URLs
By Martin Edwards
You might not know it’s called a URL, but you’ve probably seen one:
https://en.wikipedia.org/wiki/Hamster
A uniform resource locator (URL) can identify:
- A website.
- A specific page or action within a website.
Checking the URL is the best way to tell whether a website is genuine. It’s usually shown at
the top of your browser — can you see martinedwards.co.uk if you look up there now?
Part 1: https
The first part is either http or https followed by a colon and two slashes:
https://en.wikipedia.org/wiki/Hamster
https means your interaction with the site is protected against eavesdropping or interference
by your Internet provider, employer, government — or just someone else on the cafe Wi‑Fi.
Most sites now use https, so your browser may no longer show this bit. Instead, a secure
connection will be indicated simply by a padlock, while plain old http will carry a warning like
Not Secure.
But the padlock has nothing to do with whether a site is genuine. A bogus site can just as
easily use https. It’s no consolation knowing your conversation is private if the person you’re
talking to isn’t who you think they are!
Part 2: the domain name
This is the important bit. The domain name continues until either a
slash / or the end of the URL, whichever comes first. In our example, it’s en.wikipedia.org:
en.wikipedia.org/wiki/Hamster
Computers actually read domain names from right to left, separating them at the dots. Usually
the rightmost part, or two, indicates a country or type of organisation. These are called
top-level domains. For example:
- co.uk (UK, commercial)
- org (non-profit organisation)
- fr (France)
The next part to the left is typically the name of the organisation:
Note: There are exceptions, like diy.com for do-it-yourself retailer B&Q.
Combining these parts, we have fully qualified domain names:
- amazon.co.uk
- unicef.org
- renault.fr
These are the best indicator of the legitimacy of a site. Remember, what matters is the
bit immediately before the first single slash or, if there is no slash, the end of the URL:
blogs.unicef.org
blogs.unicef.org/blog/ukraines-water-heroes/
Bogus domains
Fake or malicious sites might use a misspelling of a genuine domain:
- amaz0n.co.uk (number zero where a letter ‘o’ should be)
- uncief.org (two letters the wrong way round)
- renalt.fr (missing a letter)
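A mail filter or browser extension can catch these misspellings automatically. The following is an added example, not part of the original guide: it flags a domain that is within one typing slip of a known genuine one. The function names and the short list of genuine domains are assumptions for illustration.

```javascript
// Known-good domains taken from the page (assumption: a real check would
// use the list of sites you or your organisation actually rely on).
const GENUINE = ["amazon.co.uk", "unicef.org", "renault.fr"];

// Optimal string alignment distance: a substitution, an insertion, a
// deletion, or a swap of two adjacent characters each count as one edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // Two letters the wrong way round (e.g. "ci" for "ic").
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Return the genuine domain that `domain` imitates, or null if it is
// genuine itself or not close to anything on the list.
function lookalikeOf(domain, maxEdits = 1) {
  const candidate = domain.toLowerCase();
  if (GENUINE.includes(candidate)) return null;
  for (const genuine of GENUINE) {
    if (editDistance(candidate, genuine) <= maxEdits) return genuine;
  }
  return null;
}

for (const d of ["amaz0n.co.uk", "uncief.org", "renalt.fr", "unicef.org"]) {
  console.log(d, "->", lookalikeOf(d) ?? "no lookalike match");
}
```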
Special cases
Thank you for reading this far. If you’ve had enough, do finish here, happy knowing you’re
equipped with the knowledge to avoid the vast majority of online scams!
For keen readers, though, it would be foolish of me not to detail five caveats that can make
it harder to interpret URLs – or harder to tell the authenticity of a site from its URL – in
certain cases.
Strange-looking but genuine subdomains
Sometimes, you’ll see subdomains like this:
secure-appldnld.apple.com/itunes12/
Is this the real Apple website? Yes! Check the rightmost part of the domain – just before the
first slash, remember – and you’ll see it’s apple.com:
secure-appldnld.apple.com/itunes12/
Apple has simply chosen to name a server secure‑appldnld. (Can you work out the
abbreviation?)
Trick subdomains
On the other hand, a crafty bogus site might use a subdomain in this fashion:
bbc.co.uk-news-health-39217858.martinedwards.co.uk
Is this the real BBC website? No! At a glance, it looks like an article in the
News > Health section, but there’s no slash after bbc.co.uk — the domain name
continues, in this case to the end of the address. It’s an elaborate one which, if it was
real, would probably resolve to martinedwards.co.uk:
bbc.co.uk-news-health-39217858.martinedwards.co.uk
I could create a fake page there, mimicking the BBC but with a notice saying you needed to
update some software to watch a video. Of course, the ‘update’ would actually be
malware!
Redirects
A domain name that looks suspicious at first might actually redirect to a genuine site. For
example, if you’re on John Lewis’s mailing list, the emails you receive might contain links to
promotions like this:
johnlewis.us13.list-manage.com/track/click?u=eef5926
This site is genuine. The domain list-manage.com is used by MailChimp to track subscribers
clicking links, to help John Lewis (in this case) learn about its customers.
Because you can’t usually tell where a redirect will go, you need to wait until you arrive
at the destination before checking the URL in the address bar.
Shorteners
Some companies use shorteners to make URLs that are more compact
and easier to communicate. These are really just redirects, but deserve a special mention.
This one uses Twitter’s shortener to redirect to Gordon Buchanan’s documentary about wolves on
iPlayer:
t.co/Rk466PgT3r
And this one uses Microsoft’s shortener to redirect to the much longer URL of the Windows
Update Troubleshooter. It’s much more convenient for their technicians to dictate on the
phone:
aka.ms/wudiag
Trick hyperlinks
This isn’t a URL issue per se, but a link in an email or website may be made to look like a
URL that’s different from its actual destination. Try clicking this link and see where it
takes you — it’s harmless!
https://www.bbc.co.uk
You can often reveal the true destination by hovering your mouse over it or, on a phone or
tablet, long-pressing it — pressing and holding for a second or two. But for reasons beyond
the scope of this guide, even this isn’t foolproof so – as with redirects – the lesson is to
check the address bar at the top of the browser once you arrive on the page.
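The rule from Part 2, applied to the subdomain and trick-hyperlink cases above, as an added example that is not part of the original guide. The short suffix list, the function names and the example.net link target are assumptions for illustration; real code would load the full Public Suffix List.

```javascript
// Tiny stand-in for the Public Suffix List (assumption: constructed for
// this example; production code should load the full list).
const SUFFIXES = new Set(["com", "org", "fr", "uk", "co.uk"]);

// Return the part of the host name that identifies who runs the site:
// the longest known suffix plus one label to its left.
function registrableDomain(url) {
  // Browsers often hide "https://", so tolerate a missing scheme.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(url) ? url : "https://" + url;
  // The URL parser stops the host name at the first single slash.
  const labels = new URL(withScheme).hostname.toLowerCase().split(".");
  // Scanning from the left finds the longest listed suffix first.
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) return labels.slice(i).join(".");
  }
  return labels.slice(-2).join("."); // unknown suffix: assume the last two labels
}

// A link is suspicious when its visible text looks like a URL for one
// site but its real destination (href) belongs to another.
function linkMismatch(visibleText, href) {
  const text = visibleText.trim();
  const looksLikeUrl = /^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/\S*)?$/i.test(text);
  if (!looksLikeUrl) return false; // ordinary wording such as "Read more"
  return registrableDomain(text) !== registrableDomain(href);
}

// URLs from the page.
for (const u of [
  "secure-appldnld.apple.com/itunes12/",
  "bbc.co.uk-news-health-39217858.martinedwards.co.uk",
  "johnlewis.us13.list-manage.com/track/click?u=eef5926",
]) {
  console.log(u, "->", registrableDomain(u));
}

// Constructed link: the text shows the BBC, the href goes elsewhere.
console.log(linkMismatch("https://www.bbc.co.uk", "https://www.example.net/"));
```

A check like this only covers the link as written; because of redirects and shorteners, the address bar on arrival remains the final check.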