I remember a couple of things from my earliest days when I learned about security.
- One was SQL injection. That was a “wow”, touché, and from that I learned to always quote (or actually to always use stored procedures in that era).
- Another was path traversal, and the fix was to always avoid user-controlled input for file systems if you could, or sanitize and anchor if you can’t.
- The third was open redirects, and the answer was to not use them. Full stop. If you wanted redirects, they needed to be entered by a trusted source.
So why in 2026 does Google allow this?
https://meet.google.com/linkredirect?dest=https://vendiadvertising.com
Okay, I know why, but I don’t agree.
> Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways. For this reason, we invest in technologies to detect and alert users about phishing and abuse instead. More generally, we hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.
So is Google’s position that users should just blindly click all links because they can trust that Google made the bad ones go away?
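
For contrast, here is the "entered by a trusted source" rule from the list above applied to a `dest` parameter. This is an added example, not code from this post or from Google: the destination is honoured only when it is an https URL on a host an administrator registered. The host names, `FALLBACK` and the function name `safe_redirect_target` are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: hosts registered by a trusted administrator, not by the request.
TRUSTED_HOSTS = frozenset({"docs.example.com", "support.example.com"})
FALLBACK = "/"  # where to send the user when dest is rejected


def safe_redirect_target(dest: str) -> str:
    """Return dest only if it is an https URL on a registered host, else FALLBACK."""
    # Browsers strip or reinterpret whitespace and control characters; refuse them.
    if not dest or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in dest):
        return FALLBACK
    # Browsers treat "\" like "/", urlsplit does not, so the two would disagree on the host.
    if "\\" in dest:
        return FALLBACK
    try:
        parts = urlsplit(dest)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK
    # Rejects scheme-relative "//host", relative paths, javascript:, data:, http:.
    if parts.scheme != "https":
        return FALLBACK
    # "https://trusted@other-host/" displays the trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return FALLBACK
    if port not in (None, 443):
        return FALLBACK
    # Exact match only: no suffix or substring tests, so "docs.example.com.evil.example" fails.
    if (parts.hostname or "") not in TRUSTED_HOSTS:
        return FALLBACK
    return dest


def check_samples() -> dict:
    """Run the validator over constructed inputs plus the destination from the post's link."""
    samples = [
        "https://docs.example.com/guide?page=2",
        "https://vendiadvertising.com",
        "//docs.example.com/guide",
        "https://docs.example.com@evil.example/",
        "https://docs.example.com.evil.example/",
        "https:\\\\docs.example.com/",
        "javascript:alert(1)",
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for sample, result in check_samples().items():
        print(f"{sample!r:50} -> {result!r}")
```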