Anti-Phishing: Replace address bar with domain only

Wed, 14 Feb 2007 15:50:20 -0800 

beltzner wrote:

Have you seen LocationBar^2
(https://addons.mozilla.org/firefox/4014/)? I'm considering something
a lot like that for Firefox 3 ...



OK, it doesn't fit in this thread, but since you mention that, I'll just 
shortly tell you my ideas:



I still think that showing *only* the second level domain - *not* as 
part of the URL, which is technical glibberish for most people - is - 
next to bookmarks - the best approach against phishing, even though a 
dramatic change in browser UI. I *don't* think that just bolding the URL 
is enough.


I once implemented that as experiment in
https://bugzilla.mozilla.org/show_bug.cgi?id=228524
see screenshots there.


I am thinking along the lines of (slightly different from the 
screenshots above):


   * Show domain very prominently in the middle of the urlbar, so that
     even a normal user can't miss it. Not as textfield, but
     non-editable, selectable, bold label.
   * Show the EV cert holder, if available, next to the domain. No
     other special treatment of EV.
   * Keep search field
   * Remove the urlbar, to avoid clutter. Only in default config, it
     will still be available in the toolbar customization.
   * Put an "open" button to the left of the domain field. Clicking on
     it shows the current URL in a textfield (either in dialog url
     toolbar), in a way so that the user can easily either edit the URL
     or enter a new one.


There are 2 problems with that approach:

   * It will make tech guys freak out, they want to see the URL at all
     times, but they can customize their toolbar. There is no practical
     problem, because clicking on "Open" button and starting to type
     takes exactly as many clicks as clicking on urlbar and starting to
     type.
   * It will confuse people who want to go to a site by entering the
     domain. They'll probably start entering URLs in the search field,
     which is not what we want. Trying to recognize the URL/domain may
     or may not be always possible, and turns the field a dual-purpose
     field which is generally a very, very bad idea for usability and code.


--
When responding via mail, please remove the ".news" from the email address.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security























					Reply via email to