- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Wed, 22 Nov 2006 13:44:08 -0600
- To: <public-wsc-wg@w3.org>
For ACTION-6: Formalize the statement regarding users not relying on information within URL strings for establishing context (or security context)

Evolving text at: http://www.w3.org/2006/WSC/wiki/TrustMe

Initial text is:

Similar to the HTML page it identifies, a URL is itself content under the control of the host server. Like HTML, there are some restrictions on the overall form and syntax of the URL; however, within these bounds the content provider has significant freedom to craft a URL that communicates the content provider's message. This feature can be used to significant advantage by both legitimate content providers and phishers.

The browser must not present the page URL as if it were any more reliable than the page content. In particular, presenting the page URL as if it were content that can be accurately vetted by the user is misleading and assists the phisher. Multiple studies [1] have demonstrated that even an experienced user who has been alerted to the possibility of fraud is unable to reliably perform this vetting task. The content of a URL can be just as deceptive as the content of a web page, and so is not a usable source of security context information for the user.

[1] http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
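As an added illustration (not part of this message or the WSC wiki text), the Python below separates the one URL component a connection is actually made to, the host, from the components whose text the host operator chooses freely (userinfo, path, query, fragment); the sample URLs are constructed placeholders on example.net.

```python
"""Which parts of a URL are free-form text chosen by the host operator?

Added illustration, not part of the W3C WSC text. Uses only the standard
library URL parser (RFC 3986 generic syntax) and constructed sample URLs.
"""
from urllib.parse import urlsplit


def host_vs_free_text(url: str) -> dict:
    """Split a URL into the host and the operator-controlled remainder.

    The host is what DNS resolution and any TLS check are bound to; every
    other component is text the operator of that host picks at will, within
    the syntactic limits the URL grammar imposes.
    """
    parts = urlsplit(url)
    # .hostname drops userinfo and port and lower-cases the name, so it is
    # the name the browser connects to rather than the text the user sees.
    host = parts.hostname or ""
    free_text = {
        "userinfo": parts.username or "",
        "path": parts.path,
        "query": parts.query,
        "fragment": parts.fragment,
    }
    return {"scheme": parts.scheme, "host": host, "free_text": free_text}


def free_text_length(url: str) -> int:
    """Number of URL characters that are wholly under the operator's control."""
    return sum(len(v) for v in host_vs_free_text(url)["free_text"].values())


# Constructed samples: identical host, very different-looking URL strings.
SAMPLES = [
    "https://example.net/",
    "https://some-label@example.net:8443/any/text/the/operator/chooses?q=1#f",
]

if __name__ == "__main__":
    for url in SAMPLES:
        info = host_vs_free_text(url)
        print(f"{url}\n  connects to host={info['host']!r}, "
              f"operator-chosen characters={free_text_length(url)}")
```

Only the `host` value is tied to the server at all; the rest is as much the operator's message as the HTML body, which is the point the text above makes.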
Received on Wednesday, 22 November 2006 19:55:32 UTC