by ZeroMinx 4282 days ago
Disagree.

We technical people instinctively know there's a fundamental difference between those 2 domains. Normal people don't. And why should they?

We (tech people) have to get the situation to a point where we don't expect normal people to have to know all these silly details.

I'm not doing anything to help achieve this, I'm hoping other people are :)


I really, truly don't see how this is a "silly detail" any more than ensuring the person who collects your credit card information in a retail setting, in person, actually represents the company they claim to, by looking for a uniform, nametag, or other immediately obvious information that identifies someone as working for someone else.

We've been trying to drill it into people to look for the lock icon before entering anything personal for decades and it's kinda starting to stick.

Is it really that much more to ask that you double check to see if the URL you're putting your sensitive information on matches what it claims to be?

It's literally right there. A glance upwards. No clicks or any special arcane knowledge required.

I think if a conman could get behind the counter in a retail setting, people would give their credit cards over as easily as they do online. No one is looking at the cashier to make sure that they are legitimate, and that's because they don't have to: no retail business could survive news reports of people getting scammed in this way. Honestly the same is true online. There's no expectation that if you started out on Nordstroms.com that your purchase information will be stolen by an imposter. Since Nordstrom's controls the content on that site, it's very difficult for an attack like that to occur.

But people will always have to be careful about who they're negotiating with and what information they're revealing. You can't engineer that away. And it can't get much simpler than looking for an SSL lock and matching a string.

You're missing the point, and you make it seem like everyone should be an expert in everything. Not everybody that uses a computer understands the thick stack of technologies at play. It may seem simple to you, but that's you.

When my car makes a noise, I take it to Don the Car Care Man because aside from replacing the battery and windshield wipers I can't do much. If they told me I needed to get part X replaced, I'd trust their input and buy part X.

When people visit eBay, there is an inherent level of trust placed in that site. It's a legitimate business used around the world. If a listing links outside of eBay and is asking for personal information, not everyone understands that such behavior is a sign of an attack.

My grandma doesn't know what a URL is. If I told her to visit my company's website, she would ask where it is in her bookmarks. Just like I would ask where part X in my car goes. To me that's a very basic question; to a car expert they might be thinking: "Good thing this guy is having us take care of the problem".

How is checking basic stuff an implication that everyone should be an expert in everything?!

Someone who has learned enough to start up a computer, log in, access their web browser, navigate to an online storefront, select products they want to buy, navigate through the checkout process, and enter their details to effect the purchase has already demonstrated the pattern matching skills and knowledge necessary to answer the easy question "Is the picture of the lock there?" and the slightly more involved question "Do the words up there match with where the page says I am?"

I'd be willing to bet your grandma can understand "When you're shopping somewhere, make sure the lock icon is in that bar at the top of the window before you put your credit card in". This is stuff that's been drilled into people since the early '90s when eCommerce began to become a thing.

It's not arcane knowledge, hardly "expert" level, it's a basic skill that anyone who shops online should have.

The idea that we can advocate against users having that skill provides dubious benefit to systems security and a handicap to what is the weakest link in any secure process, the human element. Anything we can do to make end users more skeptical is a Good Thing.