Google’s Chrome team is gearing up to overhaul and perhaps banish one of the most visible parts of every website, its address. Most browsers display that address, called the uniform resource locator, or URL, at the top of the page. But URLs can be complicated strings of alphanumeric gibberish, and Google thinks they’re too hard for humans to assess — especially when that complexity is used to cloak attacks.
Google has been stewing on the URL problem for nearly two years, since the 10th anniversary of Chrome in 2018. Now it’s begun adding tools to Chrome that’ll let it experiment with different approaches, tweeted Emily Stark, a Chrome security team member working on the project.
“We think this is an important problem area to explore because phishing and other forms of social engineering are still rampant on the web, and much research shows that browsers’ current URL display patterns aren’t effective defenses,” Stark tweeted Tuesday. In effect, people can’t reliably distinguish a legitimate URL from a scam.
There’s only one problem: Lots of us seem to be very attached to that alphanumeric gibberish. That’s led to howls of protest before.
“Chrome is experimenting with URL display again. I don’t know why this enrages folks so much. The truth is, humans can’t read URLs,” tweeted Jake Archibald, a Google Chrome team advocate for web developers.
He likened URL reform to hiding other website complexity, like the details of website encryption certificates or the website code itself, that doesn’t generally help mainstream people. “The browser doesn’t show the user raw HTML and expect them to figure it out themselves. I don’t think we should do that with URLs either,” he said. He steered people to a video detailing concerns about how poorly humans handle URLs.
What is a URL?
URLs can be a security problem since carefully crafted but bogus URLs can fool people into thinking they’re visiting a legitimate website where they enter passwords or other sensitive information. You might think it’s your bank’s website you’re visiting, but there are ways to misdirect attention and obfuscate the true address.
Lots of elements make up a URL. Among them: the HTTPS label that indicates a private, tamper-proof connection between your browser and a website; broad and detailed address information for the specific page; and an infinite number of possible parameters used for everything from passing a search query to Google to tracking your presence as you move around the web. URLs can be far longer than even a wide-screen browser can show, and stuffed with alphanumeric gobbledygook that even web browsers find difficult to understand.
For the curious or technically minded, Stark offered instructions on how to try Chrome’s new URL display options by setting configuration flags in the Canary test version of Chrome. Google will test the options on smaller populations of Chrome users before making changes final, she said.