Short, Clean URIs Are More Secure

There are lots of reasons to use clean, short, readable URIs. Search engines like them. People have some hope of dictating or typing them correctly. Email clients are less likely to mung or truncate them. They give people navigational cues and an extra way to navigate a website. You can even fit them on one billboard (unlike say this one).

One generally ignored advantage is security.

Many phishing, XSS, CSRF and other URI-borne exploits rely at least in part on putting things the user does not understand into the URI.

Here are a few real URIs from popular websites all found inside a minute within 3 clicks of the home page:

Having let people get used to that sort of garbage from sites that they should be able to trust, you can’t really be surprised that normal people can’t tell the difference between an XSS attack hidden in URL encoded JavaScript and a real, valid, safe URI. Even abnormal people who can decode a few common URL encodings in their heads are not really scrolling across the hidden nine tenths of the address bar to look at that lot.

It won’t help everybody. There are always going to be people who are happy to believe that their bank sends them email from a free address like bank.of.amerika@hotmail.com, and sufficiently sophisticated social engineering is always going to work on some people, some of the time, but the sites that are particularly popular with phishing attacks are making it unnecessarily easy.

If commonly used sites had short, sensible URIs it would not take a genius on the part of slightly cynical users to notice that every real bank URI they had seen in the past looked something like https://www.bankofamerica.com/myaccount/login, so the 300-character monstrosity full of percent symbols and ampersands that they were being presented with is a little on the fishy side.
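The heuristic described above (length, percent-encoding, ampersand-separated parameters, and script text hiding behind URL encoding) can be turned into a simple link check for a mail gateway or browser extension. This is an added example, not code from the original post; both sample URIs are constructed, and the thresholds and hostnames are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample URIs (not taken from the post). The clean one follows the
# shape the post holds up as readable; the noisy one mimics the long,
# percent-heavy kind a user cannot sanity-check in the address bar.
CLEAN = "https://www.bankofamerica.com/myaccount/login"
NOISY = ("https://www.example-bank.test/portal/servlet/Login.do?session=ABCDEF0123456789"
         "&redirect=%2Fhome%2Fsummary%3Fview%3Dfull"
         "&q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E")

# Markers of script content once the URI is decoded. '\bon\w+\s*=' catches
# inline event handlers (onload=, onerror=); a query parameter that happens
# to start with "on" is a false positive, so treat this as a hint, not proof.
SCRIPT_MARKERS = re.compile(r"<script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def uri_features(uri):
    """Measure the properties a human would (or would not) notice in the address bar."""
    parts = urlsplit(uri)
    once = unquote(uri)
    twice = unquote(once)  # decode a second time so double-encoded text is visible
    return {
        "length": len(uri),
        "percent_count": uri.count("%"),
        "param_count": len([p for p in parts.query.split("&") if p]),
        "double_encoded": once != twice,
        "script_markers": bool(SCRIPT_MARKERS.search(twice)),
    }


def assess(uri, max_len=100, max_pct=5):
    """Return plain-English reasons the URI looks unlike a clean, readable one (empty if none)."""
    f = uri_features(uri)
    reasons = []
    if f["length"] > max_len:
        reasons.append(f"long ({f['length']} chars)")
    if f["percent_count"] > max_pct:
        reasons.append(f"heavy percent-encoding ({f['percent_count']} escapes)")
    if f["double_encoded"]:
        reasons.append("double-encoded")
    if f["script_markers"]:
        reasons.append("decoded text contains script markers")
    return reasons


if __name__ == "__main__":
    for u in (CLEAN, NOISY):
        print(u[:60], "->", assess(u) or "looks clean")
```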

Now, go and tidy your room.

13 Responses to “Short, Clean URIs Are More Secure”

  1. Some Guy Ranting » Blog Archive » Following the big dogs on web application security Says:

    […] Stupidly long urls The big dogs love long complicated urls. […]

  2. pirater facebook 2013 Says:

    Greetings I am so delighted I found your weblog, I really found you by error, while I was browsing
    on Aol for something else, Anyways I am here now and would just
    like to say thank you for a fantastic post and a
    all round exciting blog (I also love the theme/design),
    I don’t have time to look over it all at
    the moment but I have saved it and also added in
    your RSS feeds, so when I have time I will be back to read much more, Please do
    keep up the excellent work.

  3. cookies by design discounts coupons Says:

    Very nice post. I just stumbled upon your weblog and wanted to say that I have truly enjoyed surfing around
    your blog posts. In any case I will be subscribing in your feed
    and I hope you write again soon!

  4. Network Marketers Wanted Says:

    Good day! This is kind of off topic but I need some advice from an established blog.
    Is it very hard to set up your own blog? I’m not very technical but I can figure things out pretty
    fast. I’m thinking about setting up my own but
    I’m not sure where to begin. Do you have any tips or suggestions?
    Thanks

  5. cure insomnia Says:

    Wow that was unusual. I just wrote an incredibly long comment but after I clicked submit my comment didn’t show up.
    Grrrr… well I’m not writing all that over again. Regardless, just wanted to say superb blog!

    Here is my weblog :: cure insomnia

  6. how to make money from money Says:

    What’s up everybody, here every one is sharing such familiarity, therefore it’s
    pleasant to read this weblog, and I used
    to pay a quick visit this weblog everyday.

    Feel free to surf to my blog :: how to make money from money

  7. http://www.youtube.com/ Says:

    What’s up, of course this article is in fact fastidious and I have learned
    lot of things from it on the topic of blogging. thanks.

  8. ways to improve your credit Says:

    Fantastic goods from you, man. I’ve have in mind your stuff prior
    to and you’re simply too wonderful. I actually like what you have bought here,
    certainly like what you are saying and the best way through which you are
    saying it. You are making it entertaining and you still take care of
    to stay it wise. I can’t wait to read much more
    from you. This is actually a terrific website.

    Feel free to surf to my blog: ways to improve your credit

  9. comparing plumbers Says:

    This piece of writing will assist the internet viewers for building up
    new webpage or even a weblog from start to end.

  10. Lilly Says:

    Most kids will groan at the sight of a plate of vegetables or fruit for a snack, but how
    different their reaction is when they. Grow
    your own tomatoes, lettuce, cucumbers, carrots, spinach.
    You may berate yourself because you didn’t handle the
    situations effectively.

    my web site … get back together poems, Lilly,

  11. memorias usb, power bank Says:

    This is a really good tip especially to those fresh to the blogosphere.
    Short but very accurate info… Thank you for sharing this one.
    A must read post!

  12. most prestigious Credit Cards Says:

    Stunning quest there. What occurred after? Good luck!

    Here is my web-site: most prestigious Credit Cards

  13. Blair Says:

    You can correspond with them and find out if they can ship the required model to your place.
    Course 3 ‘ This course covers elementary fire fighting
    and fire prevention. The cost may seem higher than regular villa stay or a hotel but the stay is worth it.

    My web-site … private yacht athens car rental greece [Blair]
