Luc Gommans/ blog

Difficult URLs

Written on 2020-07-29

Since this comes up somewhat regularly and I keep writing examples anew, this is a small post with some difficult URLs.

The format of these items will be:

Click and hold the black area to reveal it. Try to think about it first and then see if you got it right. Here we go:

The next one is a bit of a trick question, but a real-world situation. We find this at customers fairly regularly. This link might be sent to you as part of a "password expired and needs to be changed" kind of message, if your organisation does that. If you work at, where does this link go?

The tricky parts of the above link are these:

I think we should agree that knowing where a link goes is not trivial.

All of these links can be made to have the green padlock, look identical to the originals, etc. That's all trivial and we should not tell people to look for those features to establish authenticity. The padlock indicates security, but not who you're talking to... well, it tells you that you're talking to whatever domain you're on, but figuring out which domain you're on turns out to be hard.

But luckily, in real-world cases, if you see a lot of weird-looking characters in a URL, you know something fishy is going on... right?[...]

This goes where, exactly? That's from the latest newsletter I received, completely legitimate, but there is no way to know when clicking the link.

Perhaps we should just tell users to not click links in emails. Your company wants you to change your password? Great, go to your company intranet the usual way. You need to login to your bank for some KYC procedure? No problem, just visit your bank the usual way.

Companies can also do their part by not putting links with calls to post-login actions in emails.