Unbeknown to many, there was much adieu in Google's Chrome security headquarters back in September of last year. Some sweeping changes were to be made – annihilating everything that we know about URL.
The fundamental system will remain the same, however. Researchers aim to change how browsers display a website so that users need not deal with long and gibberish URLs. For the Google team responsible for this project, most unintelligent URLs are fraudulent and may have to be stopped.
Emily Stark from Chrome discussed this controversy during last year’s conference. She said that Google’s first steps in improving website identity focused on warding off hackers. This was not simply a merciless plan to kill URLs but rather a measure to increase security so that hackers will find it difficult to take advantage of website users. Especially when they’re confused about a website’s identity.
Getting Rid of Unintelligent URLs
Currently, many unintelligent URLs populating the Internet are giving cybercriminals an effective excuse for pulling off scams. It’s easy for them to create a malicious link that seemingly connects to a legitimate site. In reality, this link redirects victims to a page that phishes for private information.
Hackers can also design malicious landing pages with URLs that look real and professional. Such legit-looking pages lure victims with catchy hooks and call-to-action links or buttons they won't even notice anything suspicious. that they're on Google rather than Google. With all these downright shady shenanigans, the Chrome security team is working on two projects with the end goal of making users’ lives more peaceful and secure.
People should know, without a hint of doubt, whether they’re browsing the right website or not. Stark, who spoke on behalf of the team, said that the team is working on taking down any confusion. Users “shouldn’t be confused into thinking” they’re browsing on a different site. With the new Chrome security innovation in place, no need for advanced Internet knowledge to identify whether you’re on the right website or not.
Deviant URLs
The Chrome team are on a hunt for URLs that deviate from the rules. But how to know if web URLs are displaying accurately and consistently as per standards? In last year’s conference talk, Start recommended TrickURI – an open-source tool for detecting rogue or devious URLs.
In addition to TrickURI, the Chrome team members will also launch warnings for Chrome users every time a possibly malicious URL is detected. These alerts may be implemented in 2019 but presently are in the internal testing stage. It's challenging for team members to develop “heuristics” or shortcuts that accurately penalise malicious sites without adversely affecting legitimate ones.
Line of Defense
Chrome researchers recommend that Google users take full advantage of private browsing (also known as the Safe Browsing platform). This is their first line of defence against malicious links, scams and phishing websites. But the Chrome team is doing more to reinforce users’ current defences. They are in the midst of exploring new elements or approaches that complement Safe Browsing but can effectively flag suspicious URLs.
Stark said that the team will compare characters that look similar (e.g. two Os and two zeroes). They will also look into domain variations (e.g. web-site.com and website.com) of sites that basically sound the same. The Chrome team is in the process of developing different types of heuristics to efficiently drive attackers away and dilute any confusion between malicious and legitimate URLs or pages.
The team is going through the process slowly but surely. More experiments will be conducted to ensure maximum accuracy and effectiveness.
The Future for URLs
The general user population has yet to receive such warnings from Google For the meantime, the Chrome team is refining the browser’s malicious, phishing and scam site detection capabilities.
Though URLs are likely to continue their existence for some time now, Stark noted that the focus for users will be on important parts of URLs and to fine-tune Chrome’s presentation of such URLs.
But here’s the most challenging aspect: making users understand which parts of a URL are secure and how they should go about their online decisions. People might find it hard to disregard extra components that make URLs difficult to process.
Browsers should come to users’ rescue rather than give them more problems. Truncated URLs, should be ideally be expanded. Nevertheless, the Chrome team has expressed their excitement about their progress. They’re particularly excited for their open source TrickURI and malicious URL detection and warning features.
Moving Forward
This isn’t the first set of issues the Chrome security team has taken on. They are experts in dealing with security issues across the Internet as well as developing bug and functionality fixes for the Chrome browser.
With the super brand Google backing up their projects, it won’t be long before everyone joins the new security bandwagon. The universal adoption of HTTPS web encryption is one of the Chrome team’s milestone achievements.
In the last five years, HTTPS encryption has become the standard for professional websites and websites that want to rank well on search engines.
For all its contributions in the realm of cybersecurity, many still fear Chrome's global power and influence. Such power could be used in the wrong way to the detriment of users and competitors in the same field.
What critics fear most, however, is that the Chrome team could be using website identity features as a strategy that will only benefit Chrome but not key stakeholders. Simple changes to the Chrome browser could affect the web community – and not necessarily in a good way.
On a positive note, nothing is final as of the moment. We can all reserve our judgment until Chrome’s new browser security feature starts rolling out.
