Safelinks are a fragile foundation for publishing
https://shkspr.mobi/blog/2024/02/safelinks-are-a-fragile-foundation-for-publishing/
Microsoft loves you and wants to protect you. So every time you receive an email with a link in it, Microsoft Outlook helpfully rewrites it so that it goes through their "safelinks" system.
Safelinks allow your administrator, or someone at Microsoft, to stop you visiting a link which is malicious or suspicious. Rather than going to example.com, your link now goes to safelinks.protection.outlook.com/?url=example.com.
Hurrah! If you accidentally click on a naughty link you won't cause chaos and ructions.
Except, there's a tiny problem. People like to copy and paste links that they receive. Someone sends an email which says "here's the link to that report you asked for" which then gets copied into a document or a web page.
For example, I was reading this official document from the UK's Department of Health and Social Care. Slap bang in the middle is a link to another report:
That forces everyone who visits that link to go through Microsoft's proxy. That might protect users if a link later becomes suspicious. But, more likely, it will be used in analytics to further profile users who click on links. It also undermines a user's ability to see the final destination of a link unless they can manually URl-decode content in their head.
It appears that every large organisation which uses Microsoft is prone to this failure. Lots of UK Government departments publish content with safelinks:
The US Military too:
It's all over Twitter:
And there are hundreds of academic works infested:
Look, I get why people do this. They copy a link from an email, paste it in, click it, and it works. No one writes raw HTML by hand, nor should they have to. Our WYSIWYG tools work really well and hide all the mumbo-jumbo. Copy editors look at text; not hypertext. It's only nerds like me who hover over a link before clicking on it.
Perhaps I should stop worrying? Perhaps it is OK that Microsoft intercepts the clicks from people all around the world? Perhaps they can competently run a proxy which detects and blocks inappropriate content? Perhaps they won't ever abuse that facility?
Here's my prediction. In the next five or so years, Microsoft is going to accidentally shut off *.safelinks.protection.outlook.com and a million copy-and-pasted links across the web are going to break.
Think I'm over-reacting? A decade ago, Microsoft got rid of their MS Tag product and, shortly after, all their proxy links were shut off. Similarly, other proxies like McAfee have shut down with little warning.
Or maybe Microsoft's sub-domains will be hijacked?
Either way, if you work in digital publishing, please make sure that your links point directly to the content that you want; not to Microsoft's safelinks service.
https://shkspr.mobi/blog/2024/02/safelinks-are-a-fragile-foundation-for-publishing/
#microsoft #privacy #web
Terence Eden’s Blog /
npub1ly…vruez
2024-02-05 12:34:10
Author Public Key
npub1lywey3rjuskr7kstpvwj3xafa56qrkfc6r7f665rxvw4sv2jw6ps5vruezSeen on
wss://nostr.momPublished at
2024-02-05 12:34:10Event JSON
{
"id": "12a968c29f7a3c3eba9f8a5a049126d8233cf5f16e91dfc20f57c287d06e36c8",
"pubkey": "f91d924472e42c3f5a0b0b1d289ba9ed3401d938d0fc9d6a83331d5831527683",
"created_at": 1707136450,
"kind": 1,
"tags": [
[
"t",
"microsoft"
],
[
"t",
"privacy"
],
[
"t",
"web"
],
[
"proxy",
"https://shkspr.mobi/blog/2024/02/safelinks-are-a-fragile-foundation-for-publishing/",
"activitypub"
]
],
"content": "Safelinks are a fragile foundation for publishing\nhttps://shkspr.mobi/blog/2024/02/safelinks-are-a-fragile-foundation-for-publishing/\n\nMicrosoft loves you and wants to protect you. So every time you receive an email with a link in it, Microsoft Outlook helpfully rewrites it so that it goes through their \"safelinks\" system.\n\nSafelinks allow your administrator, or someone at Microsoft, to stop you visiting a link which is malicious or suspicious. Rather than going to example.com, your link now goes to safelinks.protection.outlook.com/?url=example.com.\n\nHurrah! If you accidentally click on a naughty link you won't cause chaos and ructions.\n\nExcept, there's a tiny problem. People like to copy and paste links that they receive. Someone sends an email which says \"here's the link to that report you asked for\" which then gets copied into a document or a web page.\n\nFor example, I was reading this official document from the UK's Department of Health and Social Care. Slap bang in the middle is a link to another report:\n\n\n\nThat forces everyone who visits that link to go through Microsoft's proxy. That might protect users if a link later becomes suspicious. But, more likely, it will be used in analytics to further profile users who click on links. It also undermines a user's ability to see the final destination of a link unless they can manually URl-decode content in their head.\n\nIt appears that every large organisation which uses Microsoft is prone to this failure. Lots of UK Government departments publish content with safelinks:\n\n\nThe US Military too:\n\n\nIt's all over Twitter:\n\n\nAnd there are hundreds of academic works infested:\n\n\nLook, I get why people do this. They copy a link from an email, paste it in, click it, and it works. No one writes raw HTML by hand, nor should they have to. Our WYSIWYG tools work really well and hide all the mumbo-jumbo. Copy editors look at text; not hypertext. It's only nerds like me who hover over a link before clicking on it.\n\nPerhaps I should stop worrying? Perhaps it is OK that Microsoft intercepts the clicks from people all around the world? Perhaps they can competently run a proxy which detects and blocks inappropriate content? Perhaps they won't ever abuse that facility?\n\nHere's my prediction. In the next five or so years, Microsoft is going to accidentally shut off *.safelinks.protection.outlook.com and a million copy-and-pasted links across the web are going to break.\n\nThink I'm over-reacting? A decade ago, Microsoft got rid of their MS Tag product and, shortly after, all their proxy links were shut off. Similarly, other proxies like McAfee have shut down with little warning.\n\nOr maybe Microsoft's sub-domains will be hijacked?\n\nEither way, if you work in digital publishing, please make sure that your links point directly to the content that you want; not to Microsoft's safelinks service.\n\nhttps://shkspr.mobi/blog/2024/02/safelinks-are-a-fragile-foundation-for-publishing/\n\n#microsoft #privacy #web",
"sig": "5581a1bc7020223e3d2782742a850a0ce02f7547843a43763fc9932043f0d6ca580587bdfb8b7287c69512b2208c0275a8da4e5a34cee9cd4a54b96395ab7b0c"
}