Proposed change to the HTML Standard for anchor tags

This blog post is a proposed change to the HTML Standard for anchor tags. I’m not sure how to write or submit an RFC to the Internet Engineering Task Force and/or whoever manages the HTML Living Standard. Feel free to email me if you’d like to discuss this with me.

Problem: The HTML Standard for anchor tags lets you show one URL but send users to another

Currently you can write a tag like <a href="https://accounts.googlee.co/signin">https://accounts.google.com/signin</a> where you display a legitimate URL and then send users to a look-alike URL. Many users will just see the google.com part of the display text and trust that the link is safe. This is a drawback to trusting the display text of a link. I believe it does more harm than good to allow website designers to write an anchor tag which displays a different URL than it links to.

Proposed change

I propose that, when displaying an anchor tag, if the display text includes http:// or https://, or includes both a . and a /, the display text should be ignored and the href URL should be displayed instead. It may also be ideal to display the URL whenever the display text uses special characters that are not on an allow list, since special character sets could be used to circumvent this change and threat actors are creative. I’ll leave this decision to security professionals.
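
The rule proposed above, sketched as a function a user agent could apply. This is an added example, not code from this post or from any browser; the function names and the printable-ASCII allow list are assumptions.

```javascript
// Added example: the proposed display rule as a pure function.
// looksLikeUrl, hasNonAllowListed and textToDisplay are hypothetical names.

// Rule 1: the text contains http:// or https://, or both "." and "/".
function looksLikeUrl(text) {
  const t = text.toLowerCase();
  return t.includes("http://") || t.includes("https://") ||
         (t.includes(".") && t.includes("/"));
}

// Optional rule 2: any character outside an allow list triggers the fallback.
// Printable ASCII is an assumed allow list; the post leaves the real list
// to security professionals.
function hasNonAllowListed(text) {
  return /[^\x20-\x7E]/.test(text);
}

// Returns the string a user agent following the proposal would show.
function textToDisplay(href, displayText, { strictCharset = false } = {}) {
  if (looksLikeUrl(displayText)) return href;
  if (strictCharset && hasNonAllowListed(displayText)) return href;
  return displayText;
}

// Constructed sample anchors: [href, display text]. The first pair is the
// example from the problem statement.
const samples = [
  ["https://accounts.googlee.co/signin", "https://accounts.google.com/signin"],
  ["https://example.com/docs", "Read the docs"],
  ["https://example.com/", "example.com/login"],
  ["https://example.com/", "caf\u00E9 menu"], // non-ASCII: trips rule 2 only
];

for (const [href, text] of samples) {
  const shown = textToDisplay(href, text, { strictCharset: true });
  console.log(JSON.stringify(text), "->", JSON.stringify(shown));
}
```

The last sample shows the cost of the strict option: ordinary non-ASCII link text is also replaced by the URL.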

Risks of the proposed change

This may show URLs intended to be hidden from users. For example, Twitter uses t.co links but then displays the actual link in a Tweet. Twitter would need to modify their platform to track link clicks in another way (for example, a JavaScript callback function that runs on clicking the link to submit telemetry data, or something like https://twitter.com/redirect=https://google.com&tweet_id=123456) to accommodate a change to the anchor tag specification. It could similarly affect other short-link/click-tracking services.

Benefits of proposed change

The benefit is that display text in links could not be used as a malware or phishing vector, and users would be able to trust that the link they see is legitimate. Internet users should be able to trust that the link they see is the link they go to. While a website can always use its own redirector to hide the final destination, it is in the best interest of internet users that a page not be able to show a fake URL.

Conclusion

I hope web designers, developers, and software vendors discuss this change and see how changes to the anchor tag HTML Standard could improve web security and reduce phishing and malware attacks.