Google experimenting with hiding URLs in Chrome

Summary: In an effort to make phishing attacks more evident to the user, Chrome Canary is taking a tip from iOS Safari, emphasizing the domain and hiding the rest of the URL.

Jake Archibald, a "developer advocate" for Chrome at Google, has blogged about how the "Canary" version of Chrome is now hiding parts of the URL in order to make phishing attacks more obvious to the user. Canary is an experimental version, used to test new features like this. The feature may or may not make it into release versions of Chrome.

The image below, from Archibald's blog, shows the main effect:

Canary.URL.experiment

The upper screen grab is from a real bank site. The lower part is from a fake phish site created by Archibald for demonstration purposes. Chrome Canary shows only the domain part of the URL, followed by an empty box into which you can enter a URL or search term. It simply doesn't show the directory or file names in the URL. This idea was inspired by similar changes in Safari in iOS 7.

The key to most phishing attacks is to get the user not to notice that the domain name is wrong. This feature is designed to help you notice. It works a lot better with EV (Extended Validation) certificates:

Canary.URL.experiment.EV

Once again, to emphasize, this is an experiment. Archibald is right that the rest of the URL is "noise" to most users, and you can display the URL by clicking the origin chip (that's the box with the domain name, "accounts.google.com" or "Morgan Stanley [US] benefitaccess.com" in the image above).
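The split the origin chip makes can be sketched with the standard WHATWG URL parser. This is an added example, not code from Archibald's post or from Chrome; the function names and the login.example.test host are constructed for illustration. It shows two URLs whose hidden parts are identical, so the chip is the only thing that tells them apart.

```javascript
// Split a URL into the part the origin chip shows and the part it hides.
function originChip(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null; // not an absolute URL, e.g. a search term typed into the box
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return {
    chip: u.hostname,                       // what the user sees
    hidden: u.pathname + u.search + u.hash, // path, query and fragment
    secure: u.protocol === "https:",
  };
}

// True when two pages look the same in everything the chip hides
// and differ only in the domain it displays.
function differOnlyInChip(urlA, urlB) {
  const a = originChip(urlA);
  const b = originChip(urlB);
  if (!a || !b) return false;
  return a.hidden === b.hidden && a.chip !== b.chip;
}

// Constructed sample URLs: the first host is the one named in the article,
// the second uses the reserved .test TLD as a stand-in for a lookalike site.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "https://login.example.test/ServiceLogin?service=mail",
];

function report(urls) {
  return urls.map((s) => {
    const c = originChip(s);
    return c ? `${c.chip}  (hidden: ${c.hidden})` : `not a web URL: ${s}`;
  });
}

console.log(report(SAMPLES).join("\n"));
console.log("differ only in chip:", differOnlyInChip(SAMPLES[0], SAMPLES[1]));
```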

The idea is, of course, controversial. While it may be in the interests of most users, there are others of us who look at URLs, and this feature makes that less convenient. Ari Palo suggests a compromise in which the URL is displayed, but blurred. He also suggests that Chrome flag domains that it knows to be good or bad.

The relevance of URLs to users has long been a controversial point. I once saw Tim Berners-Lee speak and he urged developers to make URLs opaque (like "www.zdnet.com/sd7sd76sdf58f") so that users didn't get the idea that they could read anything into them. In such a system, there's no harm done by hiding the path and file name, but often the page does not give you the tools to get to other places and a careful and clever reading of the URL can be useful.

I also would argue that removing the path would be more acceptable if Chrome did a better job of displaying page titles, but as you can see from the images you get to see very little of the title in Chrome.

Space in and around the browser bar area is a scarce resource and Google needs to be careful and make utilitarian decisions sometimes. While I can imagine some form of this feature making it all the way to release, it's not going to be this version of it. For a mobile browser like iOS Safari with even less space, it may be reasonable to emphasize the most important aspect of the page. A desktop browser should show more.

Topics: Security, Google

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
