The idea, which was first mooted in September, does not change the web's underlying infrastructure. Google intends to remove the need to use increasingly long and unintelligible URLs—and wipe out the fraud that has sprung up around them.
Chrome usable security lead Emily Stark said that it would mean a more robust website identity.
Stark said that Google isn't trying to induce chaos by eliminating URLs. Instead, it wants to make it harder for hackers to capitalise on user confusion about the identity of a website.
Currently, the endless haze of complicated URLs gives attackers cover for active scams. They can create a malicious link that seems to lead to a legitimate site, but automatically redirects victims to a phishing page. Or they can design malicious pages with URLs that look similar to real ones, hoping victims won't notice that they're on G00gle rather than Google. With so many URL shenanigans to combat, the Chrome team is already at work on two projects aimed at bringing users some clarity.
She told Wired that it is all about changing the way site identity is presented.
"People should know easily what site they’re on, and they shouldn’t be confused into thinking they’re on another site. It shouldn’t take advanced knowledge of how the internet works to figure that out."
The Chrome team's efforts so far focus on figuring out how to detect URLs that seem to deviate in some way from standard practice. The foundation for this is an open source tool called TrickURI, launching in step with Stark's conference talk, that helps developers check that their software is displaying URLs accurately and consistently. The goal is to give developers something to test against, so they know how URLs are going to look to users in different situations. Separate from TrickURI, Stark and her colleagues are also working to create warnings for Chrome users when a URL appears to be a phishing attempt. The alerts are still in internal testing, because the complicated part is developing heuristics that correctly flag malicious sites without dinging legitimate ones.
For Google users, the first line of defence against phishing and other online scams is still the company's Safe Browsing platform. But the Chrome team is exploring complements to Safe Browsing that specifically focus on flagging sketchy URLs.
"Our heuristics for detecting misleading URLs involve comparing characters that look similar to each other and domains that vary from each other just by a small number of characters", Stark said. "Our goal is to develop a set of heuristics that pushes attackers away from extremely misleading URLs, and a key challenge is to avoid flagging legitimate domains as suspicious. This is why we're launching this warning slowly, as an experiment."
Google says it hasn't started rolling out the warnings to the general user population while the Chrome team refines those detection capabilities. And while URLs may not be going anywhere anytime soon, Stark said that there is more in the works on how to get users to focus on essential parts of URLs and to refine how Chrome presents them. The big challenge is showing people the elements of URLs that are relevant to their security and online decision-making, while somehow filtering out all the extra components that make URLs hard to read. Browsers also sometimes need to help users with the opposite problem, by expanding shortened or truncated URLs.
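The two ideas above, reducing a URL to the part that actually decides site identity and flagging domains that are confusable with a known site, can be made concrete in a few dozen lines. The following is an added example written for this page; it is not Chrome's code, not TrickURI, and not the heuristics Stark's team is testing (the article does not publish those). The confusables table, the public-suffix list and the list of known-good domains are small constructed stand-ins for the real Unicode confusables data, the real Public Suffix List and a real allowlist, and the sample URLs are constructed to cover the look-alike, typo, and subdomain-spoofing cases described earlier on this page.

```python
"""Added example: URL identity display plus confusable-domain heuristics.

Not Chrome's or TrickURI's code. The tables below are constructed subsets,
not the Unicode confusables data or the Public Suffix List.
"""
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "co.uk", "net", "org", "example"}

# Assumption: a small subset of look-alike characters and sequences, mapped
# onto the ASCII "skeleton" they read as.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "rn": "m",      # two characters that read as one
    "vv": "w",
}

# Assumption: constructed allowlist of sites worth protecting from imitation.
KNOWN_GOOD = {"google.com", "paypal.com", "example.co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'accounts.google.com' -> 'google.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Walking from the left finds the longest matching public suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def display_identity(url: str) -> str:
    """Drop scheme, credentials, port, subdomains, path and query; keep only
    the registrable domain, which is the part that identifies the site."""
    return registrable_domain(urlsplit(url).hostname or "")


def skeleton(domain: str) -> str:
    """Map look-alike characters to a canonical form so 'g00gle' == 'google'."""
    out = domain.lower()
    # Longest sequences first, so 'rn' collapses before its letters are seen.
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        out = out.replace(src, CONFUSABLES[src])
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains one typo away from a known site."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def confusable_with(url: str, known_good=KNOWN_GOOD, max_distance: int = 1):
    """Return the known-good domain this URL imitates, or None.

    An exact allowlist hit is returned as None before any heuristic runs, which
    is what keeps legitimate domains from being flagged against themselves.
    """
    domain = display_identity(url)
    if domain in known_good:
        return None
    sk = skeleton(domain)
    for good in known_good:
        if sk == skeleton(good) or edit_distance(sk, skeleton(good)) <= max_distance:
            return good
    return None


if __name__ == "__main__":
    # Constructed sample URLs: legitimate, digit look-alike, Cyrillic
    # homoglyphs, one-character typo, subdomain spoof, and userinfo/port noise.
    for u in [
        "https://www.google.com/search?q=x",
        "https://g00gle.com/login",
        "https://g\u043e\u043egle.com/",
        "https://gogle.com/",
        "https://accounts.google.com.evil.example/login",
        "https://user@login.paypal.com:8443/signin",
    ]:
        print(f"{u:48} shown as {display_identity(u):14} imitates {confusable_with(u)}")
```

Two things the run makes visible that the prose only states. The subdomain spoof `accounts.google.com.evil.example` is not caught by either heuristic, because its registrable domain is `evil.example` and that is nowhere near `google.com`; what protects the user there is the display reduction, which shows `evil.example` instead of the full host. And the heuristics only ever compare against an explicit list of known sites and skip exact allowlist hits, which is the cheap half of the false-positive problem Stark describes; the expensive half, which this example does not solve, is that with a large allowlist an edit distance of one will also match legitimate unrelated domains.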
"The whole space is challenging because URLs work well for certain people and use cases right now, and lots of people love them," Stark says. "We’re excited about the progress we’ve made with our new open source URL-display TrickURI tool and our exploratory new warnings on confusable URLs."
However, critics fear that the Chrome team could land on website identity display tactics that are good for Chrome but don't benefit the rest of the web.
Developer Dave Winer, one of the creators of RSS, objects to what he views as Google imposing its will on the open web. “The fact is that they’re forcing it”, says Winer, who also wrote a detailed objection in February. “They’re just the tech industry. The web is so much bigger than the tech industry. That’s the arrogance of this.”
Winer worries that forced HTTPS adoption—and scolding sites that don’t embrace it—will penalize web developers who don’t have the wherewithal to implement it, and potentially cordon off older, passively managed corners of the internet. He also says that Google won't stop here: “Was this the only way to achieve this end? Because this is draconian. If this were done properly, it would have been deliberated, and a lot of people who aren't in the tech industry would have had a say in it.”