[technology taskforce] Google Developers : Humans can't read URLs. How can we fix it? - HTTP 203

Dev Anand Teelucksingh devtee at gmail.com
Sat Feb 8 11:50:00 UTC 2020 

Another point I missed - one could  try  verify the owner of the url from
the Whois if they were aware of Whois in the first place. But it seems
likely that the replacement to Whois data underway with the EPDP
discussions (triggered by the GDPR) will create barriers to see who owns a
domain.

Dev Anand

On Sat, 8 Feb 2020 at 7:33 AM, Dev Anand Teelucksingh <devtee at gmail.com>
wrote:

> Well most persons would
> - click on links,
> - see visually the site looks like the site they are used to,
> - may see a padlock so they think it’s safe ;  - may see from the url bar
> if the domain is the one they are accustomed to ;
> - see the name of the company/service they are going to as part of the
> long URL and assume it’s legit.
>
> - consider how long URLs  to documents or files are delivered
> https://community.icann.org/display/atlarge/2020-01-27+At-Large+Technology+Task+Force+Call?preview=/126420432/126422910/atlarge-technology-taskforce-27jan20-en.pdf
>
> A bad person could create a link like
>
> https://community.icann.org.can.work/display/atlarge/2020-01-27+At-Large+Technology+Task+Force+Call?preview=/126420432/126422910/atlarge-technology-taskforce-27jan20-en.pdf
>
> and I dare say most would find it hard to figure out whether it’s legit or
> not. And if the link to the file is a malware file that opens and executed
> on clicking, then it’s too late.
>
> Dev Anand
>
> On Fri, 7 Feb 2020 at 3:59 PM, Johan Helsingius <julf at julf.com> wrote:
>
>> The fact is that people click on links and do searches, they don't type
>> in domain addresses.
>>
>> Anyway, how do you know "mybankinfo.com" is a safe site in the first
>> place? And if someone can steal credentials or place malware, looking at
>> the URL won't help.
>>
>>         Julf
>>
>> On 07-02-2020 20:52, Dev Anand Teelucksingh wrote:
>> > A large problem is when bad persons obscure the domains of companies in
>> > phishing campaigns so that persons go to the bad persons' website on
>> > another domain and steal their credentials or get malware installed.
>> >
>> > So say you get an email link from a trusted person whose been hacked
>> > saying - "hey we're not sure your paycheck was delivered to mybankinfo.
>> > Can you login to mybankinfo.com.paymentlogin.info
>> > <http://mybankinfo.com.paymentlogin.info> and check?
>> > The challenge is that persons may just see "mybankinfo.com
>> > <http://mybankinfo.com>" and assume they are going to the
>> mybankinfo.com
>> > <http://mybankinfo.com> site.
>> > And because they clicked on the link, how would the browser "know" what
>> > the site you really intended to go to?
>> >
>> > Dev Anand
>> >
>> > On Fri, Feb 7, 2020 at 3:04 PM Johan Helsingius <julf at julf.com
>> > <mailto:julf at julf.com>> wrote:
>> >
>> >     On 07-02-2020 19:49, Dev Anand Teelucksingh wrote:
>> >     > Hmm....How would persons know what is the website they are
>> viewing on
>> >     > without the URL?
>> >
>> >     How many users check out the website info in URLs anyway? How will
>> they
>> >     know that Mybankinfo.com is OK, but mybank.info <http://mybank.info
>> >
>> >     isn't?
>> >
>> >     Shouldn't it be the job of the browser to check if the web site is
>> the
>> >     one you want to talk to (based on certificates)?
>> >
>> >             Julf
>> >
>> >     _______________________________________________
>> >     ttf mailing list
>> >     ttf at atlarge-lists.icann.org <mailto:ttf at atlarge-lists.icann.org>
>> >     https://mm.icann.org/mailman/listinfo/ttf
>> >
>> >     _______________________________________________
>> >     By submitting your personal data, you consent to the processing of
>> >     your personal data for purposes of subscribing to this mailing list
>> >     accordance with the ICANN Privacy Policy
>> >     (https://www.icann.org/privacy/policy) and the website Terms of
>> >     Service (https://www.icann.org/privacy/tos). You can visit the
>> >     Mailman link above to change your membership status or
>> >     configuration, including unsubscribing, setting digest-style
>> >     delivery or disabling delivery altogether (e.g., for a vacation),
>> >     and so on.
>> >
>> >
>> > _______________________________________________
>> > ttf mailing list
>> > ttf at atlarge-lists.icann.org
>> > https://mm.icann.org/mailman/listinfo/ttf
>> >
>> > _______________________________________________
>> > By submitting your personal data, you consent to the processing of your
>> personal data for purposes of subscribing to this mailing list accordance
>> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
>> the website Terms of Service (https://www.icann.org/privacy/tos). You
>> can visit the Mailman link above to change your membership status or
>> configuration, including unsubscribing, setting digest-style delivery or
>> disabling delivery altogether (e.g., for a vacation), and so on.
>> >
>>
>> _______________________________________________
>> ttf mailing list
>> ttf at atlarge-lists.icann.org
>> https://mm.icann.org/mailman/listinfo/ttf
>>
>> _______________________________________________
>> By submitting your personal data, you consent to the processing of your
>> personal data for purposes of subscribing to this mailing list accordance
>> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
>> the website Terms of Service (https://www.icann.org/privacy/tos). You
>> can visit the Mailman link above to change your membership status or
>> configuration, including unsubscribing, setting digest-style delivery or
>> disabling delivery altogether (e.g., for a vacation), and so on.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ttf/attachments/20200208/3460cb95/attachment-0001.html>

More information about the ttf mailing list