Last week Steve Gibson of Gibson Research Corporation (GRC) made some really interesting observations about parsing URLs, in particular when you’re talking to less technically inclined people (think parents) about staying safe on the web. There are certain rules that experienced web surfers follow to stay safe. There are URLs that set off red flags, and you just know to stay away from them. But how do you explain them to less experienced users? Here’s an excerpt from Security Now podcast episode 229, The Rational Rejection of Security Advice:
And then there’s the problem of www.paypa1.com. Looks like PayPal to a cursory view. But it’s a number one. And so we have to explain to them, okay, that’s not the same. So look carefully, make sure every letter is what you expect, not something that looks similar. Oh, and by the way, www.paypal.ru, that’s bad, too. You know, there is no PayPal in Russia. You can pretty much guarantee that you’re going to have a bad experience if you go to PayPal.ru. So then we have to explain to them that the com is important. But then the next thing over, the second level domain name, is really where you’re going. Except there’s Amazon.co.uk. That’s good. But BofA.co.uk, oh, that’s bad. So, I mean, think about how incredibly confusing the knowledge of how to parse a URL … and another favorite of mine is if we tell them that you have to read from the right to the left because of course URLs, you know, we have com as the top level domain, and then the second level domain is where you’re going. So, for example, we explain that www.paypal.com.drevil.com… that’s bad, too, because that’s really DrEvil.com, and it’s a machine down the tree from him… And then – I’ll wrap this up. Because if then they’re presented with www.drevil.com/www.paypal.com, now they’re thinking, oh, good… It’s fine because it’s PayPal.com on the right. But no, that’s behind a slash, so that’s a directory of DrEvil.com, and you’re in trouble… I mean, there’s so many ways this can be wrong.
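The right-to-left rule from the excerpt, written out as a small Python checker: strip the public suffix, keep one more label, and ignore everything after the first slash. This is an added example, not code from the podcast or from GRC; the PUBLIC_SUFFIXES table is a constructed stand-in for the real Public Suffix List, holding only the suffixes the excerpt's examples need.

```python
from urllib.parse import urlsplit

# Constructed, minimal stand-in for the Public Suffix List (publicsuffix.org).
# A real checker loads the full list; "co.uk" is here so Amazon.co.uk parses
# the way the excerpt says it should.
PUBLIC_SUFFIXES = {"com", "ru", "uk", "co.uk"}


def registrable_domain(url: str) -> str:
    """Return the domain that actually controls where a URL goes.

    Read the host right to left: drop the longest matching public suffix,
    then keep exactly one more label. Anything after the first '/' is a
    path on that host and is ignored entirely.
    """
    if "://" not in url:
        url = "http://" + url  # bare hostnames, as people type them
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Longest public suffix wins, so "co.uk" is tried before "uk".
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])  # no known suffix: last two labels


def same_site(url: str, expected: str) -> bool:
    """True only if the URL really lands on the expected registrable domain."""
    return registrable_domain(url) == expected.lower()


if __name__ == "__main__":
    # The excerpt's examples: every one of these should print a different
    # controlling domain except the genuine PayPal link.
    for u in ("https://www.paypal.com/signin",
              "www.paypa1.com",
              "www.paypal.ru",
              "www.paypal.com.drevil.com",
              "www.drevil.com/www.paypal.com"):
        print(f"{u:35} -> {registrable_domain(u):15} "
              f"{'OK' if same_site(u, 'paypal.com') else 'NOT paypal.com'}")
```

The lookalike "paypa1.com" is caught here only because the comparison is exact; a domain checker does not replace looking at every letter, it just removes the "which part of the URL matters" guesswork.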