Measuring Identity Confusion with Uniform Resource Locators
Abstract
Despite many successes in combating web identity theft and website impersonation, websites with fraudulent identities continue to harm Internet users. Only the fully qualified domain name in the URL gives users the unfalsifiable identity information they need to make a trust decision. Unfortunately, URLs are complex and users must decide whether to follow them from within browsers, messaging applications, email clients, text message clients, and more. While users are confident in their ability to learn website identity from URLs, we show they are vulnerable to various identity obfuscation techniques—successfully identifying an average of 58% of URLs in our sample set. Incorrect user heuristics and strategies include scanning for familiar names, trusting all https links, and trusting the word “secure”. Based on these findings, we provide recommendations to better bridge the gap between raw URL strings and users.
