
Why Google is changing the standard URL interface in the browser

In September last year, Chrome developers put forward a radical proposal: change the way the URL is displayed in the browser. Some publications immediately ran articles with panicky headlines such as "Google wants to kill the URL".

Theoretically, it is beneficial for Google if users reach all sites through search rather than directly by URL from the browser. That is probably why the address bar was at one point combined with the search box. But the address bar will not disappear completely just yet. So far, Google is only taking the first steps, giving Chrome a little control over how the URL is displayed. This is done for the safety of users.

Google says the URL syntax is too difficult for a mass audience.

Complex URL syntax

“People really barely understand the URL,” said Adrienne Porter Felt, technical director of the Chrome team. “These addresses are hard to read, and it is not clear which part of the address you need to trust. In general, in my opinion, the URL incorrectly conveys the identity of the site. And we want to move to ensure that the identity of the web is clear to all, so that people know whose website opens in the browser and can logically reason about whether they can trust it. But it means a big change in when and how Chrome shows the URL. We want to challenge the modern URL interface and challenge it by moving towards a more appropriate identity representation.”

The URL as a unique resource identifier is not going anywhere. But Google thinks of it as a machine identifier rather than a human-readable address. People find it difficult to understand the complex syntax of the URL, and attackers often exploit this. They use URLs with subdomains or addresses that differ by one character, or install free HTTPS certificates to get a green icon for their phishing sites.

Phishing test


Regular users will not always quickly see the difference between domains with similar spelling, for example:

example.com/profiles/al
example.com.profiles.al
examp1e.com/profiles/al
example.co/profiles/al
etc.


Even in a simple phishing test from Google, not everyone will get the maximum score of 8 out of 8. By the way, Google's choice of domain name for the test looks very ironic, given that this is a phishing test.

TrickURI: Heuristics for URL Filtering in the Browser


Last Tuesday, Emily Stark, usable security lead for Chrome, spoke at the Enigma security conference. She described Google's first steps toward "more reliable identification of websites."

“We’re talking about changing the way a site’s identity is represented,” said Stark. “People should easily understand which site they are on so that they cannot be misled. To understand this, a person should not need in-depth knowledge of how the Internet works.”

In other words, the browser should turn a regular URL into something clearer and more understandable. In some cases, an insignificant part of the address should be relegated to the background, while in others the opposite should be done: expand a shortened link and show which domain stands behind it.

The Chrome team's efforts are now focused on finding URLs that "deviate from standard practice." To this end, an open source tool called TrickURI has been developed. It works as a proxy and installs on a client machine with a root certificate, helping developers analyze their web application for correct, clear and understandable URLs. Developers gain an understanding of how URLs look to users in different situations.



Separately from TrickURI, a warning system is being developed to alert Chrome users when a URL looks like potential phishing. Unlike the existing Safe Browsing mechanism, the new system will rely not on a blacklist but on a set of heuristics.

“Our heuristics for detecting misleading URLs include comparing characters that are similar to each other and domains that differ only in a small number of characters,” Stark said. “Our goal is to develop a set of heuristic methods that do not allow attackers to use misleading URLs, and the main task is not to mark legitimate domains as suspicious. That is why we are very slowly, gradually launching this system as an experiment.”
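The two heuristics Stark describes, run over the look-alike addresses listed earlier in the article, plus a check for a protected domain embedded as a subdomain (the example.com.profiles.al case). This is an added example, not Chrome's or TrickURI's code; the protected-domain list, the small look-alike table, the verdict names and the two-label shortcut for the registrable domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of domains to protect; the article itself only uses example.com.
PROTECTED = {"example.com"}

# Tiny constructed look-alike table (look-alike -> canonical character).
# Assumption: a real deployment would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, max_edits=1):
    """Return a verdict for the host part of url, compared against PROTECTED."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".")
    if not host:
        return "no-host"
    # Assumption: the registrable domain is the last two labels (no public suffix list).
    registrable = ".".join(host.split(".")[-2:])
    if registrable in PROTECTED:
        return "ok"  # exact match first, so legitimate domains are never flagged
    for brand in PROTECTED:
        if host.startswith(brand + ".") or "." + brand + "." in host:
            return "brand-in-subdomain"
        if registrable.translate(CONFUSABLES) == brand.translate(CONFUSABLES):
            return "confusable-characters"
        if edit_distance(registrable, brand) <= max_edits:
            return "near-miss"
    return "unrelated"

# The four addresses from the article's list; only the first is the genuine site.
SAMPLES = ["example.com/profiles/al", "example.com.profiles.al",
           "examp1e.com/profiles/al", "example.co/profiles/al"]

def scan(urls=SAMPLES):
    return {u: classify(u) for u in urls}

if __name__ == "__main__":
    for url, verdict in scan().items():
        print(f"{verdict:22} {url}")
```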

“URLs work very well for certain people”


Abandoning the standard URL display is a contentious topic. Even inside Google, developers do not share a common opinion on it. Any such radical change is difficult: even dropping the green highlight for HTTPS sites was not easy, because a consistent policy had to be negotiated with the developers of other browsers.



And this is not the last change Google is going to make:

“The situation is really complicated, because now URLs work very well for certain people and in certain situations, and many people love them,” says Stark.

However, for the vast majority of ordinary people, reading and understanding URLs is not as easy as it is for experienced users. Therefore, Google is committed to changing the URL interface: “I don’t know what it will look like yet, because at this time there is an active discussion on the team,” says Parisa Tabriz, director of development at Chrome. “I know one thing: whatever we offer, it will be a controversial decision. This is one of the obstacles in working with a very old, open and widespread platform. The changes will be contradictory, whatever form they take. But it’s important to do at least something, because the URL doesn’t satisfy anyone, it’s kind of like crap [they kind of suck].”

Chrome monopoly


Independent experts support Google’s initiative to improve security on the Web, although they express some concerns. The problem is that today the lion’s share of browsers is based on Chromium, so too much power is concentrated in the hands of that browser's developers. Any action of theirs almost automatically becomes the standard for other browsers. Even Microsoft recently officially abandoned its own EdgeHTML engine in favor of Chromium in the desktop version of its browser.

So far only Mozilla is holding on. Regarding Microsoft's decision, Mozilla said the following: “Farewell, EdgeHTML. By adopting Chromium for use, Microsoft gives Google more control over online life. This may sound melodramatic, but it is not. The browser engines — Google’s Chromium and Mozilla’s Gecko Quantum — are internal parts of the software that actually determine much of what we can do on the Internet. They define the main features: what content we as consumers can see, our safety when viewing content and how much we control websites and services. The Microsoft solution gives Google more opportunities to single-handedly decide what opportunities are available to each of us.”

It remains only to hope that in manipulating the URLs, the Chrome developers will not abuse their power.


Source: https://habr.com/ru/post/438758/