
> "Also, (2) if you want to protect other people from falling victims to scams like these: tell them to always look at the url bar. Always."

This is good advice; as things stand right now, it is in fact the best advice we can give.

In absolute terms it is borderline useless advice. Many companies still communicate from and operate from domains other than their well-known main domain.

How is anybody supposed to know that windowsupdate.com is a legit Microsoft domain? What about windowsazure.com? How do you know that fbcdn.net belongs to Facebook, but fbabc.com does not? Why isn't gdynamic.com a Google asset like gstatic.com? lufthansa.com, lufthansa.de, lufthansa.at, lufthansa.ch are all legit, so why are lufthansa.li and lufthansa.lu not?

Sure, you can check WHOIS, but that just shifts the issue one level lower.

"[..] always look at the url bar." - Please do, but don't expect it to be enough to be 100% safe. In the world we live in anyone can be phished.




There has also been a push by Google and others lately to "dumb down" the url bar to hide the full address from users. Not sure why, but I assume the justification would be some misguided attempt at making it look nicer, while the real reason is somehow ad-related.


One of the justifications is that showing only the hostname will make it easier to recognize malicious hostnames; as it is, the typical non-technical user just sees a bunch of stuff, doesn't really know how to distinguish hostname from path.

I buy it honestly.


How are they supposed to learn about it, or at least be curious about it, if they do not even see it?

>I buy it honestly.

Phishing should look nice to the victim?


In the case of OP, what the user would see in the bar would be 'delivery-85367.icu' which looks very suspicious.


They would see nothing because they do not look there anymore at all. The average person would think: "it's some bug with showing the name of the site" and would ignore it, because users get used to the 'barely working everything' with computers these days.


The idea is not to make phishing look nice to the victim, it's to make it more obvious that it's phishing to the attempted victim. The path component is irrelevant to detecting phishing, but the host component is very relevant.

I don't know if there's any research on users to confirm that this works. It would be good to do such research before making such a change, if that's the motivation for the change. But it seems plausible to me.


>... The path component is irrelevant to detecting phishing ...

What becomes irrelevant is the address bar itself, for the user.

The user simply doesn't look at it at all, because it usually does not change with each click. So it appears irrelevant and disconnected from the actions the user takes.

To a non-technical person it looks like "some name of the web site which doesn't always show the right name, but it's ok because hey, nothing works perfectly on computers anyway ... so it doesn't matter". This is how it looks to the average person. They do not even understand why it's there. "It just takes up space ... Why is it there? The site shows its name on the page anyway ... " They just have no idea what is going on, thanks to this wonderful idea of removing the real address bar ... Not that they were too aware before, but at least you could explain it to them ... not anymore.

According to my experience, non-technical people have just lost the concept of the url completely and do not even know where it is, even when one asks them about it specifically. These are the 'real' results of this idiotic idea which I observe in practice, and unfortunately I observe it too frequently to ignore it. But hey .. the downvoters of my previous sarcastic post seem to be very happy to ignore the reality. They would rather stick to their wise decision and downvote reality if they do not like it. Good luck with that.


It isn't just Google. Multiple browsers have flirted with hiding it.

There are various mindsets that lead to wanting to do that - one designer I know calls it a debugging tool that should never have been released in the first place.

For others, it is clearly about controlling the user with various justifications.

(I consider it a canary. Its removal will be a signal that the HugeCos are comfortable relegating the non-corporate web to the fringe, Usenet-style. It will be there, and you can get to it if you go way out of your way, but what is there will mostly be automated spam and weirdness, tons of examples of specific use cases, and a few folks who have been arguing with each other since 1992.)


> one designer I know calls it a debugging tool that should never have been released in the first place

I've heard similar comments but I don't understand how people would be expected to navigate around the internet? Is the idea that Google's search input should replace it? So if I want to go to sec.gov I should search SEC and click the link (hopefully) provided at the top of the results rather than just go there directly? It just doesn't make sense to me.


In my limited experience, most browsers do what you describe already. Unless you type a 100% correct URL (and sometimes even if you do), a normal browser will send your URL string to Google (or a similar entity), who will send back a redirect. The process is fast enough for you not to notice.

It is often possible (if hard) to configure browsers to do traditional URL resolving, but I wouldn’t bet on it always being possible. Google certainly has every reason to disallow reconfiguring their own browser to not send data to Google.


The url you type is 100% correct. Sure, maybe you made a typo, but the browser didn't know that. It isn't sending your url to Google and waiting for a redirect. A redirect to what? A different url?


No, a redirect to the correct URL, the URL you typed, or meant to type.


This and the proliferation of gold-rush TLDs like the .icu mentioned in the article make me feel like we're pretty well all the way there. For all my fighting the good fight, I'm just one more voice in the wilderness, though, and everyone wants their magic boxes without caring what's going on inside them - until they get bitten.


> Multiple browsers have flirted with hiding it.

Safari has been doing this for a while now, yet no one is up in arms about it.


My interpretation is that they don't want users to go to a specific URL, Google wants users to search for it (and click an ad) on Google.


> There has also been a push by Google and others lately to "dumb down" the url bar to hide the full address from users. Not sure why but I assume the justification would be some misguided attempt at making it look nicer while the real reason is somehow ad related.

Suggesting Google might do anything without ad-related motives is probably too generous, but I've always thought that this was an optimisation in the sense that it's built on optimism: when everything's working well, most of what's in the URL bar is irrelevant. So the bar is built towards working well in the best case, at the expense of becoming much less useful in the worse (and probably more common) case.


I think the reason was mostly AMP.

Hiding/obscuring details from the URL bar seems like much less of a big deal if the goal is to rehost someone else's content. The value statement of the URL goes down a lot in that case, and the push to drive users away from it starts to make sense.

Either which way, I still hate it - The only non-work related ticket I've put in for chromium was a request for an option to disable this behavior entirely.

It's bad form from folks who should know better.


> I think the reason was mostly AMP.

Safari on both mobile and desktop started doing this years before AMP was a thing.


Safari has been doing this for years. The justification is partly because it makes the domain more obvious, especially on a mobile device where you have limited screen width. https://www.netflix.com.evilcorp.com would simply show up as evilcorp.com if only the domain is shown.


Plus the redirect shenanigans some companies pull are pretty ridiculous too. It seems like when logging into an intranet protected by MS login, it flashes through about 15 different domains that I can't even make out.


Two days back I searched for the Indian Govt. Tax website in Google (it had changed the website recently) after DDG did not produce the desired result, and logged into one of the top results.

The password manager didn't suggest my password. I attributed it to the recently changed website domain or a site quirk and quickly copied my password from the manager to the site, only to get an SSL certificate revoked notification.

I had logged into a phishing site mimicking the old url of the Indian Govt.'s tax website. I quickly tweeted out to some journalists [1], and the website went down soon enough.

I've never been phished before AFAIK (this wasn't targeted; I've protected myself from a couple of targeted attacks & helped several others in the past), and even though this is embarrassing I want to state a couple of reasons why my usual rationale didn't work this time.

1. The new tax website being quirky (to say the least) was in the news constantly, and my CA kept complaining about it for the past several days. I expected a quirky website even before I logged in. Even our Finance Minister had complained publicly to the Chairman of Infosys (who developed it) on Twitter about the issues with the site days earlier.

2. I made a couple of prior searches in Google as I didn't get the website where there was a login, so I think Google produced less trustworthy results on my final attempt. I've noticed this happen in Google in the past as well, i.e. when you enter the same search term a couple of times, the 3rd or 4th results are not the same as the 1st on the front page.

3. The muscle memory to check https and the URL didn't help much, as the site had SSL and the URL was close enough to the old IT website's unmemorable subdomain URL. The 'filing' was 'filling', and the domain was co.in instead of gov.in (which of course I didn't notice).

4. The password manager not working should've caused me to check the domain again, but see (1).

I presume this was the intended sequence of events for the scammer, especially since many are searching for the old Income Tax website. But I never expected the phishing site to make it to the Google front page this soon.

[1] https://twitter.com/heavyinfo/status/1409761416865746956
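An added illustration (my own code, not any commenter's) of the two points made in this thread: reducing a URL to the domain a "domain-only" address bar would show, as in the www.netflix.com.evilcorp.com example further down, and flagging near-miss lookalikes of the 'filing'/'filling', co.in/gov.in kind described above. The suffix table is a tiny stand-in for the Public Suffix List, and taxfiling.gov.in / taxfilling.co.in are constructed sample domains.

```javascript
// Added example: what a "domain-only" address bar would display, plus a
// lookalike check against the domains the user actually expects.
// Assumption: a few hard-coded multi-label suffixes stand in for the real
// Public Suffix List (which is what a browser would consult).
const MULTI_LABEL_SUFFIXES = new Set(["co.in", "gov.in", "co.uk", "com.au"]);

// Registrable domain = suffix plus one label, so "www.netflix.com.evilcorp.com"
// collapses to "evilcorp.com" and "portal.taxfilling.co.in" to "taxfilling.co.in".
function registrableDomain(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  const labels = host.split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Plain Levenshtein distance; small values mean a typo-squat style lookalike.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const sub = d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, sub);
    }
  }
  return d[a.length][b.length];
}

// Verdicts: "match" (expected domain), "lookalike" (within 3 edits of one),
// or "unknown" (unrelated host, e.g. the evilcorp.com case).
function classify(urlString, expectedDomains) {
  const shown = registrableDomain(urlString);
  if (expectedDomains.includes(shown)) return { shown, verdict: "match" };
  const closest = expectedDomains.find((e) => editDistance(shown, e) <= 3);
  return { shown, verdict: closest ? "lookalike" : "unknown", closest };
}

// Constructed sample inputs.
const EXPECTED = ["netflix.com", "taxfiling.gov.in"];
for (const u of [
  "https://www.netflix.com/browse",
  "https://www.netflix.com.evilcorp.com/login",
  "https://portal.taxfilling.co.in/login",
]) {
  console.log(u, "->", JSON.stringify(classify(u, EXPECTED)));
}
```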


Until they build a fake Chrome window with the correct URL... https://twitter.com/chokotrix/status/1376979077748375553


Plus, many companies outsource many services to some SaaS third party, like payments, order tracking, even inventory and other stuff. They come with funny domain names and it's borderline impossible to tell what's legit and what's not.

And now I should tell my 70+ year old mom to "always look at the url bar"? That's entirely useless.



