Google wants to eliminate URLs. But first, it must demonstrate why.
Members of Google’s Chrome security team proposed, in September, to eliminate URLs as we know them. In actuality, the researchers do not advocate a change to the web’s underlying infrastructure. They do, however, want to rework how browsers communicate what website you’re viewing so that you don’t have to deal with increasingly long and incomprehensible URLs and the fraud that has developed around them. Tuesday at the Bay Area Enigma security conference, Chrome usable security lead Emily Stark will discuss Google’s initial steps toward a more robust website identity.
Stark emphasizes that Google is not attempting to create disorder by removing URLs. Instead, it aims to make it more difficult for hackers to profit from user confusion regarding the identity of a website. Currently, the endless fog of complex URLs provides attackers with cover for efficient scams. They can create a malicious link that leads victims to a phishing page despite appearing to lead to a legitimate site. Or, they can design malicious pages with URLs that resemble real ones, in the hope that victims won’t realize they’re on a lookalike of Google rather than Google itself. With so many URL shenanigans to combat, the Chrome team is already working on two projects to bring clarity to users.
Stark told WIRED, “What we’re talking about is changing how site identity is presented. People should easily recognize the site they are on, and they should not mistakenly believe they are on another site. It should not require advanced knowledge of the internet to determine this.”
So far, the Chrome team has focused on determining how to identify URLs that appear to deviate from standard practice. Launching in tandem with Stark’s conference presentation, TrickURI is an open-source tool that helps developers verify that their software displays URLs accurately and consistently. The objective is to provide developers with something to test against so they can determine how URLs will appear to users in various situations. Separate from TrickURI, Stark and her colleagues are also developing Chrome user alerts for potentially malicious URLs. The alerts are still undergoing internal testing, as the most difficult aspect is developing heuristics that accurately identify malicious websites while avoiding false positives.
For Google users, the Safe Browsing platform remains the first line of defense against phishing and other online scams. However, the Chrome team is investigating Safe Browsing enhancements that focus specifically on flagging dubious URLs.
“Our heuristics for detecting deceptive URLs involve comparing characters that resemble one another and domains that differ by a small number of characters,” Stark explains. “Our objective is to develop a set of heuristics that steers attackers away from extremely misleading URLs, and a key challenge is to prevent legitimate domains from being flagged as suspect. As an experiment, we are launching this warning gradually.”
Google says it has not yet rolled out the warnings to all Chrome users because the Chrome team is still refining the detection capabilities. And while URLs may not be going away any time soon, Stark emphasizes that Chrome’s presentation of URLs is being refined and more is being done to get users to focus on important parts of URLs. The greatest challenge is displaying the portions of URLs that are pertinent to a user’s security and online decision-making while filtering out all the unnecessary components that make URLs difficult to read. Sometimes, browsers must also assist users with the opposite problem, by expanding shortened or abbreviated URLs.
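The two heuristics Stark describes above (visually confusable characters and domains that differ by only a few characters) and the display problem of isolating the security-relevant part of a URL can be shown together in a small, runnable form. The following is an added example written for this page; it is not Chrome's or TrickURI's code. The allowlist (`KNOWN_DOMAINS`), the public-suffix subset (`PUBLIC_SUFFIXES`) and the confusable-character map (`CONFUSABLES`) are constructed, deliberately tiny stand-ins for the Public Suffix List and the Unicode confusables table; the `classify_url` function, its thresholds and its verdict labels are assumptions made for illustration.

```python
"""Lookalike-domain heuristics: isolate the registrable domain of a URL, then
compare it with known domains by confusable-character skeleton and edit distance.

Added example for this page, not Chrome's or TrickURI's code. KNOWN_DOMAINS,
PUBLIC_SUFFIXES and CONFUSABLES are small constructed subsets; a real deployment
would use the Public Suffix List and the full Unicode confusables table."""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of legitimate registrable domains.
KNOWN_DOMAINS = {"google.com", "wired.com", "example.co.uk"}

# Constructed subset of public suffixes (the real list has thousands of entries).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}

# Constructed subset of visually confusable characters and sequences,
# each mapped to the ASCII letter it is commonly mistaken for.
CONFUSABLES = {
    "rn": "m", "vv": "w",          # multi-character sequences are replaced first
    "0": "o", "1": "l", "|": "l", "5": "s",
    "\u03bf": "o",                 # Greek omicron
    "\u043e": "o",                 # Cyrillic o
    "\u0430": "a",                 # Cyrillic a
    "\u0435": "e",                 # Cyrillic e
    "\u0456": "i",                 # Cyrillic i
}


def hostname_of(url: str) -> str:
    """Extract the host, decoding punycode labels so IDN hosts can be compared."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # leave undecodable labels as they are
    return host


def registrable_domain(host: str) -> str:
    """Return the eTLD+1, the part of the host a user should actually judge:
    'maps.google.com' -> 'google.com', 'www.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().split(".")
    # The longest tail that is a public suffix wins; the label before it is the owner.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def skeleton(name: str) -> str:
    """Collapse confusable characters into a canonical ASCII form."""
    out = unicodedata.normalize("NFKC", name).lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        out = out.replace(src, CONFUSABLES[src])
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, max_distance: int = 1) -> dict:
    """Verdict for a URL: 'known', 'lookalike' (with target and reason) or 'unknown'."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return {"domain": domain, "verdict": "known"}
    host_skel, dom_skel = skeleton(host), skeleton(domain)
    for known in sorted(KNOWN_DOMAINS):
        known_skel = skeleton(known)
        if dom_skel == known_skel:
            return {"domain": domain, "verdict": "lookalike", "target": known,
                    "reason": "confusable characters"}
        # A known name used as a subdomain of an unrelated registrable domain.
        if known_skel in host_skel:
            return {"domain": domain, "verdict": "lookalike", "target": known,
                    "reason": "known domain embedded in subdomain"}
        # Small edit distance, skipped for short names where near-neighbours are
        # often legitimate (the false-positive problem the article raises).
        dist = edit_distance(dom_skel, known_skel)
        if 0 < dist <= max_distance and len(dom_skel) >= 8:
            return {"domain": domain, "verdict": "lookalike", "target": known,
                    "reason": f"edit distance {dist}"}
    return {"domain": domain, "verdict": "unknown"}
```

Run against constructed inputs, `classify_url("https://maps.google.com/search")` reports `google.com` as known, while a host with digits or Cyrillic letters in place of Latin ones, an extra character, or a known name buried in the subdomain of an unrelated registrable domain is flagged with the rule that caught it. The length guard and the distance threshold are the knobs that trade recall for the false positives Stark mentions; shrink them and ordinary short domains start to collide with each other.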
“The entire space is extremely difficult because URLs work so well for certain people and use cases at the moment, and many people adore them,” Stark says. “We’re excited about the progress we’ve made with our new open-source URL-display TrickURI tool and our exploratory new warnings for URLs that are easily confused.”
The Chrome security team has previously tackled internet-wide security issues, implementing fixes in Chrome and then using Google’s influence to encourage everyone to adopt the practice. Over the past five years, the strategy has been especially effective in promoting the widespread adoption of HTTPS web encryption. Critics of the strategy, however, are concerned about Chrome’s power and pervasiveness. The same influence that has been used to effect positive change may be misapplied or abused. And with something as fundamental as URLs, critics are concerned that the Chrome team may settle on website identity display strategies that benefit Chrome but not the rest of the web. Even ostensibly insignificant modifications to Chrome’s privacy and security posture can have significant effects on the web community.
In addition, a consequence of this pervasiveness is a reliance on risk-averse corporate customers. Katie Moussouris, founder of the responsible vulnerability disclosure firm Luta Security, asserts, “URLs as they currently function are frequently incapable of conveying a risk level that users can quickly identify. However, as enterprise adoption of Chrome increases relative to consumer adoption, the company’s ability to radically alter user interfaces and underlying security architecture will be constrained by customer pressure. Popularity carries with it not only the duty to keep people safe, but also the obligation to minimize changes in features, usability, and backward compatibility.”
If it sounds like a lot of difficult and frustrating labor, that is precisely the point. The next question will be how well the Chrome team’s new ideas perform in practice and whether or not they make the web safer.
*Correction January 29 at 21:30: The original version of this sentence stated that TrickURI uses machine learning to parse URL samples and test warnings for suspicious URLs. It has been revised to reflect that the tool evaluates whether software displays URLs consistently and accurately.