URL highlighting
From MozillaWiki
This is a summary of URL highlighting in Firefox 3 discussed in mozilla.dev.apps.firefox listing pros and cons. Feel free to add things that I have missed.
This is a summary. Discussions should take place in the newsgroup.
Contents
Goals (in prioritized order)
- Add support in the location bar for complex characters
- Help users understand "where" they are on the web
- Prevent homograph-style domain spoofing attacks (ie: bankofthevvest.com)
- Prevent subdomain-style domain spoofing attacks (ie: paypal.evil.com)
- Make the location bar more functional as a navigational aid
Constraints
- can't replace URLs outright, they're too important in the way the web works
- need to support existing copy, paste, select-portion-and-modify actions
General
- con: URL highlighting adds more visual complexity, and the gain is questionable.
- pro: make the TLD+1 stand out to make it easier to spot phishing.
- con: those most vulnerable to phishing don't even look at the URL, thus making this ineffective.
- con: The TLD+1 is not trustable for identification purposes.
- con: When the TLD+1 is most trustable, the domain is already shown in the status bar
- con: The users we are trying to help propably won't understand what the new formatting is for.
- con: The more security/identity indicators we make, the more they will confuse users, and confused users are easier to attack.
- pro: removing the sheme makes the URL simpler and easier to understand.
- pro: When https is not shown, users won't be tricked into associating it with secure and they may start using the real security indicators.
- con: The sheme may be useful information for some users.
- pro: This information can be displayed elsewhere (eg www favicon for http/https, ftp favicon for ftp etc.).
Methods of highlighting TLD+1
- graying out the rest of the URL
- If the color is too light, the URL become unreadable, if the color is too dark, the the highlighting becomes invisible. When the color is medium light/dark, both apply.
- making TLD+1 fat
- draws too much attention to the URL. Some non-western characters become unreadable.
- underlining TLD+1
- Adds confusion because it looks like a link.
- using different background color
- May add too much visual disturbance. Adds confusion because it look like the text is selected.
- using different color
- Looks ugly. Bad for color blind people.
- adding spacing around TLD+1
- Makes part of the URL move on hover, cause visual disturbance. Makes it look like there actually is a space there.
Linkification of TLD+1
- Makes it hard to edit that part of the URL.
- Users may accidentally follow the link when they wanted to edit the URL.
- Link may not allways result in something meaningful.
- Almost all web sites has links to the home page in the top of the page making the link redundant.
- Tries to solve a problem that does not exist (problem: it is hard to navigate back to the home page).