
Jake Archibald, a “developer advocate” for Chrome at Google, has blogged about how the “Canary” version of Chrome now hides parts of the URL in order to make phishing attacks more apparent to the user. Canary is an experimental version used to test new features like this one, and the feature may or may not make it into release versions of Chrome.

The image below shows the main effect:

[Image: canary-url-experiment, the two address bars compared]

The top screenshot is from a real bank site. The lower one is from a fake phishing site created by Archibald for demonstration purposes. Chrome Canary shows only the domain, followed by an empty box where you can enter a URL or search term; the path and file name are omitted. This feature was inspired by similar changes to Safari in iOS 7.

The key to most phishing attacks is to keep users from noticing that the domain name is wrong. This feature is designed to help you notice.
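To make that point concrete, here is a small added example (my own code, not part of Archibald's post or of Chrome) that reduces a URL to what a domain-only address bar would display, and compares it against the host a user expects. All the domains in it are constructed placeholders; the point is that the host name is the only part of the URL the user should be comparing, and that a bank's name appearing elsewhere in the URL (in a subdomain, in the path, or before an `@`) does not change the host the browser actually connects to.

```python
from urllib.parse import urlsplit


def displayed_domain(url: str) -> str:
    """Return the part of a URL that a domain-only address bar would show:
    the host name, without scheme, userinfo, port, path, query or fragment.
    Raises ValueError for URLs that have no host at all."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no host name in {url!r}")
    # hostname is already lower-cased and stripped of userinfo/port by urlsplit
    return parts.hostname


def domain_matches(url: str, expected_host: str) -> bool:
    """Defender check: does this URL really land on the host the user expects?
    The whole host is compared, so 'bank.example.attacker.example' does not
    pass for 'bank.example'."""
    return displayed_domain(url) == expected_host.lower()


def address_bar_view(url: str) -> str:
    """Render the URL the way the full bar and the domain-only bar would show
    it, side by side, so the difference is visible in one line."""
    return f"full: {url}\n domain-only: {displayed_domain(url)}"


# Constructed sample URLs using placeholder domains (not real sites).
SAMPLES = {
    "genuine": "https://online.bank.example/login?session=abc",
    "bank_name_as_subdomain": "https://online.bank.example.attacker.example/login",
    "bank_name_in_path": "https://attacker.example/online.bank.example/login",
    "bank_name_before_at": "https://online.bank.example@attacker.example/login",
}

if __name__ == "__main__":
    expected = "online.bank.example"
    for label, url in SAMPLES.items():
        verdict = "OK" if domain_matches(url, expected) else "WRONG HOST"
        print(f"[{label}] {verdict}")
        print(address_bar_view(url))
```

Run it and only the first sample passes; the other three all contain the string `online.bank.example` somewhere in the full URL, which is exactly what a user skimming the bar latches onto, yet the domain-only view shows `attacker.example` for each of them.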

It works better with Extended Validation certificates:

[Image: canary-url-experiment-ev, the address bar with an Extended Validation certificate]

Archibald isn’t wrong to say that the rest of the URL is just noise to most users, and those of us who want to see the full URL still have the option to do so.

But this is definitely a controversial idea. While it may be in the interests of most users, more technically savvy folks actually read URLs, and this feature makes that harder.

The relevance of URLs to users is up for debate. Tim Berners-Lee once urged developers to make URLs opaque (e.g. “venturebreak.com/1dyphqlhsj4h7f”) so users wouldn’t try to read meaning into them. In such a system it wouldn’t hurt to hide the path and file name, but since pages often don’t make it easy to navigate to related pages, a careful reading of the URL can still be useful.

To be clear, this is an experiment, so there’s no guarantee we’ll ever see anything like this in a release version of Chrome. And if we’re being realistic, it’s rather unlikely. It makes sense for a mobile browser like Safari for iOS to hide some of the URL to save screen real estate, but a desktop browser should show more.