Measuring Identity Confusion with Uniform Resource Locators

Reynolds, J. K.; Kumar, Deepak; Ma, Zane; Subramanian, Rohan; Wu, Minna; Shelton, Martin; Mason, Joshua; Stark, Emily; Bailey, Michael

doi:10.1145/3313831.3376298

Cited by 22 publications

(17 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An attacker could use such animated URL transitions to obscure the redirections. Finally, Chrome is currently experimenting with hiding the full URL in the address bar and only showing the domain [4] as a way to combat phishing attacks [68]. If Chrome or other browsers permanently adopt this feature where only the main domain is shown by default, our attack will be completely invisible to users as it leverages redirections within the same domain.…”

Section: Discussionmentioning

confidence: 99%

Tales of Favicons and Caches: Persistent Tracking in Modern Browsers

Σολωμός¹,

Kristoff²,

Kanich³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Statement from the NDSS 2021 Program Committee: NDSS is devoted to ethical principles and encourages the research community to ensure its work protects the privacy, security, and safety of users and others involved. While the NDSS 2021 PC appreciated the technical contributions of this paper, it was the subject of a debate in our community regarding the responsible disclosure of vulnerabilities for the Firefox web browser. The PC examined and discussed the ethics concerns raised and the authors' response. Although no harm came to users, the authors' oversight could have made a non-vulnerable browser vulnerable to the attack proposed in the paper. The PC does not believe the authors acted in bad faith. Nevertheless, we decided to add this note as well as the authors' response (in an Appendix) to the paper because the NDSS PC takes both the ethics of responsible disclosure and fairness towards the authors seriously. It is the PC's view that researchers must not engage in disclosure practices that subject users to an appreciable risk of substantial harm. NDSS will work with other conferences to further improve the transparency of vulnerability disclosure to reduce such errors in the future.

show abstract

Section: Discussionmentioning

confidence: 99%

Tales of Favicons and Caches: Persistent Tracking in Modern Browsers

Σολωμός¹,

Kristoff²,

Kanich³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…For example, Albakry et al [2] found that users cannot differentiate between a company name in the subdomain vs. the domain of a URL. Similarly, Reynolds et al [69] found that users struggle to correctly parse URLs, but have high self-confidence in their ability to interpret URLs. A dangerous combination that helps attackers.…”

Section: Mouse Over the Link And Look At The Urlmentioning

confidence: 98%

“…Even skilled security experts have difficulties with this kind of deception [17,24]. For example, in socalled homograph attacks English characters are substituted with identical looking UTF8-encoded characters from different alphabets such as páypal.com and paypal.com [22,25,69]. Another example of a look alike attack is misspelling (typosquatting).…”

Section: Mouse Over the Link And Look At The Urlmentioning

confidence: 99%

“…Another example of a look alike attack is misspelling (typosquatting). A classic example is substituting characters like 'vv' for 'w' or capital 'I' for lowercase 'L' which look identical with a sans-serif font [69,76]. These two types of look alike attacks, while dangerous, are very popular and hard to detect by current industry anti-phishing tools [65,77].…”

Section: Mouse Over the Link And Look At The Urlmentioning

confidence: 99%

“…In this condition, we showed the full URL with the domain highlighted and asked participants if the URL leads to the given company name. Existing research already shows that users cannot read URLs unaided [2,4,6,69]. Domain highlighting has already been adopted by several browsers, e.g.…”

Section: Domain Highlightingmentioning

confidence: 99%

See 2 more Smart Citations

I Don’t Need an Expert! Making URL Phishing Features Human Comprehensible

Althobaiti

Meng

Vaniea

2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Judging the safety of a URL is something that even security experts struggle to do accurately without additional information. In this work, we aim to make experts' tools accessible to non-experts and assist general users in judging the safety of URLs by providing them with a usable report based on the information professionals use. We designed the report by iterating with 8 focus groups made up of end users, HCI experts, and security experts to ensure that the report was usable as well as accurately interpreted the information. We also conducted an online evaluation with 153 participants to compare different report-length options. We find that the longer comprehensive report allows users to accurately judge URL safety (93% accurate) and that summaries still provide benefit (83% accurate) compared to domain highlighting (65% accurate).

show abstract

Principles of Remote Sattestation

Syverson

2021

Protocols, Strands, and Logic

View full text Add to dashboard Cite

Measuring Identity Confusion with Uniform Resource Locators

Cited by 22 publications

References 26 publications

Tales of Favicons and Caches: Persistent Tracking in Modern Browsers

Tales of Favicons and Caches: Persistent Tracking in Modern Browsers

I Don’t Need an Expert! Making URL Phishing Features Human Comprehensible

Principles of Remote Sattestation

Contact Info

Product

Resources

About