Measuring Identity Confusion with Uniform Resource Locators

Joshua Reynolds; Deepak Kumar; Zane Ma; Rohan Subramanian; Meishan Wu; Martin Shelton; Joshua Mason; Emily Stark; Michael Bailey

doi:10.1145/3313831.3376298

Measuring Identity Confusion with Uniform Resource Locators

Joshua Reynolds, Deepak Kumar, Zane Ma, Rohan Subramanian, Meishan Wu, Martin Shelton, Joshua Mason, Emily Stark, Michael Bailey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Uniform Resource Locators (URLs) unambiguously specify host identity on the web. URLs are syntactically complex, and although software can accurately parse identity from URLs, users are frequently exposed to URLs and expected to do the same. Unfortunately, incorrect assessment of identity from a URL can expose users to attacks, such as typosquatting and phishing. Our work studies how well users can correctly determine the host identity of real URLs from common services and obfuscated "look-alike" URLs. We observe that participants employ a wide range of URL parsing strategies, and can identify real URLs 93% of time. However, only 40% of obfuscated URLs were identified correctly. These mistakes highlighted several ways in which URLs were confusing to users and why their existing URL parsing strategies fall short. We conclude with future research directions for reliably conveying website identity to users.

Original language	English (US)
Title of host publication	CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems
Publisher	Association for Computing Machinery
ISBN (Electronic)	9781450367080
DOIs	https://doi.org/10.1145/3313831.3376298
State	Published - Apr 21 2020
Event	2020 ACM CHI Conference on Human Factors in Computing Systems, CHI 2020 - Honolulu, United States Duration: Apr 25 2020 → Apr 30 2020

Publication series

Name	Conference on Human Factors in Computing Systems - Proceedings

Conference

Conference	2020 ACM CHI Conference on Human Factors in Computing Systems, CHI 2020
Country/Territory	United States
City	Honolulu
Period	4/25/20 → 4/30/20

Keywords

authentication, url readability
phishing
server identity
url
usable security

ASJC Scopus subject areas

Computer Graphics and Computer-Aided Design
Human-Computer Interaction
Software

Online availability

10.1145/3313831.3376298

Library availability

Discover UIUC Full Text

Cite this

Reynolds, J., Kumar, D., Ma, Z., Subramanian, R., Wu, M., Shelton, M., Mason, J., Stark, E., & Bailey, M. (2020). Measuring Identity Confusion with Uniform Resource Locators. In CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems Article 3376298 (Conference on Human Factors in Computing Systems - Proceedings). Association for Computing Machinery. https://doi.org/10.1145/3313831.3376298

Measuring Identity Confusion with Uniform Resource Locators. / Reynolds, Joshua; Kumar, Deepak; Ma, Zane et al.
CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, 2020. 3376298 (Conference on Human Factors in Computing Systems - Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Reynolds, J, Kumar, D, Ma, Z, Subramanian, R, Wu, M, Shelton, M, Mason, J, Stark, E & Bailey, M 2020, Measuring Identity Confusion with Uniform Resource Locators. in CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems., 3376298, Conference on Human Factors in Computing Systems - Proceedings, Association for Computing Machinery, 2020 ACM CHI Conference on Human Factors in Computing Systems, CHI 2020, Honolulu, United States, 4/25/20. https://doi.org/10.1145/3313831.3376298

@inproceedings{9bcdc9eb66c64a12a413657e618a93e4,

title = "Measuring Identity Confusion with Uniform Resource Locators",

abstract = "Uniform Resource Locators (URLs) unambiguously specify host identity on the web. URLs are syntactically complex, and although software can accurately parse identity from URLs, users are frequently exposed to URLs and expected to do the same. Unfortunately, incorrect assessment of identity from a URL can expose users to attacks, such as typosquatting and phishing. Our work studies how well users can correctly determine the host identity of real URLs from common services and obfuscated {"}look-alike{"} URLs. We observe that participants employ a wide range of URL parsing strategies, and can identify real URLs 93% of time. However, only 40% of obfuscated URLs were identified correctly. These mistakes highlighted several ways in which URLs were confusing to users and why their existing URL parsing strategies fall short. We conclude with future research directions for reliably conveying website identity to users.",

