Google to trial drastically truncated URLs in Chrome in anti-phishing move


Google will run a trial with Chrome 86, the browser set to release in October, that will hide much of a site’s URL as a way to foil phishing attacks.

“We’re … going to experiment with how URLs are shown in the address bar on desktop platforms,” Emily Stark, Eric Mill and Shweta Panditrao, all members of Chrome’s security team, wrote in an Aug. 12 post to a company blog. “Our goal is to understand — through real-world usage — whether showing URLs this way helps users realize they’re visiting a malicious website, and protects them from phishing and social engineering attacks.”

The test will roll out in Chrome 86 – currently slated to ship Oct. 6 – with participants chosen randomly. Stark, Mill and Panditrao did not specify the number of Chrome users, or even a percentage of the browser’s total, who will see the address bar pilot. Enterprise-enrolled devices won’t be included in this Chrome 86 experiment, they added.

Rather than display the entire URL in Chrome’s address bar, the trial will instead condense it to what Google called the “registrable domain,” which it explained means (the “most significant” part of the domain name). If the full URL for, say, a Computerworld article is https://www.computerworld.com/article/3571442/microsoft-sets-new-support-deadlines-for-ie11-and-edge.html, then the registrable domain would be computerworld.com.

Showing only the domain, the three Google engineers argued, might make it easier for users – those who look at the address bar, anyway (not everyone does) – to ensure they were at the right place, not at a malicious site they’d been tricked into visiting. “There are myriad ways that attackers can manipulate URLs to confuse users about a website’s identity,” Stark, Mill and Panditrao said. “(That) leads to rampant phishing, social engineering and scams.”

(The trio cited a 2020 research paper – “Measuring Identity Confusion with Uniform Resource Locators” – to make their case. Of the nine who wrote the paper, two were from Google; the remaining were from the University of Illinois at Urbana-Champaign.)

Copyright © 2020 IDG Communications, Inc.



techworld