Open VIM-Arcange opened 6 years ago
This is a challenging problem. We want to protect people from phishing attempts, without detracting from the overall user experience for the majority of users.
Check out Option 1 below. We could place a light border with a box-shadow on every single image displayed within comments. We need to have a state like this before the hover interaction, because a lot of our users will be on mobile devices without hover states. On hover, we can darken the shadow to make it even more obvious.
If Option 1 is too subtle, we could actually place an image icon above every single image as per Option 2. But first, let's try Option 1.
What about a pop up warning anytime someone is leaving the site? They can seem a little intrusive, but they should prevent anyone from unknowingly clicking on a link that takes them to an external site.
I think @TimCliff's idea could work, if there was a whitelist of known, non-phishing domains.
The popup warning would be best, coupled with a hover over border. The border would just be simple CSS (let's say green border). It should be as easy to understand as possible for non-tech savvy users.
I'm reluctant to use a pop-up warning any time a user clicks on a link to an external site. A better solution may be to combine a Steemit specific blacklist with a service like Google's Safe Browsing. This would allow us to block or trigger a pop-up warning when a link goes to known phishing / malware sites.
The problem with that is that many phishing attacks use URL shorteners like Bitly, which would seem to be a safe URL at first.
Having a box shadow on every image (without hover) could break the good looking appearance of some posts.
Many users make appropriate use of images to highlight their articles. I am thinking in particular of images with a transparent background.
One (imperfect) solution would be to display the shadow on mobile devices only.
@VIM-Arcange @roadscape What is the agreed method here? Do a hybrid, i.e. box shadow on hover for desktop and box shadow all the time for mobile?
Fix proposal in PR https://github.com/steemit/condenser/pull/3421
Many phishing attempts are using images as text to dupe users.
One recent example is described in this post: https://steemit.com/steemit/@arcange/phishing-attempts-are-running-and-use-fake-comments-with-images
To avoid this, steemit.com could highlight images when users hover over them or add an easily identifiable sign that the "text" is actually an image.
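The whitelist, blacklist and URL-shortener points raised in this thread can be combined into one link-classification check. The following is an added example, not code from the thread or from condenser; the host lists and the names `classifyLink` and `hostMatches` are constructed for illustration.

```javascript
// Added example: every host list below is a constructed placeholder.
const SITE_HOSTS = new Set(['steemit.com']);            // the site itself
const ALLOWLIST = new Set(['github.com']);              // hypothetical known-good domains
const BLOCKLIST = new Set(['phish.example']);           // hypothetical site-specific blacklist
const SHORTENERS = new Set(['bit.ly', 'tinyurl.com']);  // real destination is hidden

// True when host equals an entry or is a subdomain of one.
function hostMatches(host, set) {
  for (const entry of set) {
    if (host === entry || host.endsWith('.' + entry)) return true;
  }
  return false;
}

// Returns 'internal', 'allow', 'warn' or 'block' for a link found in a comment.
// Decisions use the parsed hostname, never a substring of the raw href.
function classifyLink(href, base = 'https://steemit.com/') {
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return 'block'; // unparseable links are not rendered as clickable
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return 'block';
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  if (hostMatches(host, BLOCKLIST)) return 'block';
  // Shorteners are checked before the allowlist: the host looks harmless,
  // but the destination is unknown, so the user gets the leaving-site warning.
  if (hostMatches(host, SHORTENERS)) return 'warn';
  if (hostMatches(host, SITE_HOSTS)) return 'internal';
  if (hostMatches(host, ALLOWLIST)) return 'allow';
  return 'warn'; // unknown external site: show the pop-up before leaving
}
```

A 'warn' result maps to the pop-up discussed above, so allowlisted and internal links stay free of interruptions for most users.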