> URIs have a rather well defined type and you can easily detect a malformed URI.
The average internet user is unlikely to be able to detect a malicious URL. Do you think the average person can tell which of these URLs is legitimate, and owned by Example inc.?
- example.com/profiles/al
- example.com.profiles.al
- examp1e.com/profiles/al
- example.co/profiles/al
etc etc.
Safari already only shows the hostname to help with visual identification - this doesn't help with different-but-similar hosts, but it does help regular users to see what website they're on, if they are unfamiliar with the protocol/host/path structure of URLs. Which they shouldn't have to be.
I disagree that what Safari is doing is good for the user. Safari used to show https://stripe.ian.sh/ as "Stripe, Inc". By hiding the URL, it significantly increased the phishing potential of the website. Feel free to visit the above false stripe site, it's not malicious and has a great write up in the issue. In this case they are putting a lot of blame on EV Certificates - which I agree causes more harm than good - but Safari's decision to cover up the URL made the issue significantly worse.
That is unrelated to the "hide the path" functionality - as you pointed out, it's because they displayed the EV name instead of the URL. That's a separate, and much more harmful, UI choice - because EV certificates are poor evidence of association.
> The average internet user is unlikely to be able to detect a malicious URL. Do you think the average person can tell which of these URLs is legitimate, and owned by Example inc.?
I think you are missing my point of that statement, which is that this is not a problem with the type of the URI, and that there is no basis for the idea that "If you advocate for type safety within software, you should also advocate for a better system than URIs."
Either way, to answer your question, no one can tell which of those URLs are legitimate without Example Inc. first communicating their official address to them.
> Safari already only shows the hostname to help with visual identification - this doesn't help with different-but-similar hosts, but it does help regular users to see what website they're on, if they are unfamiliar with the protocol/host/path structure of URLs. Which they shouldn't have to be.
I'm against the idea that a user shouldn't need to know what they are doing on such a fundamental level. This is an attitude that people tend to have towards software and computers in general that doesn't really exist for other useful-but-dangerous technology with mass appeal like cars. It promotes magical thinking which I think may leave the users even less aware of the risks than they already are. Risks that don't somehow stop existing because you hide trivial information from the user. If properly educating people in using these systems is not an option, maybe letting them touch the hot stove isn't such a bad thing.
When you try to water some information embedded in a URI down for the dumbest user, you invariably hide or even misrepresent information. Safari only displaying host names is a great example of this, but another favorite of mine is how Chrome displays "Secure" in the address bar to indicate HTTPS with a verified certificate. In reality, it is of course only a very limited sense in which anything I do at that address is secure. A sense which the user that this was watered down for most likely won't recognize, instead being instilled with a false sense of security. By all means, color code the different parts of the URI, add tool tips or whatever, but don't hide what's actually there from someone that has every reason to care.
When some user on example.com starts impersonating Al, how does Safari hiding everything but the domain help the user differentiate "example.com/profiles/al" from "example.com/profiles/fakeal"?
I'm not trying to be BOFH here... but it's not unreasonable to expect web users to have the same basic knowledge of a URL that they have for a telephone number. Most (perhaps nearly all?) telephone users in the US know that in 123-456-7890, the "123" is an area code, "456" is an exchange, and "7890" is the line number. URLs are not that different. A similar knowledge of URLs would serve users well.
You're right, my phone number comment really didn't add up after I read your response. I can't think of a good solution for your example, even something as well known as Steam or American Eagle falls apart when the average person is presented with multiple choices. Short of spending loads of $$$ buying every domain similar to your company name, I don't see any good solutions. Sad state of affairs :(
It would, but the web is a mass-market project - while it would be nice if everyone understood how to read a URL, we should cater to the lowest (within reason) common denominator - especially when it comes to security.
The threat model for phone numbers is considerably different, not least due to the link-based nature of the web and email. The URL takes on the role of both the number and the caller ID (if caller ID didn't suck) - you should be able to be confident that you're talking to who you think you're talking to.
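An added example, not part of any comment in this thread: a host-level check over the URLs quoted above, showing which lookalikes software can flag once the official host is known and which case it cannot. The expected host, the verdict names and the distance threshold are assumptions made for illustration.

```javascript
// Assumption: the host Example Inc. has officially published.
const EXPECTED_HOST = "example.com";

// Constructed sample: the URLs quoted in the thread, plus the same-host
// impersonation case. They carry no scheme, so one is prepended for parsing.
const SAMPLES = [
  "example.com/profiles/al",
  "example.com.profiles.al",
  "examp1e.com/profiles/al",
  "example.co/profiles/al",
  "example.com/profiles/fakeal",
];

// Levenshtein edit distance, keeping only the previous row in memory.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify a URL by its hostname only, which is all a host-only address bar shows.
function classifyHost(rawUrl, expected = EXPECTED_HOST) {
  const host = new URL("https://" + rawUrl).hostname.toLowerCase();
  if (host === expected) return { host, verdict: "exact-match" };
  if (host.endsWith("." + expected)) return { host, verdict: "subdomain-of-expected" };
  // The expected name used as leading labels of a different domain.
  if (host.startsWith(expected + ".")) return { host, verdict: "expected-as-prefix" };
  // Threshold of 2 edits is an arbitrary choice for this example.
  if (editDistance(host, expected) <= 2) return { host, verdict: "near-miss" };
  return { host, verdict: "unrelated" };
}

for (const u of SAMPLES) {
  const { host, verdict } = classifyHost(u);
  console.log(`${u} -> ${host}: ${verdict}`);
}
```

The last sample comes back as an exact match: a host comparison has nothing to say about `profiles/al` versus `profiles/fakeal`, which is the path-level case raised in the thread.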