Custom link text can be used for phishing #22875
Comments
For context, the solution to #6532 was to rely on the browser's tooltip for these links, and to add a tooltip on desktop. We could probably just turn on the same tooltip for web given it's painful to test on Desktop whenever we need to touch the code anyways.
I think there's a misunderstanding here. From what I can see, the tooltip solution was fixing an issue that was related to #6532 and the fix was misidentified as fixing that issue. It's also not clear whether the first issue originally described the same thing as this one (hiding the target of a link with a "click here" vs misleading the user by making them think they're clicking on a link to e.g. good.com but they're actually clicking on a link to e.g. evil.com), but over the course of the discussion I'd say it definitely turned into what this issue is about.

I think a tooltip is far from enough as from my experience people (me included) click on links that look like URLs mostly through muscle memory, and therefore either they don't see the tooltip at all or they only do once they've already clicked and it's too late. If having a blocking modal as Discord or Thunderbird has is a real pain, I'd rather this issue stays open for longer until someone gets to properly fixing it, rather than it gets closed by a quicker/easier solution that doesn't really do the job.

To be clear: I think adding a tooltip would be nice, I just don't think it fully solves what this issue is about.
Agreed with @babolivier. We need to fix this by displaying a Discord/Thunderbird-style tooltip, as already implemented in Element Android and Element iOS. @nadonomy: I don't think there is much design needed here if the implementation already existing in those clients is adequate (and it looks fine to me), in which case we should just copy it to Element Web/Desktop. If it's not adequate, we also need to change the existing implementations because we should strive for the behaviour and looks of the protection to be uniform.
@dkasak happy to upgrade from tooltip to modal - if we know who would be working on this we can find a designer to pair on copy/content. Or, we can iterate on those details in review.
Your use case
This is a continuation of #6532
Since Element allows users to use markdown links, it's possible to make a link look like it leads to a different website than it actually does, for example:
Have you considered any alternatives?
Some discussion has happened in #6532 with some proposed solutions. The solution that seems to gather most consensus seems to be adding an alert like the one Thunderbird has:
Which it looks like Element iOS already implements according to #6532 (comment)
Additional context
I wasn't sure what template to use to file this issue. The original issue was triaged as an enhancement request so I went for that, but feel free to fix the labels if it's wrong. Ideally #6532 could just be reopened (it was closed by mistake by a PR that didn't actually fix it) but I'm told this would confuse processes in place.
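
The check a confirmation modal would hinge on, as an added example that is not part of the original issue and not Element's code: a link is flagged only when its visible text itself parses as a URL whose host differs from the real target, which separates the "good.com vs evil.com" case from a plain "click here" label. The function names and the `.example` hosts are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not Element's API.

// Parse visible link text as a URL if it looks like one, else return null.
function parseAsUrl(text) {
  const t = text.trim();
  if (t === "" || /\s/.test(t)) return null; // multi-word labels are not URLs
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(t);
  const looksLikeHost = /^([a-z0-9-]+\.)+[a-z]{2,}([/:?#]|$)/i.test(t);
  if (!hasScheme && !looksLikeHost) return null;
  try {
    return new URL(hasScheme ? t : "https://" + t);
  } catch {
    return null;
  }
}

// Decide whether a link's visible text names a different host than its target.
function checkLink(text, href) {
  let target;
  try {
    target = new URL(href);
  } catch {
    return { warn: true, reason: "unparseable-target" };
  }
  const shown = parseAsUrl(text);
  if (shown === null) return { warn: false, reason: "text-not-a-url" };
  // URL.hostname is lowercased and punycode-normalised, so compare that.
  if (shown.hostname !== target.hostname) {
    return { warn: true, reason: "host-mismatch", shown: shown.hostname, actual: target.hostname };
  }
  return { warn: false, reason: "host-match" };
}

// Scan a Markdown message body and return the inline links that need a warning.
function findMisleadingLinks(markdown) {
  const flagged = [];
  for (const m of markdown.matchAll(/\[([^\]]+)\]\(([^)\s]+)\)/g)) {
    const verdict = checkLink(m[1], m[2]);
    if (verdict.warn) flagged.push({ text: m[1], href: m[2], ...verdict });
  }
  return flagged;
}

// Constructed sample message, not taken from the issue.
const sampleMessage =
  "Reset at [https://good.example/login](https://evil.example/login), " +
  "or [click here](https://evil.example/), or [GOOD.example](https://good.example/a).";
console.log(findMisleadingLinks(sampleMessage));
```

Only the first link in the sample is flagged; a client would show the `shown` and `actual` hosts side by side in the blocking prompt before navigating.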