Changes aimed at blocking the path to phishing
Google has launched an experiment with how URLs are shown in the address bar of its Chrome browser.
Starting with Chrome 86, which is due to roll out in October, users in an experimental group will be shown the site domain name by default, and full URL on hover.
Those who dislike this approach can opt out by selecting the ‘Always show full URLs’ option.
Only a portion of Chrome’s massive userbase will be enrolled into the experiment, which is designed to create a cleaner interface that makes it easier for users to identify the authenticity of websites, and therefore reduce the effectiveness of phishing attacks.
Spotting spoof sites
Research suggests up to 60% of web users were fooled when a misleading brand name appeared in a URL’s path.
Previous attempts by Google to redesign the URL search bar – also known as the ‘omnibox’ – of the Chromium browser have been criticised by some sections of the security community as making it more, rather than less likely that phishing attacks would slip through the net.
While some have supported the tech giant on the divisive issue, which has been raging for the last two years, the criticism was nonetheless vociferous enough for Google to delay some changes it would like to make to the way URLs are presented.
For example, September 2018 saw the removal of the www., m., and https:// elements from the Chrome browser’s internet address bar.
The changes failed to stick, and Google was obliged to reverse their introduction just weeks later, before reintroducing the same URL presentation simplification in September 2019 with the release of Chrome 76.
Apparently mindful of how that recent changes in URL presentation have split opinion, Google has decided to proceed more cautiously by conducting proper trials this time around.
“Our goal is to understand – through real-world usage – whether showing URLs this way helps users realize they’re visiting a malicious website, and protects them from phishing and social engineering attacks,” members of the Google Chrome Security Team said in a blog post.
Users not randomly assigned to this Chrome 86 experiment who would nonetheless like to get involved, can try out the feature by downloading the pre-release Google Canary developers’ version of Chrome.
All participants are invited to leave their feedback on the Chromium bug tracker.
If previous discussions on the Chromium blog on past URL presentation changes is any guide, then the latest Google Chrome experiment is likely to provoke a lively debate.