Where Am I?
July 3, 2020

Take a look at the screenshot below from Safari for iOS. What website am I on? Based on the contents of the page, I'm clearly on a NYTimes property, but based on the address bar I'm clearly on google.com. If I tap the address bar I see https://www.google.com/amp/s/www.nytimes.com/2020/05/22/technology/google-antitrust.amp.html.

Confused, I consult Google's Safebrowsing FAQ, which says:

“How can I tell if a page is a fake? The best thing to do is to check the page's URL to make sure it's actually controlled by the party it appears to be controlled by. The crucial part of the URL is the part between the http:// and the next slash (‘/’). (If there's no slash, start at the end of the URL.) This is the part of the URL that determines site ownership. Some popular domains, for instance, are amazon, google, and ebay:

http://www.amazon.com
http://www.google.com
http://www.ebay.com

In some cases, URLs will be a bit more complex; be sure to check the name listed immediately to the left of the top level domain (.com, .net, .co.uk, etc.). For instance, http://www.google.com, http://news.google.com and http://www.google.com/firefox/ are all part of the same site. However, google.com.fraudulentdomain.com/login.html is NOT! Neither is www.g00gle.com (note that in this URL, the letter o is replaced by the number 0).”

Applying that rule, I determine I'm on https://www.google.com, but the confusion remains, since this is genuinely NYTimes content and branding. This is a really dangerous pattern: Google serves NYTimes-controlled content on a Google domain. It leaves the user unsure whether to trust the address in the URL bar or the content of the page. This confusion is precisely why phishing attempts work so well: humans place a lot of trust in visual indicators. Google, with the AMP Cache project, is confusing humans further and training them to trust the visual content of the page over the URL in the address bar.
This surprises me, since Google spends a lot of time researching visual indicators of security in the address bar (like the padlock icon). In workplace security training and in guides on the Internet we are taught to look at the URL bar to help decide whether to trust a site, but the Google AMP Cache requires the opposite assumption. Comments on the post can be viewed here: https://news.ycombinator.com/item?id=23729160.
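To make the FAQ's ownership rule concrete, here is an added example (not code from the original post) that applies the "name immediately left of the top-level domain" rule to the URLs above, and separately recognises the google.com/amp/ cache layout so that the publisher whose content is actually rendered can be reported next to the site that controls the URL. The suffix list and the function names are assumptions for illustration; real code would consult the Public Suffix List.

```javascript
// Added example (not from the original post): apply the Safebrowsing FAQ's
// "name immediately left of the top-level domain" rule, then separately
// recognise the google.com/amp/ cache layout so the publisher whose content
// is actually shown can be named next to the site that controls the URL.
// PUBLIC_SUFFIXES is a deliberately tiny stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = ["co.uk", "com", "net", "org"];

// Registrable domain of a URL: the label immediately left of a public suffix.
function controllingSite(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  const labels = host.split(".");
  for (const suffix of PUBLIC_SUFFIXES) {
    const n = suffix.split(".").length;
    if (labels.length > n && labels.slice(-n).join(".") === suffix) {
      return labels.slice(-(n + 1)).join(".");
    }
  }
  return host; // unknown suffix: fall back to the whole hostname
}

// Google AMP cache layout: https://www.google.com/amp/[s/]<publisher host>/<path>
// where "s/" marks an https origin. Everything after /amp/ is publisher content.
function ampCacheOrigin(urlString) {
  if (controllingSite(urlString) !== "google.com") return null;
  const m = new URL(urlString).pathname.match(/^\/amp\/(s\/)?([^/]+)(\/.*)?$/);
  if (!m) return null;
  return { scheme: m[1] ? "https" : "http", publisher: m[2], path: m[3] || "/" };
}

// One-line summary a user could act on: who controls the address bar and,
// for a cached AMP page, whose content is being rendered under it.
function describe(urlString) {
  const site = controllingSite(urlString);
  const amp = ampCacheOrigin(urlString);
  if (!amp) return `URL controlled by ${site}`;
  const publisher = controllingSite(`${amp.scheme}://${amp.publisher}${amp.path}`);
  return `URL controlled by ${site}; page content published by ${publisher}`;
}

// The URL from the post, plus two of the FAQ's own examples.
for (const u of [
  "https://www.google.com/amp/s/www.nytimes.com/2020/05/22/technology/google-antitrust.amp.html",
  "http://news.google.com",
  "http://google.com.fraudulentdomain.com/login.html",
]) {
  console.log(describe(u));
}
```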
This article first appeared on theinternetbytes.com.