"It's great for security, therefore we should do it."

One of the most secure places to live in is a prison. Is that really the direction we want software to go in? I can't help but be reminded of that infamous quote: "Those who give up freedom for security deserve neither."

As for this hiding of the URL, I'm not so convinced it'll help the situation any better. From the article itself: "To the average user, the URL is noise." In other words, if you assume that they already can't understand URLs/aren't bothering to, then what's to say they'd be able to notice the difference between a real URL and a phishing URL in those examples? To this average user, one is shorter, the other is a little longer. "The page looks real, that bunch of stuff up there I don't normally pay attention to anyway, so I wouldn't mind if it changed length." The one with the EV cert vs regular HTTPS is more obvious to me too since it's a different colour, but once again if you "assume illiteracy", anything could happen.

The other aspect of this is that it's only protecting "cross-domain" phishing; this is probably the majority of cases, but consider the situation where the real login page is at somehost.com/site1 while someone is trying to phish and creates another account at somehost.com/site2. Now hiding the path to "prevent phishing" has the completely opposite effect! You could argue that this is an edge case, but it still seems to be an awfully discriminatory practice to me; I personally have password-protected accounts on various servers where the login is located at somehost.com/~myusername, and a phisherman with somehost.com/~otheruser could do this quite easily with hidden URL paths.

The real solution to preventing phishing? Education. Educate the users. Empower them with the knowledge to understand what URLs are and how they relate to where they are on the Internet. We should not continue to keep them ignorant, as they will become even more so, and that will have negative effects on the future of the Web and continue to propagate the notion that computers are "impossibly difficult to understand". I have worked with people who are otherwise very intelligent and sensible, but whose brains appear to completely leave their skull the moment they need to use a computer; and I feel that this attitude may be partly responsible for that.
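The same-host argument in the comment above, as an added illustration that is not part of the original post or the article it discusses: an address bar that shows only the origin turns distinct paths on one host into one indistinguishable string, while still separating a lookalike host. All hostnames and paths below are constructed placeholders.

```javascript
// Added example: simulate two address-bar policies and report which distinct
// URLs the user could no longer tell apart under each.

// Path-hiding display: scheme + host (+ port), nothing after it.
function originOnlyDisplay(urlString) {
  return new URL(urlString).origin;            // e.g. "https://somehost.com"
}

// Full display: origin plus path (fragment and query dropped for brevity).
function fullDisplay(urlString) {
  const u = new URL(urlString);
  return u.origin + u.pathname;
}

// Group URLs by what the chosen display policy would show; return only the
// groups where more than one distinct URL maps to the same shown string.
function findCollisions(urls, displayFn) {
  const byShown = new Map();
  for (const url of urls) {
    const shown = displayFn(url);
    if (!byShown.has(shown)) byShown.set(shown, new Set());
    byShown.get(shown).add(fullDisplay(url));
  }
  const collisions = {};
  for (const [shown, distinct] of byShown) {
    if (distinct.size > 1) collisions[shown] = [...distinct].sort();
  }
  return collisions;
}

// Constructed sample: one host with several accounts, plus a lookalike host.
const SAMPLE_URLS = [
  'https://somehost.com/site1/login',            // the genuine login page
  'https://somehost.com/site2/login',            // another account, same host
  'https://somehost.com/~myusername/login',
  'https://somehost.com/~otheruser/login',
  'https://somehost.com.example.net/site1/login', // different origin entirely
];

// With the full URL shown, nothing collides; with origin-only display the four
// somehost.com entries collapse into one string, while the lookalike host stays
// visibly different (the cross-domain case the hiding is meant to help with).
```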