

Ask HN: Why do we break “hover to uncover” in e-mails? - techsupporter

Almost every list of security recommendations includes some advice telling users to hover over a link in an e-mail to make sure it goes to the intended place, especially for sensitive e-mails like banks or that may ask for credentials. So, why do so many mail-sending services break this? Not only do they use links that don't match, I've seen several that use domains that look like outright scams.

I understand wanting to track clicks and e-mail opens but there needs to be a little sanity here. Take this example from a Twilio "your account has a ToS update" e-mail I just received:

- The text says the URL is "www.twilio.com/legal/tos"

- The actual (modified by me to be generic) URL is: http://s815114181.t.en25.com/e/er?s=987654321&lid=0011&elq=123456789012345678901234567890ab

Why on Earth would we want users to click a link that looks like that? Why not at least use a link that is the same as the actual link but with query parameters or, even better, why track the clicking of this link at all?
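The "hover to uncover" check the post describes can be automated on the receiving side, for example in a mail gateway or a mail-client plug-in: parse the HTML body, and flag any anchor whose visible text looks like a URL but whose href points at a different host. The code below is an added example (not from the post or from Twilio); the sample body is constructed, modelled on the e-mail quoted above, and the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the e-mail in the post: the visible text
# names www.twilio.com while the href goes to a tracking redirector. The second
# paragraph has two benign anchors (plain words, and matching text/href).
SAMPLE_HTML = """
<p>Please review the updated terms at
<a href="http://s815114181.t.en25.com/e/er?s=987654321&amp;lid=0011&amp;elq=123456789012345678901234567890ab">www.twilio.com/legal/tos</a>.</p>
<p>Questions? See <a href="https://www.twilio.com/help?utm_source=email">our help center</a>
or <a href="https://www.twilio.com/legal">https://www.twilio.com/legal</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or of a bare 'host/path' string; '' if none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def find_mismatched_links(html):
    """Return (visible_text, href) for anchors whose text reads as a URL but
    whose href resolves to a different host, i.e. what hovering would reveal."""
    parser = _AnchorCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.anchors:
        shown = _host(text)
        if "." not in shown:
            continue  # plain words such as "our help center": nothing to compare
        if shown != _host(href):
            mismatches.append((text, href))
    return mismatches
```

Anchors whose text is not a URL are not checked, so this only catches the specific deception the post describes (a URL-looking label that leads elsewhere), and tracking query parameters on the same host pass unflagged.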
======
atian
> but with query parameters

often the systems that send these emails incorporate an analytics service.
query parameters would require an integration with the site's traffic log.
privacy implications for site owners

why

- Disconnect between those who care about security and those who engineer
marketing email systems.

- analytics is useful (a/b testing), especially in internet marketing

------
striking
Tracking who clicks what links in emails. Sometimes it's done automatically by
mailing tools that don't know any better. They probably "automagically" track
all the analytics for overzealous marketing teams, which is a security risk.

------
vortico
Write an email to your email provider complaining about the security flaw, as
they are clearly manipulating links for their purposes.

~~~
detaro
Given that the example he shows points to a marketing analytics service, it's
quite likely that twilio inserted that and not his provider.

