Is the Web browser status bar always trustable?

Question

If I bring the mouse pointer to a link, but not click on it, I can see in the left/bottom corner that it displays the URL of it.

Q: Could this URL (in the left/bottom) be different from the one that my Web browser will go? (don't count that server side can be redirected with an eg.: HTTP 302)

Question is just because of knowing that telling the users to check the left/bottom of the browser before clicking on the link is a good/usable thing regarding security.

Please provide authentic links/descriptions too :)

PS: maybe if JavaScript is enabled, it can be done that the user will go to another website, different from the one displayed in the left/bottom?

UPDATE: Does disabling JavaScript with ex.: NoScript solves this problem 100%? (opened a bounty for this part of the question) - because it looks like it could be prevented with NoScript.

Answer 1

Could this URL (in the left/bottom) be different from the one that my webbrowser will go?

Yes.

• for a simple link click, the whole click could be captured by JavaScript and made to do something else, including navigating to a different page

• the link could be substituted onmousedown (this is common behaviour for some link-click tracking scripts)

• for browsers like Chrome where the address pop-up appears inside the page area, that pop-up could be faked with JavaScript and page elements. In general you can only trust browser UI that appears in the chrome border, outside of page control.

Consequently the address pop-up is a convenience feature but offers no security function.

Answer 2

Yes, the URL a link will eventually take you to can be different than that shown on the status bar.

One of the possible ways to do this is to listen to the mousedown DOM event of the link element and change the link inside the event.

To observe this you can go to Google search, open the developer console and click on a result link.

When you hover your cursor over the link:

When you hold down the mouse button, the link is changed, but the status bar doesn't change in Chrome:

When you move the mouse a little bit, the status bar in Chrome is updated:

(Actually I think someone should file a bug report on http://crbug.com.)

Answer 3

No, you can't trust it.

The most prolific example of this? Take a look at Google search results, for example. Mouse over a result and you get one link in the status bar, right click and copy the link to your clipboard and you'll see you have a completely different one.

The way Google do it is super smart (and super simple). When the HTML comes back, you have the correct URL in the HTML link's href, but they alter it as soon as your browser registers that your browser picks up a "mouse down" event on the link

Answer 4

Question is just because of knowing that telling the users to check the left/bottom of the browser before clicking on the link is a good/usable thing regarding security.

My non technical answer (unlike other answers which focus on the power of JS and CSS):

I think this idea of checking is absolutely not realistic (bordering on crazy) and as such nefarious for real-world, realistic computer security.

• Even if you disable changing the status bar in JS (why would a Website really need to alter the status bar anyway?),
• even if you disable JS (which breaks many nice Web features) so that the destination of a link cannot be changed with JS as shown in other answers,
• even if you go as far as disabling automatic HTTP redirects (which would be very annoying on some Websites)...

the idea of carefully checking the target of every single link is a perfect example of "security as the enemy of usability" thinking: it is not only impractical, it is so impractical that users would not only never apply this principle more a few minutes, they might even be led to believe that secure handling of a computer is just too difficult and not worth it.

When you are giving security advice, you are not just stating a recommendation appropriate in a particular context, you are sending a message about computer security in general: security is easy, security is not easy but attainable, or security is just too difficult.

If you give an advice which is clearly too difficult to seriously apply every single time, every single day, you are giving the impression that computer security is all about perfectly following awfully stringent requirements, something mere mortals cannot really do.

If you ask way too much, people simply give up. And "security experts" waste their credibility.

This is why security recommendations cannot just be given by semi-gods "security experts" offering their "science" to mere mortals; security recommendations must be tested in the real world; implementation of recommendations must be observed, measured. When experience shows the recommendation is not followed, it must be changed to become useful in the real world.

telling the users to check the left/bottom of the browser

Another issue is, even if you could find some users willing to "check" the target of every single link, these users would not even know how to do the "check", because they almost never have any idea where a link is supposed to point to.

The recommendation is not just way too hard to practice everyday, it is confusing.

Answer 5

You used to be able to do this by setting the window.status property using Javascript. See this link for more information. (Forgive me linking to w3schools, it's one of the better links I can find for this particular search...)

However, most modern browsers have disable this feature precisely for security reasons. On Chrome at least, I don't think there is a way to reactivate it.

Answer 6

In addition to all the answers here, mobile browsers can't be trusted at all. This is because most browsers either hide the URL bar.

In addition apps will wrap the web browser (legitimately) to create iphone and android applications. (See PhoneGap and several others that do the same thing)

If you use a mobile browser, you're trusting all your security to the app developer or giving up visibility on the browser bar. This is a problem that needs to be solved.

Partial Solution

Right now, we have all devices use a HTTP/S proxy, over a VPN and each website is checked for malicious content, and or is relatively unknown or obscure (as most hacked sites are).

In addition we do SSL certificate validation, and extended DNS checks.

Answer 7

Yes.

As there have been attacks known such as the following:

for(i in o=document.links){o[i].onclick=function(){this.href='//bit.ly/141nisR'}}

As shown in: http://bilaw.al/2013/03/17/hacking-the-a-tag-in-100-characters.html

The above attack will allow the attacker to assume that the url is going to the correct place until they click on it, which then changes the attribute of the href which then directs them to a new location.

Answer 8

First of all nice question!

If you are asking if the Browser takes us to the url shown below in status bar then its yes, i find always it can be trusted, unless some server side or javascript address resolver is there.

If you point some anchor text that have shorten url, browser will display shorten URL as this is the only URL embedded in HTML of the Page.

May be Server uses many in between URL for tracking behaviour like Google does, Browser still shows the final URL to be landed on.

we can see the Intermediate URL by copying the link and pasting it into the browser, Google may use this Link for Tracking the location, use behaviour etc. but browser shows the correct URL

Sometime Browser itself start resolving browser while we point on them, you can see it in status bar, and get to the final URL which is allowed to Browser.

SO i think being a machine, Browser shows correct URL until any script is there in URL.