RandyWalker linked me to the entry Google is the new http:// in #wordpress earlier, and I shortly thereafter commented over on Alex King’s blog about OpenDNS’s typo-search feature. You know the one - if you type in a domain that doesn’t exist, rather than giving you the default “Couldn’t find that server” message, you get redirected to a Google-powered search results page instead (containing ads).
In short, the conversation was about people utilizing a browser’s auto-correct feature for a domain, rather than typing in the full address themselves. This can vary from simply typing “google” instead of “google.com” to typo’ing it “goggle.com”. If you’re presented with a clear “the server was not found” message, it’s pretty obvious that you did something wrong.
Instead, the OpenDNS method of redirecting you to search results for that term (or the laziness equivalent of people simply relying on Google’s results to get them to their destination more quickly) leaves open what I consider a security vulnerability.
You see, banks frequently encourage you to go to your browser and type in their address directly, rather than clicking through any links you find in an email. This is to help avoid people getting caught in phishing traps that disguise links in false emails as legitimate links.
Imagine, if you will, a world in which everyone utilized OpenDNS, or simply let Google direct them where to go by omitting the “.com”[1], and relied upon the search results they’re presented with to get to their destination. What if some clever phisher is able to successfully game the system and get a top result (or even the top result) for something like… “Bank of America”?
Now we’ve got legitimate sources (OpenDNS and Google) handing out links people assume are totally trustworthy to a site ranking highly for “Bank of America” that is not in fact a legitimate bank website. Can you imagine the millions of idiots that would blindly type their login credentials into this website, simply because they got to it from Google and it looked like the Bank of America website?
I say we start encouraging users to deliberately take the time to type the full address into the address bar. Stop allowing them to be lazy and utilize search engine results to get to their destination because they don’t want to add the additional 4 characters at the end of the URL.
[1] or other TLD - .net, .org, .whatever
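To see whether the resolver you are using replaces “server not found” with an answer of its own, as the typo-search feature described above does, you can look up names that cannot exist and check whether anything comes back. This is an added example, not code from the post or from OpenDNS; the function names are hypothetical, and it assumes the probe queries reach the resolver under test rather than being answered by a local stub.

```python
import secrets
import socket


def system_resolve(name):
    """IPv4 addresses the system resolver returns for name; [] if it fails."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []  # NXDOMAIN and other lookup failures both land here
    return sorted({info[4][0] for info in infos})


def check_nxdomain_rewriting(resolve=system_resolve, probes=3, suffix="invalid"):
    """Look up random names that cannot exist and report any that got answers.

    .invalid is reserved by RFC 6761 and never delegated, so an address for
    <random>.invalid means the resolver replaced "not found" with a landing page.
    """
    answers = {}
    for _ in range(probes):
        name = f"{secrets.token_hex(8)}.{suffix}"
        answers[name] = list(resolve(name))
    answered = {name: addrs for name, addrs in answers.items() if addrs}
    landing = sorted({addr for addrs in answered.values() for addr in addrs})
    return {
        "rewrites": bool(answered),
        "answered": len(answered),
        "probes": probes,
        "landing_addresses": landing,
    }


if __name__ == "__main__":
    # Live check against whatever resolver this machine is configured to use.
    print(check_nxdomain_rewriting())
```

The `resolve` parameter accepts any callable that maps a name to a list of addresses, so the same check can be pointed at a specific resolver or exercised offline with a stand-in.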
I think there’s a lot of truth in what you write and a lot that folks like us at OpenDNS can do to prevent this from occurring. There is already an implicit level of trust folks like Google and OpenDNS have and we work hard to earn and maintain that trust. Things like this are of the utmost concern to me and I’m definitely open to a discussion of what we can do with more intelligence in the DNS and on the network to remedy these kinds of hypothetical situations.
David: Thanks for commenting!
There’s certainly a very high level of trust both companies maintain in the overall populace. Unfortunately, no system is foolproof. No matter how much effort Google may put in to policing its search results, we all know there are people out there capable of gaming the system to gain an advantage. Certainly I wouldn’t expect a situation like I mention to be a long-standing problem, but it could potentially be problematic enough to be of concern.
OpenDNS’s integration with PhishTank goes a long way towards helping prevent these problems for its customers (assuming, of course, that the same tainting of the data set isn’t accomplished with PhishTank as well, which seems highly unlikely). Of course this does require that everyone use OpenDNS. I’m sure you’d love it if everyone in the world were using OpenDNS, but that’s obviously never going to be a reality, so we’re left with the same problem for the rest of the internet populace that’s still relying upon “unshielded” (as it were) Google (and other engines’) search results to locate everyday sites like MySpace, eBay, and Facebook.
I doubt there will ever be one true solution to the problem. In the meantime, I think users should be encouraged to use search engines in the manner in which they were originally intended - to help you find obscure pieces of data. They were never intended to replace the manually-typed URL, and I think adopting such a policy in common practice is only asking for trouble, particularly since it saves you so little time and effort.
Again, thanks for commenting David! I may not regularly use OpenDNS, but I love the idea (and PhishTank too), and couldn’t live without EveryDNS!
I understand that you’re taking the extreme stance on OpenDNS for the sake of the argument but I think you inadvertently brought up a great point in favor of the OpenDNS “spellchecking.” You say “Stop allowing them to be lazy and utilize search engine results to get to their destination…” I know you don’t really think this will happen but you are just getting your point across but the point it brings up is that people are lazy. They are going to [mis]use a product the easiest way they know how.
People were already using their Google search bars in the way that OpenDNS does “spellcheck” so OpenDNS might as well try to help. I actually think I read somewhere that OpenDNS actively tracks phishers and will “spellcheck” you away from them. My point is that if you’re going to have people using Google as a keyword program you might as well have it trickle through your DNS first so they can catch phishers.
In a perfect world, everyone knows how computers work and why they work the way they do so we wouldn’t have idiots using the “wrong” websites. =)
Great site btw!
Luke: You’re quite right about the spellchecking. I agree that OpenDNS has a lot of very useful features (generic domain spell checking, .om -> .com redirection, phishing protection, etc.). I am actually using OpenDNS here at home currently for several of those reasons, along with some others (I find their query stats interesting, and I typo .com more often than I’d like to admit). Primarily I enjoy using OpenDNS because it is faster and all-around more reliable than any other DNS I have access to (even though BellSouth does provide significantly higher-quality DNS than other ISPs), but those extra handful of features make it just a tad more enjoyable than before.
I still say we flog users for being that lazy! It’s like a whole new low in the laziness spectrum when you’re too lazy to add “.com” to the end of your URL and rely on Google to rank the site you’re actually looking for highly enough to be of use.
Well put. I agree with that =)
Type google. Hit CTRL ENTER.
Nobody types the dot com these days.