keywords = "authentication, url readability, phishing, server identity, url, usable security",

author = "Joshua Reynolds and Deepak Kumar and Zane Ma and Rohan Subramanian and Meishan Wu and Martin Shelton and Joshua Mason and Emily Stark and Michael Bailey",

note = "Funding Information: We would like to acknowledge the contributions of our anonymous shepherds in guiding the presentation of this work, as well as our anonymous reviewers. This work was partially supported by the National Science Foundation (NSF) under grant CNS-1518741. Joshua Reynolds was partially supported by a State Farm Doctoral Fellowship. We would also like to thank Nathan Malkin. Publisher Copyright: {\textcopyright} 2020 Owner/Author.; 2020 ACM CHI Conference on Human Factors in Computing Systems, CHI 2020 ; Conference date: 25-04-2020 Through 30-04-2020",

year = "2020",

month = apr,

day = "21",

doi = "10.1145/3313831.3376298",

language = "English (US)",

series = "Conference on Human Factors in Computing Systems - Proceedings",

publisher = "Association for Computing Machinery",

booktitle = "CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems",

address = "United States",

}

TY - GEN

T1 - Measuring Identity Confusion with Uniform Resource Locators

AU - Reynolds, Joshua

AU - Kumar, Deepak

AU - Ma, Zane

AU - Subramanian, Rohan

AU - Wu, Meishan

AU - Shelton, Martin

AU - Mason, Joshua

AU - Stark, Emily

AU - Bailey, Michael

N1 - Funding Information: We would like to acknowledge the contributions of our anonymous shepherds in guiding the presentation of this work, as well as our anonymous reviewers. This work was partially supported by the National Science Foundation (NSF) under grant CNS-1518741. Joshua Reynolds was partially supported by a State Farm Doctoral Fellowship. We would also like to thank Nathan Malkin. Publisher Copyright: © 2020 Owner/Author.

PY - 2020/4/21

Y1 - 2020/4/21

N2 - Uniform Resource Locators (URLs) unambiguously specify host identity on the web. URLs are syntactically complex, and although software can accurately parse identity from URLs, users are frequently exposed to URLs and expected to do the same. Unfortunately, incorrect assessment of identity from a URL can expose users to attacks, such as typosquatting and phishing. Our work studies how well users can correctly determine the host identity of real URLs from common services and obfuscated "look-alike" URLs. We observe that participants employ a wide range of URL parsing strategies, and can identify real URLs 93% of time. However, only 40% of obfuscated URLs were identified correctly. These mistakes highlighted several ways in which URLs were confusing to users and why their existing URL parsing strategies fall short. We conclude with future research directions for reliably conveying website identity to users.

AB - Uniform Resource Locators (URLs) unambiguously specify host identity on the web. URLs are syntactically complex, and although software can accurately parse identity from URLs, users are frequently exposed to URLs and expected to do the same. Unfortunately, incorrect assessment of identity from a URL can expose users to attacks, such as typosquatting and phishing. Our work studies how well users can correctly determine the host identity of real URLs from common services and obfuscated "look-alike" URLs. We observe that participants employ a wide range of URL parsing strategies, and can identify real URLs 93% of time. However, only 40% of obfuscated URLs were identified correctly. These mistakes highlighted several ways in which URLs were confusing to users and why their existing URL parsing strategies fall short. We conclude with future research directions for reliably conveying website identity to users.

KW - authentication, url readability

KW - phishing

KW - server identity

KW - url

KW - usable security

UR - http://www.scopus.com/inward/record.url?scp=85091274261&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85091274261&partnerID=8YFLogxK

U2 - 10.1145/3313831.3376298

DO - 10.1145/3313831.3376298

M3 - Conference contribution

AN - SCOPUS:85091274261

T3 - Conference on Human Factors in Computing Systems - Proceedings

BT - CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

PB - Association for Computing Machinery

T2 - 2020 ACM CHI Conference on Human Factors in Computing Systems, CHI 2020

Y2 - 25 April 2020 through 30 April 2020

ER -

Measuring Identity Confusion with Uniform Resource Locators

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this