While this is a legitimate problem, the article seems to be a disguised advertisement for NordVPN and 1Password, who Troy Hunt is partnered with [1] [2]. There is a clear bias towards suggesting that the solution to the problem is that everyone signs up and pays for these services.<p>[1] <a href="https://www.troyhunt.com/im-partnering-with-nord-as-a-strategic-adviser/" rel="nofollow">https://www.troyhunt.com/im-partnering-with-nord-as-a-strate...</a><p>[2] <a href="https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/" rel="nofollow">https://www.troyhunt.com/have-i-been-pwned-is-now-partnering...</a>
A password manager helps simply because it "remembers" exactly what sites you've been to in the past and if you go to a different site with a same looking url it won't auto-fill.<p>Well, your browser also has a history of all the sites you've been to in the past, and people tend not to go to a lot of random sites. It would be pretty simple to display something when you go to a site you've never been to before. Just an unobtrusive, but not too unobtrusive, "this is your first visit to this site.". So when you see that on googie.com you might double check where you are. If the site url is similar to one you've been to in the past it could even say "Did you mean to go to one of these sites with similar looking names?...."<p>I'm not sure what the deal is with shilling for a vpn, or how that helps. It doesn't.
The issue with solving this problem is the incentives are mostly "how can we get Google/Apple/Microsoft/Facebook users to not get phished" since they are the strongest voices in the room when this kind of thing happens, but then half the time we get solutions like "what if we pre-registered a list of 'popular' companies and flagged everything else" which of course hurts everyone that doesn't make the list. And the other half of the time you get "what if we kept a 'bad list' of websites people shouldn't go to" and you have the constant issue of scammers staying one step ahead of these things and/or benign websites being flagged. There still doesn't seem to be a good way to have people associate their identity with a domain on the web.
Why must there be exactly one solution that solves everything? We don't expect that anywhere else in life.<p>Obviously it's best if there was a simple automated solution that worked in all cases, but there is no such thing. Password managers are great, but they don't counter disinformation from sites you don't have a password with. Preventing access to malicious sites only works if it's known to be malicious; new sites will always slip through (and attackers can keep creating new sites), false positives are a problem, and not everyone can afford them. Reputation systems can be gamed.<p>In many cases you try to make it so that an attacker has to pass multiple barriers, instead of pinning your hopes on a single perfect solution. Usually there isn't one.<p>So yes, DO display the URL; use fonts, lowercased domains, colorize each character by Unicode region, or whatever you have to do to help users detect when there could be a problem. Then let users check. Some URLs will slip through, but I'll note that a LOT of people picked up the "googIe.com" in the survey - it wasn't randomly distributed.<p>DO use a password manager. That will dramatically help if you've previously logged into that site.<p>I'm less excited about filtering domains, especially because some implementations are privacy disasters. But if done in a privacy-respecting way, I can see some value. But only SOME value - they are NOT a panacea. And many will not use them.<p>The goal isn't to find the one true answer; the goal is to make it unlikely for an exploit attempt to work. If you CAN come up with a perfect automated defense that's affordable, great, do that. In most circumstances you need multiple defensive mechanisms so that the attacker has to overcome multiple very different barriers.
For Firefox, you can disable IDN in the urlbar with:<p><pre><code> user_pref("network.IDN_show_punycode", true);
</code></pre>
in your user.js. Then all URLs will appear in their punycode form, e.g. apple.com with the Cyrillic glyphs will show as:<p><pre><code> https://www.xn--80ak6aa92e.com/
</code></pre>
Is this good enough? Probably not in general.<p>- It relies on you to notice the URL bar after you've clicked a link. Worse, it relies on you to notice the URL bar after you've clicked a link <i>and</i> after the website has begun loading long enough so that Firefox changes the URL to the target.<p>- If you're someone who does actually visit websites with punycoded domains regularly, then this conversely makes it harder for you to know you're on the right domain.<p>- Even if you notice the URL is wrong, you've already started loading the page. Best case your IP is now known to that server. Worst case it had a malicious payload for your browser / OS / hardware and your content blocker wasn't configured / able to block it.<p>It's good enough for me, at any rate.
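As an added illustration (not part of the comment above, nor of the article it discusses), here is a short Python script that does by hand what the punycode pref makes visible: it decodes `xn--` labels and reports which scripts each label's letters belong to, so a label written entirely in Cyrillic (the apple.com lookalike from the comment) or a label mixing scripts can be flagged without relying on someone reading the URL bar in time. The script-detection heuristic (first word of each character's Unicode name) and the sample hosts other than the page's `xn--80ak6aa92e.com` are my own constructions.

```python
import unicodedata

# Constructed sample input: the page's Cyrillic apple.com lookalike in the
# punycode form Firefox shows with network.IDN_show_punycode set, plus an
# ordinary ASCII host and a constructed mixed-script label (Latin "googl"
# followed by Cyrillic "е", U+0435), punycode-encoded at runtime.
MIXED_LABEL = "xn--" + "googl\u0435".encode("punycode").decode("ascii")
SAMPLE_HOSTS = ["www.xn--80ak6aa92e.com", "www.apple.com", MIXED_LABEL + ".com"]


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; 'xn--' labels are punycode-decoded."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens
    are script-neutral and ignored. Heuristic only, not the Unicode Script property."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def analyze_host(host: str) -> dict:
    """Decode every label and flag the two things a punycode URL bar is hinting at:
    a label written entirely in a non-Latin script, and a label that mixes scripts."""
    labels = host.rstrip(".").split(".")
    decoded = [decode_label(lbl) for lbl in labels]
    findings = []
    for raw, uni in zip(labels, decoded):
        if uni.isascii():
            continue  # plain ASCII labels carry no homoglyph risk of this kind
        scripts = scripts_in(uni)
        if len(scripts) > 1:
            findings.append(f"{raw}: mixed scripts {sorted(scripts)}")
        elif "LATIN" not in scripts:
            findings.append(f"{raw}: non-Latin script {sorted(scripts)}")
    return {"host": host, "unicode": ".".join(decoded), "findings": findings}


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        result = analyze_host(h)
        print(f"{h} -> {result['unicode']}: {result['findings'] or 'no finding'}")
```

Note that the check only fires when a label is non-ASCII; it says nothing about ASCII near-misses such as the "googie.com" example elsewhere in the thread, which need a string-similarity check rather than a script check.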
It's a hard problem, but I don't think there's any solution that doesn't make the web measurably worse.<p>We have consolidation and the exclusion of bit players and new entrants in real life already, and I don't like it. Now we're talking about solving these problems on the internet in a way that seems like it will lead to the same place.<p>I definitely don't want Google to solve this problem for me. Then again, I don't use their search engine nor primarily their browser, so then we end up with "solutions" that are very unevenly distributed.<p>The root issue is that the internet is a very hostile environment, and trying to make it safe seems like a losing cause, a denial of reality.
A browser-based password manager mostly solves the confusables problem. If your password manager matches by domain name, and someone tries to phish you, it will immediately clue you in that something's not right.<p>Unfortunately this doesn't solve the problem in general, because most people don't use password managers.
Can anyone tell me why 1Password is specifically suggested over, say, literally any other password manager?<p>Why is 1Password better than your browser’s own, free, preconfigured manager?
This is one of the reasons why I think it was a mistake for the web browsers to de-emphasize EV certificates.<p>Precisely because they are expensive and difficult to get automatically, they can be an extra protection against phishing.<p>I fear that because of these kinds of URL issues, and with the deemphasis of EV certificates which would have provided a somewhat decentralized solution, we will end up in a world where the author of the browser becomes the ultimate authority on what is a trustworthy URL. That means for most of the users, Google will be the arbiter of what is and is not a trustworthy URL.
I always wondered why browsers don't highlight the address bar with a color sourced from the domain hash. If my bank's site is always pink but after clicking a link it's suddenly teal, could it get any easier?<p>When https green shields and locks appeared, at first I thought it was something like that, only to be disappointed.
This article, despite being an obvious advertisement, was informative. But I’m a bit confused about why this is considered a tricky problem, and why we need technological solutions. I’m no computer security expert, but I don’t think I will be affected. I don’t click on links in emails or (good lord) in text messages. I don’t download executables. I suppose I could end up on a counterfeit site by following a link, say, from Twitter. But I wouldn’t be following a link from Twitter to my banking site. So where is the vector? Am I being naive?
VPNs aren't a good solution<p><a href="https://gist.github.com/joepie91/5a9909939e6ce7d09e29" rel="nofollow">https://gist.github.com/joepie91/5a9909939e6ce7d09e29</a>
I wonder if one can create a browser plugin that judges the similarity of a domain to a set of well-known domains and warns the user when the URL they clicked on has a domain that is very similar but not the same? Maybe use Levenshtein distance or some kind of visual similarity measurement? The downside is that it would obviously punish a legit website like googie.com but perhaps one can whitelist it if one explicitly enters the URL?
This sounds like a great example for why domain name writing order should be hierarchical. Consider:<p>com.google.accounts/612361/signin/v2/identifier?hl=en&...
com.tinyurl.amp.com.google.accounts/612361/signin/v2/identifier?hl=en&...<p>(And these days, since Google has the .google TLD, they don't even need that "com.")
A solution could be displaying the credibility of the page. For example: age of URL, how many users have been using it, how reputable is the domain, and so on. Even if a bank changes their login URL, the old domain will point to it.<p>The issue with this is that it requires a crawler that determines this. In a way, the existing safe browsing mechanisms already offer the infrastructure.
For one thing, I blocked that foolish kid who tweeted that browsers should warn about "googie.com" (a term that refers to a style of architecture <a href="https://en.wikipedia.org/wiki/Googie_architecture" rel="nofollow">https://en.wikipedia.org/wiki/Googie_architecture</a> ). Knee-jerk responses make things worse.
I think we should have a mechanism to keep a list of "sites that need extra trust". Browsers should warn about all sites whose URL seems to be mimicking them.<p>These would be all the sites on which you think you need an extra amount of trust. Say all sites where you do financial transactions, and ones like gmail which are used for identity verification.
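Putting two ideas from this thread together (a Levenshtein or visual-similarity check against well-known domains from the browser-plugin comment, and a user-maintained list of "sites that need extra trust" from the comment above), here is an added Python sketch that is not from either commenter or from the article. The trusted set, the allowlist for confirmed near-misses like googie.com, and the small confusable table are constructed for the example; treating the last two labels as the registrable domain is a simplification. The same check works unchanged if the trusted set is simply the domains in the user's own history, as other comments propose.

```python
import unicodedata

# Constructed "sites that need extra trust" list (banks, identity providers...).
TRUSTED = {"google.com", "apple.com", "paypal.com", "mybank.example"}
# Constructed allowlist: near-misses the user has explicitly confirmed as legitimate.
ALLOWLIST = {"googie.com"}

# Hand-picked confusable map, a small subset of the Unicode confusables data.
# Multi-character keys come first so "rn" collapses to "m" before single chars.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u03bf": "o", "\u03b1": "a",
}


def decode_label(label: str) -> str:
    """Punycode-decode an 'xn--' label so lookalikes are compared by what they display as."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(domain: str) -> str:
    """Map a domain to its confusable skeleton: two names with the same skeleton
    look alike to a reader even when their code points differ."""
    s = unicodedata.normalize("NFKC", domain.lower())
    for key, rep in CONFUSABLES.items():
        s = s.replace(key, rep)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute) via the rolling-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(host: str, trusted=TRUSTED, allowlist=ALLOWLIST, max_distance: int = 1):
    """Return (verdict, matched_trusted_domain). Verdicts, strongest first:
    'trusted', 'allowlisted', 'lookalike' (same skeleton as a trusted domain),
    'similar' (within max_distance edits of one), 'unknown'."""
    labels = [decode_label(lbl) for lbl in host.rstrip(".").lower().split(".")]
    domain = ".".join(labels[-2:])  # simplification: last two labels = registrable domain
    if domain in trusted:
        return ("trusted", domain)
    if domain in allowlist:
        return ("allowlisted", domain)
    skel = skeleton(domain)
    nearest = None
    for t in sorted(trusted):
        if skel == skeleton(t):
            return ("lookalike", t)
        d = levenshtein(domain, t)
        if d <= max_distance and (nearest is None or d < nearest[0]):
            nearest = (d, t)
    return ("similar", nearest[1]) if nearest else ("unknown", None)


if __name__ == "__main__":
    for h in ["accounts.google.com", "googie.com", "www.xn--80ak6aa92e.com",
              "paypa1.com", "gooogle.com", "example.org"]:
        print(f"{h:28} -> {check_host(h)}")
```

The skeleton comparison catches substitutions a pure edit-distance check scores as "different" (a Cyrillic label decodes to something with distance 5 from apple.com, yet its skeleton is identical), while the distance check catches the plain typo-squats that no confusable table covers; a real extension would also need a proper public-suffix list instead of the two-label rule.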
> I mean what if the world was completely different to what it actually is and people understood visual security indicators?<p>The article is full of tweets by people, including Hunt himself, that use visual security indicators.<p>Note: biased. Worked on a web verification startup for 4 years. Including campaigning for better indicators.
Troy's blog provides good value, the info is easy enough to understand and talks about problems that sometimes slip through the cracks. I would appreciate if he would be more succinct in his articles, but overall he's doing a pretty good job.
Any opinions on re-configuring / modifying workflows "in-flight", and configuration in general? While using JIRA as a developer is generally pleasant when workflows are well configured, configuration of JIRA as a team manager is an absolute pig.
I’m confused. I think Troy has been pretty open about his relationship with 1Password and NordVPN.<p>So, he writes an article about a service related to these companies which helps to solve a real issue.<p>So, why all the hate?
I wish DNS-level domain blocking were a more normal thing to do. So many people are using uBlock these days that blocklists shouldn't sound too advanced. Also it's free, of course.
and now if 1password would only go back to the non-cloud based SaaS subscription version and put the client side "user syncs however they want" version as a first class citizen
I don’t understand why you don’t want to blame the victim. My own father entered his bank password into a random site he received via SMS. The url wasn’t even similar.<p>The only solution to this is to tell users to look at the URL bar and make <i>that</i> work well. If they don’t, you can’t do much.
Good discussion of the issue, but Troy needs to run his blog through a grammar/diction checker.<p>Something key he alluded to but didn't get into is that browsers should remember (a hash of) your history and warn you when you visit a site (like googleblog.com) that you never visited before and isn't known to be owned by the owner of a site you have visited before.