Emily Stark, Google
In a security professional’s ideal world, every web user would carefully inspect their browser’s URL bar on every page they visit, verifying that they are accessing the site they intend to be accessing. In reality, many users rarely notice the URL bar and don’t know how to interpret the URL to verify a website’s identity. An evil URL may even be carefully designed to be indistinguishable from a legitimate one, such that even an expert couldn’t tell the difference! In this talk, I’ll discuss the URLephant in the room: the fact that the web security model rests on users noticing and understanding URLs as indicators of website identities, but they don’t actually work very well for that purpose. I’ll discuss how the Chrome usable security team measures whether an indicator of website identity is working, and when the security community should consider breaking some rules of usable security in search of better solutions. Finally, I’ll share some thoughts on the big question: is it time to give up entirely on URLs as a user-facing security mechanism?
Emily Stark leads the Google Chrome usable security team, which is responsible for helping users and developers make safe decisions on the web. Her work includes promoting HTTPS adoption, making HTTPS more usable and secure, and improving many of Chrome's user-facing security and privacy features, from warnings to DevTools to URL display. She holds degrees in computer science from Stanford University and MIT.