RE: ACTION6: URL display as anti-pattern

Hi George, 

George Staikos wrote:
>    This is a very interesting point.

Thanks.

>  It seems to me that the pure  
> domain name we are connected to is what we are concerned with.   
> Although that can be "fudged" with, it is much more obvious than
> when we have the entire URL.  Perhaps the entire URL should become
> an 'advanced' feature, used for creating or passing links around.

I think even asking the user to vet the domain name is asking too much.
As humans, we're just not very good at noticing deceptive changes in the
actual characters of an expected text. As I think Thomas phrased it
during the f2f, we read in error correcting mode. All the phishing
studies I've read have borne out this theory. Domain names can be very
deceptive: www.bankofthevvest.com, paypal.secure.com, paypa1.com, etc.
We need to provide the user with a site identifier which will not
attempt to deceive the user. This means we can't use text that came from
the potential attacker.

Frankly, I think we would be better off removing the Location bar from
the default browser user interface. I think it does more harm than good.
I know this sounds like a huge change, so I'll float an idea that we can
chew on until we get to the stage of the working group where we're
working on these specifics. Consider replacing the Location bar with a
slightly tweaked search bar. This search bar is different from today's
search bar in two important ways: it immediately clears its display
after submitting its search; and it does a GET, instead of a search, if
a URL is entered, but again immediately clears its display. Such a
search bar is not all that different from today's Location bar. If we
went in this direction, the only site identifier provided by the chrome
would be something like a petname tool, or an EV certificate display. We
would still need to do some work to integrate this display into the
browsing workflow, so that the site identifier is not ignored by the
user. I've got some ideas on how to do that.

Thoughts? Would Konqueror seriously consider dropping the Location bar
from the default user interface? Or is it too big a change? Pushing in
this same direction, I'ld like to see the browser move all potentially
misleading data out of the chrome area, providing a graphically clear
dividing line between what is reliable and what is suspect.

Tyler

On 22-Nov-06, at 7:44 PM, Close, Tyler J. wrote:
> For ACTION-6: Formalize the statement regarding users not relying on 
> information within URL strings for establishing context (or security
> context)
>
> Evolving text at: http://www.w3.org/2006/WSC/wiki/TrustMe
>
> Initial text is:
>
> Similar to the HTML page it identifies, a URL is itself content under 
> the control of the host server. Like HTML, there are some restrictions

> on the overall form and syntax of the URL; however, within these 
> bounds the content provider has significant freedom to craft a URL 
> that communicates the content provider's message. This feature can be 
> used to significant advantage by both legitimate content providers and

> phishers.
>
> The browser must not present the page URL as if it were any more 
> reliable than the page content. In particular, presenting the page URL

> as if it were content that can be accurately vetted by the user is 
> misleading and assists the phisher. Multiple studies [1] have 
> demonstrated that even an experienced user who has been alerted to the

> possibility of fraud is unable to reliably perform this vetting task.
> The content of a URL can be just as deceptive as the content of a web 
> page, and so is not a usable source of security context information 
> for the user.
>
> [1] http://people.deas.harvard.edu/~rachna/papers/
> why_phishing_works.pdf
>

--
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/

Received on Monday, 4 December 2006 19:52:07 UTC