URL Reading

This is the second post about Cormac Herley’s paper called “So Long And No Thanks For The Externalities”, which highlights the cost to users of security advice.

He focusses on 3 areas of advice-giving: Password Rules, URL Reading (to avoid phishing) and Certificate Errors. This blogpost is about URL Reading.

His point is that teaching users to read URLs for protection from phishing is a lost cause. And I think he’s probably right. There is no way we can provide simple, reliable advice in this area – URL syntax is complex enough that anything simple isn’t reliable, and what’s reliable isn’t simple. We need a way to securely replace URLs with a human-readable, unambiguous, verifiable site or business identifier. And that’s exactly what EV certificates are.

So stay tuned for tomorrow’s installment on Certificate Errors, where he has something to say about those :-)
