
I don't see the outrage here. Using heuristics to determine the likelihood of a URL being fake sounds like a good idea as long as it's weighted against false positives.

That said, I've never understood why browsers do not highlight the hostname separately from the path. Many phishing domains are of the form: google.com.auth.something.else.realistic.looking.tk/fake-path-stuff and are so long that the user just sees google.com and moves on. Something as simple as underlining the hostname or making the path a slightly lighter hue would be a huge usability improvement in being able to stop phished hosts.



Firefox does highlight the registered domain "looking.tk" in white font, and the rest of the URL is colored gray ("google.com.auth.something.else.realistic.looking.tk" and path).


I've long been curious how exactly they determine the "registered domain", and your comment made me finally look for the answer. It looks like they use (and semi-manually maintain) a list of "effective TLDs": https://www.publicsuffix.org/

The maintenance process is described here: https://github.com/publicsuffix/list/wiki/Guidelines
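
The effective-TLD lookup described in the comment above, as an added example that is not part of the original thread and is not Firefox's code: a simplified JavaScript version of Public Suffix List matching (longest rule wins, `*` wildcards, `!` exceptions) applied to the hostnames quoted in this thread. `RULES` is a small constructed subset of rules, and `splitHost` and the other function names are assumptions made for the illustration.

```javascript
// Added example: simplified Public Suffix List matching, not browser code.
// RULES is a small constructed subset in PSL syntax; the real list is far larger.
const RULES = ["com", "tk", "uk", "co.uk", "*.ck", "!www.ck"];

// Rule and host labels are both reversed (TLD first); "*" matches any one label.
function ruleMatches(ruleLabels, hostLabels) {
  if (ruleLabels.length > hostLabels.length) return false;
  return ruleLabels.every((l, i) => l === "*" || l === hostLabels[i]);
}

// Number of labels in the host's public suffix.
function publicSuffixLength(hostLabels) {
  let best = 1; // implicit default rule "*": the last label alone is a suffix
  for (const raw of RULES) {
    const exception = raw.startsWith("!");
    const ruleLabels = (exception ? raw.slice(1) : raw).split(".").reverse();
    if (!ruleMatches(ruleLabels, hostLabels)) continue;
    // An exception rule wins outright: the suffix is the rule minus its leftmost label.
    if (exception) return ruleLabels.length - 1;
    best = Math.max(best, ruleLabels.length); // otherwise the longest rule wins
  }
  return best;
}

// Split a URL's host into the registrable domain (public suffix plus one label)
// and the attacker-controllable subdomain part in front of it.
function splitHost(url) {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.includes(":")) {
    return { host, subdomain: "", registrable: null }; // IP literal: no registrable domain
  }
  const labels = host.split(".");
  const suffixLen = publicSuffixLength([...labels].reverse());
  if (labels.length <= suffixLen) {
    return { host, subdomain: "", registrable: null }; // host is itself a public suffix
  }
  const cut = labels.length - (suffixLen + 1);
  return {
    host,
    subdomain: labels.slice(0, cut).join("."),
    registrable: labels.slice(cut).join("."),
  };
}

// The two hostnames quoted in this thread.
for (const u of ["http://google.com.auth.something.else.realistic.looking.tk/fake-path-stuff",
                 "http://google.com.gmail.inbox.totallynotgoogle.com"]) {
  console.log(splitHost(u));
}
```
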


For me it is black for the domain vs. dark grey for the rest (FF65). I actually never noticed this before, nice!


I think it's dependent upon your theme. For example, with a dark theme it is like so: https://i.imgur.com/bwsyhjN.png


Oh of course! Much more pronounced there.


Chrome does this as well. news.ycombinator.com is in black and the rest of the URL is more grey.


This isn't sufficient, as it highlights the sub-domain, which is the main trick scammers are using. For example: http://google.com.gmail.inbox.totallynotgoogle.com



