RandyWalker linked me to the entry Google is the new http:// in #wordpress earlier, and I shortly thereafter commented over on Alex King’s blog about OpenDNS’s typo-search feature. You know the one - if you type in a domain that doesn’t exist, rather than giving you the default “Couldn’t find that server” message, you get redirected to a Google-powered search results page instead (containing ads).

In short, the conversation was about people utilizing a browser’s auto-correct feature for a domain, rather than typing in the full address themselves. This can vary from simply typing “google” instead of “google.com” to typo’ing it “goggle.com”. If you’re presented with a clear “the server was not found” message, it’s pretty obvious that you did something wrong.

Instead, the OpenDNS method of redirecting you to search results for that term (or the laziness equivalent of people simply relying on Google’s results to get them to their destination more quickly) leaves open what I consider a security vulnerability.

You see, banks frequently encourage you to go to your browser and type in their address directly, rather than clicking through any links you find in an email. This is to help avoid people getting caught into phishing traps that disguise links in false emails as legitimate links.

Imagine, if you will, a world in which everyone utilized OpenDNS, or simply lets Google direct them where to go by omitting the “.com”1, and relies upon the search results they’re presented with to get to their destination. What if some clever phisher is able to successfully game the system and get a top result (or even the top result) for something like… “Bank of America”?

Now we’ve got legitimate sources (OpenDNS and Google) handing out links people assume are totally trustworthy to a site ranking highly for “Bank of America” that is not in fact a legitimate bank website. Can you imagine the millions of idiots that would blindly type their login credentials into this website, simply because they got to it from Google and it looked like the Bank of America website?

I say we start encouraging users to deliberately take the time to type the full address into the address bar. Stop allowing them to be lazy and utilize search engine results to get to their destination because they don’t want to add the additional 4 characters at the end of the URL.

  1. or other TLD - .net, .org, .whatever 
Originally published and updated .
comments powered by Disqus