In September last year, Google put forth a radical idea – kill the URL. At the Bay Area Enigma Security Conference in the US, Google updated attendees on its plan to rethink how sites are identified.
While Google has no intention to change the underlying infrastructure of the web or of individual websites, the Silicon-Valley tech-giant does want to get rid of long, unintelligible URLs. Why? The company believes the controversial move will help to improve web security and reduce the prevalence of malicious online activity.
Speaking at a recent security conference, Emily Stark, the Chrome usable security lead at Google detailed the business’s first steps towards making websites’ identities more robust.
“What we’re really thinking about is changing the way site identity is presented,” she said.
To make these improvements, Google has announced two projects that could potentially usher in the new era of web identity. The first, is TrickURI and the second is a strategy for implementing warnings when Chrome users are faced with potentially phishy URLs.
Eliminating Trickery and Phishing With TrickURI
This open-source tool will reportedly allow developers to test whether applications display URLs accurately and consistently in a number of digital scenarios. TrickURI recently launched, but Stark told WIRED in an interview that the new Chrome warnings are still in testing. According to Stark, the main hurdle preventing Google from executing its new strategy right now is establishing the appropriate rules that will flag malicious URLs, while avoiding false positives.
“Our heuristics for detecting misleading URLs involve comparing characters that look similar to each other and domains that vary from each other just by a small number of characters,” she told WIRED.
Moving away from this, Google is reportedly looking to develop a set of heuristics that push attackers away from misleading URLs, without mistakenly flagging legitimate domains as suspicious. Presently, Stark says this is her team’s main focus.
“The whole space is really challenging because URLs work really well for certain people and use cases right now, and lots of people love them,” said. “We’re excited about the progress we’ve made with our new open source URL-display TrickURI tool and our exploratory new warnings on confusable URLs.”
The URL of the Future
Google has already made changes to how URLs are displayed in the search bar to improve user security. One of the most notable efforts was its work in pushing website owners to use HTTPS, rather than HTTP. This method has been around since 2010, but it was only in the last few years that sites began getting penalised for not having an appropriate SSL certificate. Additional measures, like removing the ‘www’ at the start of a web address came into place in September 2018, with the ‘m’ that used to indicate that a site was mobile also disappearing at the same time.
As far as Google is concerned, however, this is just the beginning, as it wants to raise user awareness on relevant parts of a site’s URL, to enable them to make quick security decisions and judge whether or not a site is safe.
For instance, Adrienne Porter, Google Chrome’s Engineering Manager believes everyday people don’t understand URLs and which part of them are trustworthy unless there’s a measure in place that makes the distinction between a dangerous and a secure one immediately clear. What the most appropriate way to proceed looks like is still very much in question.
“This will mean big changes in how and when Chrome displays URLs… We want to challenge how URLs should be displayed and question it, as we’re figuring out the right way to convey identity,” he said.
For the time being, Google is working on developing a more secure, easily digestible way to present a site’s identity, with its controversial move to get rid of the URL still very much in the works.