Using Web Addresses to Stay Safe

A Uniform Resource Locator — better known as a URL — may sound like a complicated thing. But fret not: it’s simply the web address you type into your browser to get to a particular web page or web application.

When you enter a URL, the website is fetched from its hosting server somewhere in the world, transported over miles of cables to your local Internet connection, and finally displayed by the browser on your computer.

Here are a few examples of a URL:

…to get to the news website for the British Broadcasting Corporation (“.co.uk” indicates registration in the United Kingdom)

…to get to the search engine Google

…to get to the website for Museo Nacional Del Prado, the Madrid-based art museum. (“.es” indicates registration in Spain)

…to get to the online banking website for Bank of America (“https://” indicates an encrypted connection)

It’s easy to take URLs for granted, since we type them into our browsers every day. But understanding the parts of a URL can help guard against phishing scams or security attacks.

Let’s look at what’s in a URL in this example:

The first part of a URL is called the scheme. In the example above, HTTP is the scheme; it is shorthand for HyperText Transfer Protocol.

Next, “www.google.com” is the name of the host where the website resides. When any person or company creates a new website, they register this hostname for themselves. Only they may use it. This is important, as we’ll see in a moment.

A URL may have an additional path after the hostname, which sends you to a specific page on that host — like jumping right to a chapter or page in a book. Back to our example, the path tells the host server that you want to see the maps web application at www.google.com. (In other words, Google Maps.) Sometimes that path is moved to the front of the hostname as a subdomain, such as “maps.google.com”, or “news.google.com” for Google News.

Now let’s talk safety. One way to check if you’re surfing right into a phishing scam or an impostor website is by looking carefully at the URL in your browser’s address bar. Pay particular attention to the hostname — remember, only the legitimate owner of that hostname can use it.

For example, if you click on a link and expect to be directed to the Bank of America website:

LEGITIMATE:

  • www.bankofamerica.com is a legitimate URL, since the hostname is correct.
  • www.bankofamerica.com/smallbusiness is also a legitimate URL since the hostname is correct. The path of the URL points to a sub-page on small business.

SUSPICIOUS:

  • bankofamerica.xyz.com is not Bank of America’s website. Instead, “bankofamerica” is a subdomain of the website xyz.com.
  • www.xyz.com/bankofamerica is still not Bank of America’s website. Instead, “bankofamerica” is a path within www.xyz.com.

If you’re using a banking website or conducting an online transaction with sensitive information such as your password or account number, check the address bar first! Make sure that the scheme is “https://” and there’s a padlock icon in your browser’s address bar. “https://” indicates that the data is being transported between the server and browser using a secure connection.

Through a secure connection, the full URL for Bank of America’s website should look like this: https://www.bankofamerica.com. A secure connection ensures that no one else is eavesdropping or interfering with the sensitive information that you’re sending. So “https://” is a good sign. But remember, it’s still important to make sure that you’re actually talking to a legitimate website by checking the hostname of a URL. (It would defeat the purpose to have a secure connection to a bogus website!)
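The two checks described above (hostname first, then scheme) can be written as a short script. This is an added example, not part of the original text; `checkLink` and its verdict strings are hypothetical names, and the sample links are constructed from the hostnames used in this chapter.

```javascript
// Added example: classify a link against the hostname the reader expects.
// checkLink and its verdict strings are hypothetical, not a browser API.
function checkLink(link, expectedDomain) {
  let url;
  try {
    url = new URL(link); // standard URL parser built into browsers and Node.js
  } catch (err) {
    return { verdict: 'unparseable', host: null };
  }
  const host = url.hostname.toLowerCase();
  const expected = expectedDomain.toLowerCase();

  // The host must be the expected domain itself or a subdomain of it.
  // Comparing against "." + expected keeps the match on whole name labels,
  // so only the text to the left of the registered domain may vary.
  const sameOwner = host === expected || host.endsWith('.' + expected);
  if (!sameOwner) {
    // The expected name appearing as a subdomain or a path does not count.
    return { verdict: 'wrong-host', host };
  }
  // Right owner, but the connection is only encrypted with https.
  if (url.protocol !== 'https:') {
    return { verdict: 'right-host-not-encrypted', host };
  }
  return { verdict: 'ok', host };
}

// Constructed sample links based on the hostnames discussed in this chapter.
const samples = [
  'https://www.bankofamerica.com',
  'https://www.bankofamerica.com/smallbusiness',
  'https://bankofamerica.xyz.com',
  'https://www.xyz.com/bankofamerica',
  'http://www.bankofamerica.com',
];
for (const link of samples) {
  const result = checkLink(link, 'bankofamerica.com');
  console.log(result.verdict.padEnd(26), result.host, '<-', link);
}
```

The hostname is tested before the scheme because an encrypted connection to the wrong host is still the wrong host.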

In the next chapter, we’ll look at how a URL typed into the browser’s address bar takes you to the right web page.
