
    CTRL U
    to view the Source of the Email.

    Sure enough at the bottom of the Source was a link to a Tracking Company that the Business now uses to see if their Email has been Read or not.

    CTRL U
    also works in Firefox to view the Source of a Web Page.

    Hope This Helps Someone.

  5. I feel that I am all up to date on the subject here, but a recent pair of undesirable if not malware emails came in. The question is: Is there any possible way that clicking an innocuous link that has behind it another address with about 600 characters of hex following the .com/? No final html, or anything else. I wouldn’t have clicked it anyway, but I got curious about what it could be used for. I’ll try sticking it on here. It may be unacceptable for its size. The original hyperlink is ‘401K Plan’, and this is where you go if you click: {URL removed} / {600 characters removed for safety}
