Google Research

Measuring Identity Confusion with Uniform Resource Locators

  • Joshua Reynolds
  • Deepak Kumar
  • Zane Ma
  • Rohan Subramanian
  • Meishan Wu
  • Martin Shelton
  • Joshua Mason
  • Emily Margarete Stark
  • Michael Bailey
CHI 2020 (2020)

Abstract

Despite many successes in combating web identity theft and website impersonation, websites with fraudulent identities continue to harm Internet users. Only the fully qualified domain name in the URL gives users the unfalsifiable identity information they need to make a trust decision. Unfortunately, URLs are complex and users must decide whether to follow them from within browsers, messaging applications, email clients, text message clients, and more. While users are confident in their ability to learn website identity from URLs, we show they are vulnerable to various identity obfuscation techniques—successfully identifying an average of 58% of URLs in our sample set. Incorrect user heuristics and strategies include scanning for familiar names, trusting all https links, and trusting the word “secure”. Based on these findings, we provide recommendations to better bridge the gap between raw URL strings and users.

Learn more about how we do research

We maintain a portfolio of research projects, providing individuals and teams the freedom to emphasize specific types of work