Explaining URLs is Surprisingly Hard
I listened to a moderately interesting Security Now episode from a couple of weeks ago. The topic was explaining security best practices to non-technical people. Specifically, how can you tell whether a URL is safe to click on? Turns out parsing URLs is a surprisingly hard problem that nerds completely take for granted.
Try explaining the following rules about clicking links to your grandma:
- www.paypal.com (that one is good)
- www.paypal.ru (bad, see the TLD is .ru and not .com?)
- www.paypal.co.uk (good, oh yeah, .co.uk is sometimes good)
- www.paypal.com.evil.com (see the evil.com is at the end? you need to read URLs from right to left)
- www.evil.com/paypal.com (well, except in this case)
- www.paypa1.com (bad, but very hard to see)
- <a href="evil.com">www.paypal.com</a> (bad, can’t you see the URL in the chrome when you mouse over?)
It’s so intuitive for techies to see the good and bad URLs but there’s just no simple set of rules for explaining it. I guess you could forward them the RFC…
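As an added example (not from the original post), here is the "read the URL from right to left" rule as Python: pull out the host, walk its labels from the right past the public suffix to get the registrable domain, and compare that against a trusted set. It also does a crude look-alike check and the link-text-versus-href check. The tiny suffix table and the confusables table are assumptions; a real check would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (assumption: the real list is
# thousands of entries; this covers only the TLDs used in the post).
PUBLIC_SUFFIXES = {"com", "ru", "uk", "co.uk"}

# Constructed look-alike table for a crude homograph check (paypa1 -> paypal).
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})

# Assumed allow-list of domains the reader actually trusts.
TRUSTED = frozenset({"paypal.com", "paypal.co.uk"})


def hostname(url: str) -> str:
    """Return the lowercase host of a URL, tolerating a missing scheme.
    Everything after the first '/' is path, so www.evil.com/paypal.com
    yields www.evil.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Read labels right to left: the registrable domain is the longest
    public suffix plus the single label to its left.
    www.paypal.com.evil.com -> evil.com, www.paypal.co.uk -> paypal.co.uk."""
    labels = host.split(".")
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate not in PUBLIC_SUFFIXES:
            return candidate
    return host


def classify(url: str, trusted=TRUSTED) -> str:
    """'good' if the registrable domain is trusted, 'lookalike' if it only
    matches after confusable substitution, otherwise 'bad'."""
    domain = registrable_domain(hostname(url))
    if domain in trusted:
        return "good"
    if domain.translate(CONFUSABLES) in trusted:
        return "lookalike"
    return "bad"


def link_is_misleading(text: str, href: str) -> bool:
    """True when visible link text names a different registrable domain
    than the href it actually points at (the <a href="evil.com"> case)."""
    return registrable_domain(hostname(text)) != registrable_domain(hostname(href))
```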
This is a good exercise to perform once in a while. We techies get so wrapped up in our own little world that we sometimes forget other people might not know about the stuff we consider simple. This is a prime example.