Formalize the statement regarding users not relying on information within URL strings for establishing context (or security context)

See also: ACTION-6

Similar to the HTML page it identifies, a URL is itself content under the control of the host server. Like HTML, there are some restrictions on the overall form and syntax of the URL; however, within these bounds the content provider has significant freedom to craft a URL that communicates the content provider's message. This feature can be used to significant advantage by both legitimate content providers and phishers.

The rules governing the meaning of a URL are complex and offer many of the same opportunities for confusion that a certificate chain does. For example, the WG has previously noted that the meaning of a multi-level chain of certificates is not clear for many users. Similarly, the meaning of a multi-level domain name, such as foo.bar.baz.qux.com, is also not clear for many users. For some users, it is also not clear that although there are some restrictions on the hostname component of the URL, there are no restrictions on the content of other parts of the URL.
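The distinction between the hostname and the rest of the URL can be checked mechanically. The following is an added example, not part of the original note: it parses a URL with the WHATWG `URL` class and reports which components contain a name the user expects, and whether the hostname (the only component that selects the server) actually belongs to it. The function names, the suffix-matching rule and the sample URLs under `.example` and `.test` are assumptions constructed for illustration.

```javascript
// Added example: which URL component actually identifies the server?
// All names and sample URLs here are constructed for illustration.

// Percent-decode without throwing on malformed escape sequences.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// True when `host` is `trusted` itself or a subdomain of it.
// Assumption: `trusted` is a full registrable domain supplied by the caller;
// a real implementation would consult the Public Suffix List.
function hostMatches(host, trusted) {
  return host === trusted || host.endsWith("." + trusted);
}

// Report every component in which the trusted name appears, and whether
// the URL is misleading: the name is visible but the host is someone else's.
function locateTrustedName(rawUrl, trusted) {
  const url = new URL(rawUrl);
  const name = trusted.toLowerCase();
  const parts = {
    userinfo: safeDecode(url.username + ":" + url.password),
    hostname: url.hostname,
    path: safeDecode(url.pathname),
    query: safeDecode(url.search),
    fragment: safeDecode(url.hash),
  };
  const appearsIn = Object.entries(parts)
    .filter(([, value]) => value.toLowerCase().includes(name))
    .map(([key]) => key);
  const hostIsTrusted = hostMatches(url.hostname.toLowerCase(), name);
  return {
    hostname: url.hostname,
    appearsIn,
    hostIsTrusted,
    misleading: !hostIsTrusted && appearsIn.length > 0,
  };
}

// Constructed samples: the trusted name is present in all four URLs,
// but only the first is served by the trusted host.
const samples = [
  "https://www.bank.example/login",
  "https://bank.example.login.other.test/",
  "https://bank.example@other.test/",
  "https://other.test/bank.example/login?site=bank.example",
];
for (const s of samples) console.log(s, locateTrustedName(s, "bank.example"));
```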

The URL is too complex a protocol artifact to be directly understood by users. The WG has been considering the general principle that the browser should not ask the user to do things that the user is not capable of doing. In that same vein, I think the WG should recommend that the browser not present the page URL as if it were content that can be accurately vetted by the user. Multiple studies (Why Phishing Works) have demonstrated that even an experienced user who has been alerted to the possibility of fraud is unable to reliably perform this vetting task. The content of a URL can be just as deceptive as the content of a web page, and so is not a usable display of security context information.

The Firefox project is also independently investigating changes to the display of the URL in the browser; see: location2.