Good question, but the answer is you can’t really trust the URL that appears in the status bar at the bottom of your email program or web browser.
There are several reasons why. Let’s talk about a couple of them.
The status line can be programmed
The most important and worrisome reason is that the authors of the web page (or the email that you’re viewing) can actually code the link to display something different in the status line when you view it.
Normally, if the website authors do nothing, the default is that the URL displays in the status line. But with HTML, website authors can actually code the link to display anything – even a phrase.
For instance, if you’re hovering over a link on askleo.com, I could add code to the link so the status line would read, “Click_to_go_to_Ask_Leo!” No URL would be visible when you hovered over it. (Now, it might ignore that coding and still show the destination – depending on your browser and its approach to security.)
The only way to determine whether the URL in the status line is accurate is to look at the HTML source code for the web page. But that’s not something the average user should be expected to do.
Links can be shortened
Now, there is a scenario where a link takes you to a different place than what appears in the status bar. Some senders use link shortening services, such as TinyURL, Bit.ly, Google (called goo.gl), or others. These sites take a very long URL and shorten it. The short link redirects you to the location of the long URL. For example, if you go to the URL go.askleo.com/ms, you go to the Microsoft.com website.
In some cases, this is legitimate and relatively safe. If you click on go.askleo.com, it is askleo.com that had to set that up. If you trust askleo.com, it’s clear that you’re going someplace relatively safe.
Nonetheless, you should be concerned. Hackers sometimes use link shortening services to hide malicious links, but it is possible to preview the link before you open the page.
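To make the "look at the HTML source" check concrete, here is an added example (not code from Ask Leo!) that reads a page's or email's HTML and flags links whose visible text names a different host than the href, links carrying script handlers that can change the hover text or click target, and links that go through the shortening services named above. The names host_of, LinkAudit, audit and SAMPLE, the handler list, and the example.test / example.invalid hosts are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl"}  # services the article names
HANDLERS = ("onclick", "onmouseover", "onmousedown")  # can change hover text or click target

def host_of(text):
    """Host part if text looks like a URL or bare domain, else ''."""
    if " " in text or "." not in text:
        return ""
    host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkAudit(HTMLParser):  # collects (href, visible text, findings) for each <a>
    def __init__(self):
        super().__init__()
        self.results, self._attrs, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._attrs, self._text = dict(attrs), []

    def handle_data(self, data):
        if self._attrs is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._attrs is None:
            return
        href = (self._attrs.get("href") or "").strip()
        text = "".join(self._text).strip()
        findings = [f"script handler: {h}" for h in HANDLERS if h in self._attrs]
        real, shown = host_of(href), host_of(text)
        if real and shown and real != shown:
            findings.append(f"text shows {shown} but href goes to {real}")
        if real in SHORTENERS:
            findings.append(f"shortened link via {real}")
        self.results.append((href, text, findings))
        self._attrs = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.results

# Constructed sample markup; example.test and example.invalid are placeholder hosts.
SAMPLE = """<a href="http://example.test/" onmouseover="window.status='Click_to_go_to_Ask_Leo!'">Ask Leo!</a>
<a href="http://example.invalid/login">www.example.test</a>
<a href="http://bit.ly/placeholder">a short link</a>"""
```

Calling audit(SAMPLE) returns one tuple per link, each with a finding here; a link whose visible text and href agree on the host comes back with an empty findings list. A shortener finding only tells you the real destination is hidden, not where it leads.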
Be careful with links
Ultimately, this is why I say what I do about links so often. It all comes down to how much you trust the sender and how sure you are that it’s really from them. Is the email address one that you recognize? Does the sender’s name match? What if the sender’s account has been hacked and the hacker is sending messages with malicious links in them?
That’s how and why hackers crack into email accounts. The hacker’s success relies on the trust inherent in the relationship between the sender and their contacts. For this reason, you need to always determine the validity and safety of the link before you click on it.
If you click on it at all, that is.
In my Firefox browser status bar, I got
http://askleo.com/can-i-rely-on-the-url-shown-in-the-browsers-status-bar-being-accurate/.:%20Click_to_go_to_Ask_Leo!
Both Google Chrome and IE displayed nothing in the status bar for that link, but the link in all cases worked.
Perhaps the browser designers are getting wise to the security implications. I prefer the Firefox rendering because nothing in the status bar isn’t enough of a warning.
Yep, browsers are getting wise. But as you’ve seen, at a minimum the status line can be altered or cleared, removing it as a way of double checking what you’re about to click on.
A less-geeky alternative is to right-click the link and select “copy link address” (or whatever terminology your browser uses), and then paste it into the address bar. Then you know exactly the URL you will go to. It doesn’t help with URL shorteners, but it will always be the actual URL.
Actually, not true. There are techniques to have that appear to be one thing, and yet STILL have you sent somewhere else. (onclick actions take precedence, I do believe, over the href.)
Leo: I think you misunderstood Ken’s suggestion.
He is saying to copy the link into the address bar (I usually start a new tab for that) and then tell the browser to go to the address in the address bar. Since you are not clicking on the link in the source, OnClick or other programming techniques are not triggered.
Bill,
In most cases copying the link destination, and then pasting it into a new tab will take you through the exact redirect process. That’s because the link destination is to the redirect program.
I agree that will take you to what is or might be shown in the status line. It may NOT take you to where you would go if you actually clicked the link. (The wording implied the latter, but both scenarios are important.)
I’m thinking the use of the free web service URLUncover @ http://urluncoverpro.com/ (thanks to Martin Brinkmann’s newsblog, GHacks.net for letting us in on this, BTW – I find that GHacks is ALMOST as good an information source as is AskLeo!) is likely the best solution @ this time; it provides a preview of what the link points to, as well as an indication as to whether the site’s been added to spamcop.net’s blacklist…
The irony is that the link you provided to ‘url uncover’ rated itself grey, whereas the link Leo provided was rated green.
Not sure what interpretation one can put on this..?
A business that I get Emails from each week mentioned in their Email that their Terms Of Service and Privacy Policy had changed.
So I Read the TOS and PP and read they use Tracking.
I read my Emails in Thunderbird and recently learned I could press
CTRL U
to view the Source of the Email.
Sure enough at the bottom of the Source was a link to a Tracking Company that the Business now uses to see if their Email has been Read or not.
CTRL U
also works in Firefox to view the Source of a Web Page.
Hope This Helps Someone.
I feel that I am all up to date on the subject here, but a recent pair of undesirable if not malware emails came in. The question is: Is there any possible way that clicking an innocuous link that has behind it another address with about 600 characters of hex following the .com/? No final html, or anything else. I wouldn’t have clicked it anyway, but I got curious about what it could be used for. I’ll try sticking it on here. It may be unacceptable for its size. The original hyperlink is ‘401K Plan’, and this is where you go if you click: {URL removed} / {600 characters removed for safety}
There’s no way to know right now. It could well be malicious – it could be completely benign. Even though it’s not a “short” URL, this article may apply: http://askleo.com/is-there-a-way-to-know-where-a-url-shortened-url-is-going-to-take-me/ – based on the domain name alone I’d be very suspicious.
Sorry. On the previous, the question is: Is there a way it can hurt you just by clicking?