[mr_mitm]

You're right that it doesn't help, but looking at regular non-technical people like my retired parents for example, I really wonder if it's a realistic expectation that people know what the important part of a URL are.

They need to parse slashes, dots, colons and ats (remember URLs can contain credentials, even though I believe browser issue warnings these days), identifiy the TLD and the domain and then know what is legit and what isn't. And know that things like onmicrosoft.com is legit while atmicrosoft.com is probably not. Or whatever link shortener some legit organizations are using.

[bombcar]

The root of all these things is companies, banks, and governments offloading the responsibility of security on to the worst possible person - the end user.

"Identify theft" should simply not be a thing at all - it's fraud against the bank and the person's whose "identity" was stolen shouldn't be involved. Combined with simple fraud chargebacks that make the bank accountable if they can't make their (fraudulent) customer accountable would reduce much of it.

[Larrikin]

The Internet has been around long enough at this point. Maybe your parents might never be able to read a URL and there will always be people who get scammed.

But we should be taking the obvious steps like enforcing government domains on .gov . Attacks and scams are getting more sophisticated, so I hope when I'm elderly I can atleast check the .gov portion and know it's an actual government website.

[mr_mitm]

It's not just the elderly generation though. Young people mostly use apps and might barely interact with an actual browser. Big browsers de-emphasize the URL bar more and more. Yes, you and I and probably everyone on HN will never have a problem with this, but significant portions of the population will. I think it's a hard problem.

[ndriscoll]

For .gov, gov.uk, etc. specifically, it's not that hard of a problem. You can't sign up for those TLDs if you're not a government, so browsers could decorate the URL bar for them. Then you just need to teach people e.g. that the URL bar should turn green whenever interacting with any government, and governments at all levels should use these restricted domains.

You could do a similar thing with banks. Require them to use a .bank TLD (or .bank.us, .bank.uk, etc.), only let actual, regulated banks register them, and give them special decorations. Use eminent domain if those domains are already taken.

Unlike EV cert validation, it would actually mean something if you restricted decorations to specific known regulated groups.

[jonas21]

Isn't the simple solution to this to encourage everyone to use the USPS app (and apps for banking, etc.)? Most young people probably do this already.

[jddj]

This just moves the mimicry to the app stores. Admittedly there's some curation but it's far from perfect

[riehwvfbk]

Just to be clear, the two options in this false equivalence are "no fake USPS app has ever been seen, though it is possible in theory" vs "scam websites see as much traffic as USPS itself".

[jddj]

The first result in my region when I type usps into the google play store is a sponsored result for an app called Parcel Tracker, by internet media. The visible reviews for this app are negative citing scamminess.

If I search for whatsapp, in the sponsored section there are 10+ apps with white speech-bubble style icons on green backgrounds that aren't WhatsApp

[Cthulhu_]

That isn't actually simple though.

[lukeschlather]

That's like suggesting people don't need to know what the zip code is because it's often redundant and omitted. People are often lazy, but it's immediately obvious to anyone that omitting the full 9-digit zip code could result in the letter being misdelivered, even if I don't understand what the last 4 digits are even for.

[talldatethrow]

I'm 38, live in the SF Bay area, and have never given anyone more than the first 5 digits in my life. Online some might auto correct, but I've never learned them in my life and never even considered I should.

[tristor]

The Zip+4 last four digits align to delivery zones. It can be trivially constructed from the complete address now that we have reliable digital mapping systems, and in fact this is what happens internally in the postal system.

It is not required and will likely never be required to provide a 9 digit ZIP for reliable delivery. It may, and does sometimes, impact speed of delivery due to sorting/distribution rounds.

[labcomputer]

> It is not required and will likely never be required to provide a 9 digit ZIP for reliable delivery.

That depends on who you are.

If you are a regular person, then yes, 5 digits is sufficient. But if you are a sender of presorted commercial bulk mail (which is discounted from first class), you may actually be required to provide a 5 + 4 + 2 = 11 digit ZIP.

That little barcode the post office prints on your letters is actually just the 11 digit zip. The final two digits are the last two digits of the house number. So "123 Any Street, Anytown FL, 45678" the final two digits of the zip would be 23.

[LoganDark]

It's honestly not that obvious. I never knew there's a difference between the 5-digit and 9-digit versions of my zip code. Most checkout flows do not even allow me to input more than 5 digits in the first place. But upon receiving my mail, the 5-digit code is always corrected to the 9-digit one.

I had never considered that if there were multiple 9-digit expansions of a 5-digit zip code, the correction might turn out wrong unless the full 9-digit code is specified.

[wongarsu]

Browsers have gotten better at highlighting the important part. On this URL Firefox highlights the "ycombinator.com" part of the URL (by writing the rest in muted gray), and edge at least highlights "news.ycombinator.com". Chrome curiously doesn't, and neither do any of my mobile browsers

[kevincox]

I wonder if it would have helped to sort URLs in order of importance. For example com.microsoft.login/reset-password. Then the rule is "does it start with `com.microsoft.`" It would still require people reading URLs and only work well if companies don't spray important stuff across domains (Microsoft is particularly bad here) but at least it is way better than "The stuff in front of the first slash that comes after the protocol slashes." which is pretty hard to explain to someone.

[BobaFloutist]

If nothing else, their browser could know that.

[kevincox]

The problem is that the browser knows that myups.com is not ups.com. But it doesn't know that you don't have an account at myups.com and think you are logging into ups.com.

The best solution to this is using your browsers built-in password manager (or your favourite browser-integrated password manager) then your randomly-generated password for ups.com won't auto-fill for myups.com and you at least have to think about it and wonder why you need to fish the password out of the password manager.