Archive for the 'Google' Category

Short, Clean URIs Are More Secure

Tuesday, July 31st, 2007

There are lots of reasons to use clean, short, readable URIs. Search engines like them. People have some hope of dictating or typing them correctly. Email clients are less likely to mung or truncate them. They give people navigational cues and an extra way to navigate a website. You can even fit them on one billboard (unlike say this one).

One generally ignored advantage is security.

Many phishing, XSS, CSRF and all URI exploits rely at least in part in part on putting stuff the user does not understand in the URI.

Here are a few real URIs from popular websites all found inside a minute within 3 clicks of the home page:

Having let people get used to that sort of garbage from sites that they should be able to trust, you can’t really be surprised that normal people can’t tell the difference between an XSS attack hidden in URL encoded JavaScript and a real, valid, safe URI. Even abnormal people who can decode a few common URL encodings in their heads are not really scrolling across the hidden nine tenths of the address bar to look at that lot.

It won’t help everybody. There are always going to be people who are happy to believe that their bank sends them email from a free address like bank.of.amerika@hotmail.com, and sufficiently sophisticated social engineering is always going to work on some people, some of the time, but the sites that are particularly popular with phishing attacks are making it unnecessarily easy.

If commonly used sites had short, sensible URIs it would not take genius on the part of slightly cynical users to notice that every real bank URI they had seen in the past looked something like https://www.bankofamerica.com/myaccount/login so the 300 character monstrosity full of percent symbols and ampersands that they were being presented with is a little on the fishy side.

Now, go and tidy your room.