first draft
This commit is contained in:
parent
0008b23234
commit
9786b82d6e
1 changed files with 31 additions and 0 deletions
31
content/post/links-in-emails.md
Normal file
@ -0,0 +1,31 @@
+++
title = "Rant: Links in Emails"
date = "2025-06-02"
+++
# Phishing
A phishing attack requires two steps.
1. Bring users onto a fake website
2. Ask for their credentials
This means there are two ways of stopping phishing for your service. You can either implement secure, phishing resistent 2FA like FIDO-2 or Passkeys or you can prevent useres from getting onto fake websites.
There are of course a lot of ways how an individual can be phished. The more obvious ones are for example typosquatting, where malicious actors register common typos of popular domain names. A phisher would for example register aamazon.com and hope someone mistypes amazon.com.
This is of course a very inefficient way of aquiring targets and can be easily prevented by just registering these typos yourself. gooogle.com for example redirects to google.com.
There is however another highly efficient way of getting people onto your phishing website: E-Mails. Just send the user a fake security alert with a nice little "More info" button et voila: You have a victim.
# Why this works
This method, of course, only works because the users are used to the pattern of links in E-Mails. For years companys have been sending email confirmations, 2FA mails and security alerts with a link that contains a long token and that users can just conveniently click on.
From a security standpoint this is great. Links allow you to use really long tokens because there is no need to type them into your website. Users can just click and go. Links can however be faked. The link text has no relationship with the actual URL it points to.
"But E-Mail clients show the URL when you hover over a link". Yes they do. Do you always check the link?. And is live.com an official Microsoft domain? Yes you should always check the links you click on. This can however be difficult, especially in the stress situations that spam mails seek to create.
So how could this be prevented.
# How can we fix it
There are of course multiple solutions to this problem. You could just stop sending E-Mails in favour of more secure communication channels or 2FA methods. This solution would be nice in a utopia where everything is secure and everyone cares about security, but is not possible in our current world.
We can however fix this with another pattern that is commonly used for 2FA: Codes in E-Mails. Security codes require the user to navigate to the website the're for manually. Sure you could send someone a fake code via E-Mail. But if they enter that code on the official website you gain nothing.
This pattern is nowadays mostly used for 2FA. That does not have to be so. Instead of sending a link with a token in your security warning you could then just ask the user to log in and ask for a code that is then sent to their inbox.
Of course these codes are shorter and therefore eaier to bruteforce than long tokens in links. This can however be circumvented by expiring the token after a couple of minutes. As a bonus the expiration also minimises the amount of time that a sensitive token is stored on an unencrypted E-Mail server.
Paired with a warning that "<insert company name here> will never send you links in E-Mails" this could irradicate most phishing scams.
I think thats enough gramatically questionable screaming into the void for now. I hope you enjoyed my first little blog post. Let me know on Mastodon what you think of it.
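Review bot: the brute-force argument in the "Of course these codes are shorter" paragraph is incomplete: expiring a short code after a couple of minutes only bounds the window, it does nothing against an attacker who can submit many guesses inside that window, so the paragraph should also require a per-code attempt limit (and rate limiting on the endpoint that verifies the code) before it concludes the shorter code is safe. The "Security codes require the user to navigate to the website" paragraph and the closing "could irradicate most phishing scams" sentence overstate the pattern: a code the user types can still be relayed by a fake site that forwards it to the real login in real time, so this removes the link-in-email vector but is not phishing resistant in the sense the post grants FIDO2 and passkeys above, and a one-sentence caveat there would keep the two sections consistent. Spelling and grammar to fix before publishing: "resistent" -> "resistant", "useres" -> "users", "aquiring" -> "acquiring", "companys" -> "companies", "the're" -> "they're", "eaier" -> "easier", "irradicate" -> "eradicate", "gramatically" -> "grammatically", "thats" -> "that's", "Do you always check the link?." has a stray period, and "So how could this be prevented." should end with a question mark.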