Are you sure you want to leave YouTube?

(blog.jim-nielsen.com)

57 points | by aendruk 21 hours ago

15 comments

  • ryandrake 17 hours ago

    > Classic software:

        Primary CTA: what’s best for you
        Secondary CTA: an alternative for you
    
    > Modern software:

        Primary CTA: what’s best for us
        Secondary CTA: what’s acceptable to us
    
    > It seems like everywhere I go, software is increasingly designed against me.

    It's been a long time since Windows 95's "Where do you want to go today?" slogan. Now, every developer's slogan is "Here's where we allow you to go today--and we'll make it hard to go anywhere else."

    • collingreen 16 hours ago

      Here's where we get paid if we make you go today.

  • digiown 12 hours ago

    A related one is all the various nags on consumer software that won't take NO for an answer.

    Do you want to rate our app?

    Later [YES]

    It is extremely disrespectful as it basically ignores consent. It's the "rapist mentality" Louis Rossmann talks about. No means no, not "later", people.

    • bigstrat2003 10 hours ago

      If an app nags me to rate it, it gets 1 star. The only way we will ever see things improve is if people start punishing bad actors for their behavior, and it does at least get the app to stop nagging me so that's a plus.

  • not_your_vase 21 hours ago

    Lately Google's image search started to do the same some time ago. Click on an image, and then on the link beneath the image - it first opens a redirection notice which needs to be confirmed. Acting like it's something unusual to click on a link from a search result screen...

    • 13 hours ago
      [deleted]
  • LarsKrimi 13 hours ago

    Probably because YouTube allows purchases of various stuff. A phishing link could likely easily be made to look exactly like YouTube

    This is a common pattern to see today. Lots of examples that maintain the same CTA design (don't leave us. Don't waste your money on scammers, waste them on us please)

    • happymellon 7 hours ago

      > A phishing link could likely easily be made to look exactly like YouTube

      But you are still training your users to do the Windows Okay Okay Okay dance.

      Phishing links are not fixed by adding hijacks, in fact I would probably then spend less time reviewing the link and more time trying to decide which double negative button I wish to click.

  • mberlove 16 hours ago

    Everybody's got a party and if you leave, you ruin the party -- apparently. Isolated "walled gardens" are a kind of Intranet. Ingress requires buy-in (sign up, log in, identity proof, human proof); leaving means breaking out to the more transparent, connected internet, which is a big problem when data is dollars.

    Maybe I'm reading too much into it. More and more patterns seem hostile, antagonistic to the user, and it seems like it's an adopted practice that's taken as a standard. I hope I'm wrong.

  • class3shock 11 hours ago

    I gave up after reels were integrated and channelblocker broke. I don't think there is another website that had as big a shift from user focused to user hostile as YouTube.

  • Nextgrid 12 hours ago

    What's happening here is that Google wants to spy on which links you click and track your activity on that site by explicitly setting new cookies in the link's new tab from the URL params (re-bootstrapping a tracking cookie/etc to defeat opening it in an isolated tab or private browsing window), so they rewrite all links to point to their redirector endpoint.

    Such an endpoint is vulnerable to "open redirect" exploits, where a redirect exploit on a trusted domain (google.com/youtube.com) is used to conceal a malicious link. The confirmation page is used to make the endpoint useless for such purposes.

    But the confirmation page would be super annoying for normal users who intended to click the link, so there's a further mechanism where the redirector link has some ID that's also present in your cookies, so that as long as it is you who hits the redirector endpoint the confirmation page is bypassed - but if you try to use it in an "open redirect" attack your victim wouldn't have the matching cookie and thus would get the warning.

    In their case they must be opening the link in a new context that doesn't share state (cookies/etc) with the old one (either deliberately or as a result of a privacy plug-in/feature) and so get the interstitial.
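The mechanism described in the comment above, as an added sketch that is not part of the original thread and is not Google's code: a redirector whose token is an HMAC over the viewer's session and the target URL, so only the session that was shown the link skips the confirmation page. The cookie name `session`, the key handling and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: one server-side secret; generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)

def make_token(session_id: str, target: str) -> str:
    """MAC over (session, target): valid only for this session and this exact URL."""
    msg = len(session_id).to_bytes(2, "big") + session_id.encode() + target.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def rewrite_link(session_id: str, target: str) -> str:
    """What the page renderer emits in place of the raw outbound link."""
    query = urlencode({"redir_token": make_token(session_id, target), "q": target})
    return "/redirect?" + query

def parse_link(link: str) -> dict:
    """Query parameters of a redirector link, as the endpoint would receive them."""
    return dict(parse_qsl(urlsplit(link).query))

def handle_redirect(cookies: dict, params: dict) -> tuple:
    """Return (status, location_or_body) for one hit on the redirector."""
    target = params.get("q", "")
    if urlsplit(target).scheme not in ("http", "https"):
        return 400, "unsupported target"
    session_id = cookies.get("session", "")
    token = params.get("redir_token", "")
    expected = make_token(session_id, target)
    if session_id and hmac.compare_digest(token.encode(), expected.encode()):
        return 302, target  # same session that was shown the link: no prompt
    # No cookie, another session, or an edited q: never redirect silently.
    return 200, "You are leaving this site for " + html.escape(target) + ". Continue?"

if __name__ == "__main__":
    link = rewrite_link("sess-A", "http://www.example.com/book")  # constructed sample
    print(handle_redirect({"session": "sess-A"}, parse_link(link)))
    print(handle_redirect({}, parse_link(link)))
```

A link opened in a private window or isolated tab arrives without the cookie and takes the interstitial branch, which matches the behaviour reported in the thread.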

  • SpicyLemonZest 17 hours ago

    I can only reproduce this when the link is opened in a different session than it was generated in. Maybe some vulnerability they're trying to mitigate? No idea what it would be though.

    • snabelo 15 hours ago

      Come on dude.

      • SpicyLemonZest 14 hours ago

        This kind of interstitial warning was very common on old web forums to prevent people from being tricked by third parties with malicious links. I understand why you'd worry that Google might have reinvented it for self-interested purposes, but if that were the case why wouldn't they do it all the time?

      • fragmede 13 hours ago

        Why does it not seem likely that spammers would attack YouTube and try to use their redirector to attack users to you?

        The pattern attackers would use is to figure out how to use the redirector at hxxps://www.youtube.com/redirect?event=channel_description&redir_token=QUFFLUhqbGhxcFJubU9YV0RqWkY3bVlnQUdtZFBTSG5Dd3xBQ3Jtc0treWdqWS1ZX2tFdWlUa3NmY09tc2RUOFN6VUh5WDB2eTFGbE5hUTlFY25VZHROLVgyMVRJR2Mzd0QySUxidGNHYkNOd1FqQXNsTk1zcFBLWF83UHMxTDRIaGdsSGJfRjFveHlwNS1FbUt6bXg3TmhFRQ&q=http%3A%2F%2Fwww.penguinrandomhouse.com

        to point at www.looks-like-youtube-but-is-phishing.ru instead of www.penguinrandomhouse.com. Then, when the attacker manages to take over someone's Facebook Messenger account, they send "check out this cool youtube video" to all of that user's friends. Because the URL has the domain youtube.com, it's trusted, so they'll click on the link. If the redirector simply redirected, a non-zero amount of victims would then have a tab opened to www.looks-like-youtube-but-is-phishing.ru that says they've been logged out of youtube, enter your username and password to login and watch this really really funny cat video that your mom/boyfriend/sister/crush/whatever just sent you.