“Unreadable gobbledygook” is one way to describe URLs today as we know them, and Google has been attempting to redo their look for years. In their latest move to improve how Chrome—and of course, how the company hopes other browsers would follow suit—displays the URL in its omnibox (the address bar), Google’s Chrome team has made public two projects that usher them in this direction.
First, they launched Trickuri (pronounced as “trickery”) in time for a talk they were scheduled to present at the 2019 Enigma Conference. Second, they’re working on creating warnings of potentially phishy URLs for Chrome users.
Watch out! Some trickery and phishing ahead
Trickuri is an open-source tool where developers can test whether their applications display URLs accurately and consistently in different scenarios. The new Chrome warnings, on the other hand, are still in internal testing. Emily Stark, Google Chrome’s Usability Security Lead, confesses that the challenge lies in creating heuristic rules that appropriately flag malicious URLs while avoiding false positives.
“Our heuristics for detecting misleading URLs involve comparing characters that look similar to each other and domains that vary from each other just by a small number of characters,” Stark said in an interview with WIRED. “Our goal is to develop a set of heuristics that pushes attackers away from extremely misleading URLs, and a key challenge is to avoid flagging legitimate domains as suspicious. This is why we’re launching this warning slowly, as an experiment.”
These efforts are part of the team’s current focus, which is the detection and flagging of seemingly dubious URLs.
Google Chrome’s bigger goal
The URL is used to identify entities online. It is the first place users look to assess if they are in a good place or not. But not everyone knows the components that comprise a URL, much less what they mean in the syntax. Google’s push for website owners to use HTTPS has rippled across browser developers and consequently changed user preferences to favor such sites. In effect, by pushing HTTPS, Google changed the game to give the user a generally safer online experience.
However, Google wants to go beyond this, and are set on raising user awareness of relevant parts of the URL (so they can make quick security decisions). As a result, they are refining Chrome to present these parts while keeping users’ view away from the irrelevant gibberish.
In a separate interview with WIRED, Adrienne Porter Felt, Google Chrome’s Engineering Manager, has this to say about how users perceive the URL: “People have a really hard time understanding URLs. They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone—they know who they’re talking to when they’re using a website and they can reason about whether they can trust them. But this will mean big changes in how and when Chrome displays URLs. We want to challenge how URLs should be displayed and question it, as we’re figuring out the right way to convey identity.”
While these may all sound good, no one—not even Google—knows what the final, new URL will look like at this point.
A brief timeline of Google’s efforts in changing the URL
Below is a brief timeline of attempts Google has made to how Chrome displays the URL in the omnibox:
- April 2010: Google removes ‘HTTP’‘ from the address bar.
- May 2014: Google began testing a feature that is known internally as the “origin chip”, its first attempt at evolving (or “killing” the URL as we know it) the display of the URL. However, this was put on hold.
- January 2017: Google starts marking some HTTP websites as “not secure.”
- October 2017: Google starts marking HTTP websites with a search box as “not secure.”
- July 2018: Google starts marking all HTTP websites as “not secure.”
- September 2018: Google removes the ‘Secure’ indicator from HTTPS pages.
- September 2018: Google removes ‘www’ in URLs and the ‘m’ (which indicates that it’s a website address geared for mobile users).
- September 2018: Google removes the ‘file://’ scheme.
- September 2018: Google begins showing a red “Not secure” warning to users when they start entering data on HTTP pages
- January 2019: Google introduces Trickuri for developers
- [still unknown date]: Google will introduce new phishing warnings to Chrome users.
“…it just raises too many questions.”
With Google’s new effort, how will it affect redirection schemes? SEO? Shortened URLs?
Will this, in time, affect the behavior of new Internet users entering URLs in the address bar? For example, what if they don’t know that certain URL elements are (by default) elided but should now be typed in (such as entering ‘www’) to go to their desired destination? Will they understand the meaning of .com or .org if these elements are erased from view?
How can web developers, business owners, and consumers prepare themselves for these URL changes?
Right now, there’s more uncertainty than there are answers, as Google admits there is still a lot of work to be done. And based on the tone of several spokespersons in interviews, the company also expects some pushback and a degree of controversy that may arise from their efforts. Change is never easy.
Let’s keep an eye on this URLephant in the room, shall we? And let’s also keep giving feedback and raising questions. After all, this is Google’s way of keeping Chrome users away from URL-based threats. If changes are not implemented with thoughtful precision, then threat actors can easily find a way around them, or at least bank on the confusion resulting from a poor rollout of new processes.
While the future of URLs is still murky, one thing’s for certain: the bad guys know how to exploit weaknesses. So we hope, for Google and all its users’ sake, changes in URL display only serve to strengthen everyone’s security posture online.