Anti-Phishing Address Bar
-
This caught my attention.
Read the points listed:
https://www.reddit.com/r/sysadmin/comments/9dcuuw/chrome_69_makes_your_organization_less_secure/
This makes sense. I just tested my iPad and this is true. Only the domain is displayed unless you click the address bar.
While Vivaldi does correctly show the green lock (please never stop doing this), and it also shows the address in green on sites like PayPal (again, never stop doing this), I think this can and should be improved.
I think the whole address bar should be green, like browsers did in the past, not just one part, for sites that use those sorts of certificates.
Then I also tested a long URL, and again it's easy to trick Vivaldi users. The domain is completely gone, and you can fake the domain.com in the last part by using subdomains or folders. This is such a stupid trick that malware authors use it all the time. Why not just keep showing the domain even if the URL is extremely long? The same is true for Unicode characters.
The idea to also highlight example.com in a different color or font is also useful.
With just simple visual changes, Vivaldi could advertise over other browsers that it's more secure against phishing. Think about it. Visual changes = Improving Security sounds like a deal breaker for me.
-
@terere Vivaldi has an option Settings > Address Bar > Show Full Address. Also there seems to be a "Safe Browsing" internal project currently under development(?).
-
Apart from that, I have LinkUnshorten in my bookmarks (there is an extension, but unfortunately it does not work very well in Vivaldi). Although not directly related to the subject of this thread, it can be a good security measure to show the URL behind a shortened URL, which is sometimes found.
https://linkunshorten.com/
Pasting the shortened URL, this service not only shows the original URL, but also a thumbnail of the associated page.
A good extension is Dr.Web Anti-Virus Link Checker. It allows scanning a suspicious link from the context menu.
-
Showing only the domain could be a very good step forward.
However, I disagree about the "green security indicators". The web is moving to be Https first. That means that instead of training users to seek out a green bar, we should be training them to avoid a red one.
To put it another way, why bother with the green bar if everything is green. It also gives a false sense of safety.
If every site on the net is Https, including phishing sites, then a user might go to a phishing site, see green and think "this must be safe".
Better would be to just use the domain, as you suggest, and not colour it at all, to force users to look at the domain to decide if a site is safe. I suppose it would be worthwhile using some kind of domain-based trust filter, but the ones I've come across in the past are rather substandard.
You could argue for a special case for EV certificates, but I'm not convinced of the value of them for general users anyway.
-
@greybeard said in Anti-Phishing Address Bar:
@terere Vivaldi has an option Settings > Address Bar > Show Full Address. Also there seems to be a "Safe Browsing" internal project currently under development(?).
That has nothing to do with this. Show Full Address just shows the protocol or hides it, nothing more. You can still fake the URL with massive characters regardless of that.
-
@lonm said in Anti-Phishing Address Bar:
Showing only the domain could be a very good step forward.
However, I disagree about the "green security indicators". The web is moving to be Https first. That means that instead of training users to seek out a green bar, we should be training them to avoid a red one.
To put it another way, why bother with the green bar if everything is green. It also gives a false sense of safety.
If every site on the net is Https, including phishing sites, then a user might go to a phishing site, see green and think "this must be safe".
Better would be to just use the domain, as you suggest, and not colour it at all, to force users to look at the domain to decide if a site is safe. I suppose it would be worthwhile using some kind of domain-based trust filter, but the ones I've come across in the past are rather substandard.
You could argue for a special case for EV certificates, but I'm not convinced of the value of them for general users anyway.
Yes, I'm also inclined to this. Just like Safari does it. It just shows the domain and nothing more. If you want the whole URL just click it.
-
I think some people are confused about what I mean by a long URL or fake URL, so I just created one. It's actually far harder than some people think to spot what the real domain is:
Try to guess the real domain.
Then you can make variants that are so long that the real domain is not even visible in the address bar anymore, in order to hide the real destination. Since people only look at a URL for a second or two, it's extremely easy for them to just proceed, as it takes some mental effort to spot the trick.
-
@terere said in Anti-Phishing Address Bar:
Show Full Address just shows the protocol or hides it, nothing more.
It also hides the parameters after the base address, for example all the search parameters after doing a Google search.
-
The Shodan extension shows full info of the site: IP, owner, city, open ports, etc.
-
In some cases it might not be necessary to hide all the domains. For example, "forum.vivaldi.net".
But you could use a heuristic so that if the domain was very long, or longer than the address bar, maybe you could hide it in those specific instances to only show the domain+tld.
That might be a good middle ground to "ease" users into the concept of focusing more on looking at the actual domain.
-
@lonm said in Anti-Phishing Address Bar:
In some cases it might not be necessary to hide all the domains. For example, "forum.vivaldi.net".
But you could use a heuristic so that if the domain was very long, or longer than the address bar, maybe you could hide it in those specific instances to only show the domain+tld.
That might be a good middle ground to "ease" users into the concept of focusing more on looking at the actual domain.
Yes, that could also work. Maybe also the subdomain but nothing further as then you are just starting to get into the same problems as showing the full URL. The deeper you go the easier it is to trick someone.
Nested subdomains should definitely not show like:
www.subdomain.example.com
I'm not sure if subdomains like:
subdomain.example.com
still pose some risk, because you need to take into account ccTLDs like:
subdomain.example.com.uk
It's not hard to do this; the regex basically checks the valid allowed extensions, so it detects that .com.uk is a TLD, or in that case a ccTLD. One level down is just the domain and another one is a subdomain. Anything else is discarded. I assume Vivaldi already has a list of the valid extensions which it's checking. Most browsers do, and they download it every day. So in that case it should not be a problem, as long as you cannot trick the browser. How robust this anti-phishing approach is depends on how good or bad the browser is at detecting things without being tricked.
If a user clicks on the address bar, or maybe even hovers with the mouse, it then displays the full URL in case you need to copy, edit or see it. For normal human beings that usually never do this, they would just see the domain and nothing more, making browsing extremely safe and secure with Vivaldi against phishing schemes.
I would add that subdomains should still be highlighted in the following form, making the domain bold or maybe a different color. Just to make it more secure in a visual way, and it would also be appealing for those that want to showcase the subdomain as the address to go to.
For example:
subdomain.example.com
Or
subdomain.example.com.uk
-
@ian-coog said in Anti-Phishing Address Bar:
@terere said in Anti-Phishing Address Bar:
Show Full Address just shows the protocol or hides it, nothing more.
it also hides the parameters after the base address, for example all the search parameters after doing a google search.
That is not enough. If you check the example I did before, I never used parameters. You can make fake URLs very hard to spot with just nested subdomains and folders alone. That is still displayed in Vivaldi with the setting unmarked, so the phishing works exactly as designed.
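The display rule proposed earlier in this thread (registrable domain plus at most one subdomain label, found by matching the browser's public-suffix list) applied to the nested-subdomain-and-folder trick described here, as an added example in JavaScript; it is not code from the thread or from Vivaldi, and the suffix set, `registrableDomain`/`addressBarDisplay` names and sample URLs are all constructed for illustration.

```javascript
// Constructed subset of the Public Suffix List. A real browser loads the full,
// regularly refreshed list; the logic below does not change with list size.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk", "org.uk"]);

// Registrable domain (eTLD+1) of a hostname, found by matching the longest
// public suffix. Returns null for IP literals, bare suffixes and single labels.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host.startsWith("[") || /^[\d.]+$/.test(host)) return null; // IP literal
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown TLD: the list's default rule treats the last label as the suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// What the address bar would show for a URL: the registrable domain plus at
// most the one subdomain label next to it. Deeper nesting, path, query and
// fragment are dropped, so a lookalike brand name placed in a leading label or
// in a folder never reaches the display. Unicode hosts come back from the URL
// parser in punycode (xn--), so homoglyph hosts do not resemble the brand.
function addressBarDisplay(url) {
  const host = new URL(url).hostname.replace(/\.$/, "");
  const domain = registrableDomain(host);
  if (domain === null) return { display: host, domain: null, hiddenLabels: 0 };
  const prefix = host.slice(0, host.length - domain.length).split(".").filter(Boolean);
  const sub = prefix.length ? prefix[prefix.length - 1] : null;
  return {
    display: sub ? `${sub}.${domain}` : domain,
    domain,
    hiddenLabels: prefix.length - (sub ? 1 : 0),
  };
}

// Constructed deceptive URL: the brand appears only in leading labels and the path.
const DECEPTIVE = "https://www.paypal.com.login.verify-account.example.net/webscr/paypal.com/signin?id=1";
```

Running `addressBarDisplay(DECEPTIVE)` yields `verify-account.example.net` with four labels hidden, which is the whole point: only `example.net` can be the destination's owner.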
-
Vivaldi has a real opportunity here to innovate in a big way with such a simple design change.
For example. Something like this would not work anymore?
https://twitter.com/musalbas/status/1038919152826757122
Why? Because the full domain would be shown instead of the full URL. This is exactly the sort of thing the address bar can prevent with this. Vivaldi can then advertise the new anti-phishing address bar as a feature.