by bombcar 778 days ago
USPS.gov redirecting to USPS.com certainly doesn't help matters.

Things like this should use one of the few TLDs that actually has policies and procedures in place; then it's a simple "if it's not .gov, it's not real."


You're right that it doesn't help, but looking at regular non-technical people like my retired parents for example, I really wonder if it's a realistic expectation that people know what the important parts of a URL are.

They need to parse slashes, dots, colons and ats (remember URLs can contain credentials, even though I believe browsers issue warnings these days), identify the TLD and the domain and then know what is legit and what isn't. And know that things like onmicrosoft.com are legit while atmicrosoft.com is probably not. Or whatever link shortener some legit organizations are using.

The root of all these things is companies, banks, and governments offloading the responsibility of security on to the worst possible person - the end user.

"Identity theft" should simply not be a thing at all - it's fraud against the bank and the person whose "identity" was stolen shouldn't be involved. Combined with simple fraud chargebacks that make the bank accountable if they can't make their (fraudulent) customer accountable, this would reduce much of it.

The Internet has been around long enough at this point. Maybe your parents might never be able to read a URL and there will always be people who get scammed.

But we should be taking the obvious steps like enforcing government domains on .gov. Attacks and scams are getting more sophisticated, so I hope when I'm elderly I can at least check the .gov portion and know it's an actual government website.

It's not just the elderly generation though. Young people mostly use apps and might barely interact with an actual browser. Big browsers de-emphasize the URL bar more and more. Yes, you and I and probably everyone on HN will never have a problem with this, but significant portions of the population will. I think it's a hard problem.
For .gov, gov.uk, etc. specifically, it's not that hard of a problem. You can't sign up for those TLDs if you're not a government, so browsers could decorate the URL bar for them. Then you just need to teach people e.g. that the URL bar should turn green whenever interacting with any government, and governments at all levels should use these restricted domains.

You could do a similar thing with banks. Require them to use a .bank TLD (or .bank.us, .bank.uk, etc.), only let actual, regulated banks register them, and give them special decorations. Use eminent domain if those domains are already taken.

Unlike EV cert validation, it would actually mean something if you restricted decorations to specific known regulated groups.

Isn't the simple solution to this to encourage everyone to use the USPS app (and apps for banking, etc.)? Most young people probably do this already.
This just moves the mimicry to the app stores. Admittedly there's some curation but it's far from perfect.
Just to be clear, the two options in this false equivalence are "no fake USPS app has ever been seen, though it is possible in theory" vs "scam websites see as much traffic as USPS itself".
That isn't actually simple though.
That's like suggesting people don't need to know what the zip code is because it's often redundant and omitted. People are often lazy, but it's immediately obvious to anyone that omitting the full 9-digit zip code could result in the letter being misdelivered, even if I don't understand what the last 4 digits are even for.
I'm 38, live in the SF Bay area, and have never given anyone more than the first 5 digits in my life. Online some might auto correct, but I've never learned them in my life and never even considered I should.
The Zip+4 last four digits align to delivery zones. It can be trivially constructed from the complete address now that we have reliable digital mapping systems, and in fact this is what happens internally in the postal system.

It is not required and will likely never be required to provide a 9 digit ZIP for reliable delivery. It may, and does sometimes, impact speed of delivery due to sorting/distribution rounds.

> It is not required and will likely never be required to provide a 9 digit ZIP for reliable delivery.

That depends on who you are.

If you are a regular person, then yes, 5 digits is sufficient. But if you are a sender of presorted commercial bulk mail (which is discounted from first class), you may actually be required to provide a 5 + 4 + 2 = 11 digit ZIP.

That little barcode the post office prints on your letters is actually just the 11 digit zip. The final two digits are the last two digits of the house number. So for "123 Any Street, Anytown FL, 45678", the final two digits of the zip would be 23.

It's honestly not that obvious. I never knew there's a difference between the 5-digit and 9-digit versions of my zip code. Most checkout flows do not even allow me to input more than 5 digits in the first place. But upon receiving my mail, the 5-digit code is always corrected to the 9-digit one.

I had never considered that if there were multiple 9-digit expansions of a 5-digit zip code, the correction might turn out wrong unless the full 9-digit code is specified.

Browsers have gotten better at highlighting the important part. On this URL Firefox highlights the "ycombinator.com" part of the URL (by writing the rest in muted gray), and Edge at least highlights "news.ycombinator.com". Chrome curiously doesn't, and neither do any of my mobile browsers.
I wonder if it would have helped to sort URLs in order of importance. For example com.microsoft.login/reset-password. Then the rule is "does it start with `com.microsoft.`" It would still require people reading URLs and only work well if companies don't spray important stuff across domains (Microsoft is particularly bad here) but at least it is way better than "The stuff in front of the first slash that comes after the protocol slashes." which is pretty hard to explain to someone.
If nothing else, their browser could know that.
The problem is that the browser knows that myups.com is not ups.com. But it doesn't know that you don't have an account at myups.com and think you are logging into ups.com.

The best solution to this is using your browser's built-in password manager (or your favourite browser-integrated password manager); then your randomly-generated password for ups.com won't auto-fill for myups.com and you at least have to think about it and wonder why you need to fish the password out of the password manager.
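The two mechanisms this thread leans on, a browser highlighting (or decorating) the registrable part of a hostname and a password manager refusing to offer ups.com's credential on myups.com, can be shown in a few lines. The following is an added example, not code from any browser or password manager mentioned above: it uses a tiny constructed public-suffix table in place of the real Public Suffix List, treats `gov` and `gov.uk` as the government-only suffixes the thread talks about, and assumes strict origin matching for autofill (scheme, host and port must be identical). The vault entries and URLs are constructed sample data.

```javascript
// Constructed mini public-suffix table. Assumption: a real browser would use the
// full Public Suffix List (publicsuffix.org) with thousands of entries.
const PUBLIC_SUFFIXES = new Set(["com", "net", "gov", "uk", "co.uk", "gov.uk"]);
// Suffixes under which only governments can register (the thread's .gov / gov.uk).
const RESTRICTED_SUFFIXES = new Set(["gov", "gov.uk"]);

// Registrable domain ("eTLD+1"): the part browsers highlight,
// e.g. "news.ycombinator.com" -> "ycombinator.com", "example.gov.uk" -> "example.gov.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  let suffixLen = 1; // fall back to the last label if nothing longer matches
  // Longest matching public suffix wins, so "gov.uk" beats "uk".
  for (let n = labels.length - 1; n >= 1; n--) {
    if (PUBLIC_SUFFIXES.has(labels.slice(-n).join("."))) {
      suffixLen = n;
      break;
    }
  }
  return labels.slice(-(suffixLen + 1)).join(".");
}

// Summarise the parts of a URL a user is expected to "parse" by eye:
// the hostname, the registrable domain, whether the suffix is government-restricted,
// and whether the URL smuggles credentials in front of an "@".
function describeUrl(href) {
  const u = new URL(href);
  const domain = registrableDomain(u.hostname);
  const suffix = domain.split(".").slice(1).join(".");
  return {
    hostname: u.hostname,
    registrableDomain: domain,
    governmentRestricted: RESTRICTED_SUFFIXES.has(suffix),
    hasCredentials: u.username !== "" || u.password !== "",
  };
}

// Constructed sample vault entries (not real credentials).
const VAULT = [
  { origin: "https://ups.com", username: "alice", password: "correct-horse-battery" },
  { origin: "https://usps.gov", username: "alice", password: "staple-purple-monkey" },
];

// Strict origin matching (assumption): a saved credential is offered only when the
// page's origin equals the origin it was saved for, so myups.com never sees the
// ups.com password and the user has to notice the mismatch.
function autofillCandidates(vault, pageHref) {
  const pageOrigin = new URL(pageHref).origin;
  return vault.filter((c) => new URL(c.origin).origin === pageOrigin);
}

// Stand-alone demo.
for (const href of ["https://www.usps.gov/", "https://user:secret@myups.com/login"]) {
  console.log(href, describeUrl(href), autofillCandidates(VAULT, href).length);
}
```

`describeUrl` is the classification a URL bar would need before it could "turn green" for restricted government suffixes, and `autofillCandidates` is the origin check that makes a lookalike domain conspicuous: the credential simply never shows up.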

This is a problem I have a REALLY hard time with when discussing with people, often about scams.

A lot of people look at scams and think "I'd never fall for that" because at face value something looks obvious and you think you can use these obvious filters. BUT in reality there's tons of fuckups like this that make the space confusing because the "red flags" just look like flags.

For example, in the scams where people fake a voice of a loved one people think they'd know. But there's bad connections and the scammer makes it feel like an emergency so you'll let little weird things slip by. Or how every year or two Google changes its login page format (and currently I seem to hit two very different formats...). Or a week ago with the rabbit leak I said this was a reason not to push people to download a file[0] and people concentrated on the part of it being a zip and not that 1) you download something and 2) that zip has to be opened even if a zip alone can't do anything.

This really is one of the big dangers of enshittification. It becomes difficult to distinguish legitimate things from scams.

[0] https://news.ycombinator.com/item?id=40135671

I wonder if the .com TLD is part of the GOP campaign to kill the USPS
USPS purchased the usps.com domain a long time ago specifically so they could control it and prevent phishing. The decision to replace usps.gov with the .com domain came later, with the tenure of Trump appointee Louis DeJoy.

Right wingers believe that USPS should operate as a business, not a public service, so "rebranding" their website to be .com is definitely a part of that narrative.

This does not jibe with my recollection, which is that usps.com has always been the main site. And now, after a quick internet search, I find many references[0] that show your claim is wrong -- the use of the .com domain pre-dates DeJoy by many years, going back in fact to the days when WWW was starting to get widespread use (because .com was far better known than .gov).

[0] Here is just one: https://www.reddit.com/r/explainlikeimfive/comments/3piv7w/e...

It's been USPS.com branding since at least 2000, aka the Bush administration. [1]

[1] https://web.archive.org/web/20000229182038/http://www.usps.g...

I meant Clinton administration
So the ask should be to have .gov be canonical, and usps.com directing to .gov it sounds like?
Yep, but for ideological reasons they reversed it.
No, as I and others have commented, this wasn't changed by the current Postmaster DeJoy (not ignoring all the other wonderful stuff he's changed). They've been using the dot com domain for decades at least?
I'm honestly not a fan of what Louis DeJoy has done to USPS, but I'm pretty sure they've used the dot com domain for as long as I can remember, way before DeJoy became Postmaster General....
Fake news... I love how people always blame DeJoy even though he is one of the better PMGs we've had... and then right wingers somehow enter the picture? I've been working at USPS in tech for 15 years... this has nothing to do with DeJoy or right wingers, and .com has existed for a very long time as the main external-facing website for customers.
> Right wingers believe that USPS should operate as a business, not a public service, so "rebranding" their website to be .com is definitely a part of that narrative.

Seems failing businesses is also on brand for those guys.