In September of last year, Google announced that it intended to do away with URLs, but did not yet know how. Web addresses have become longer and more unintelligible strings of text, and they can jeopardize user information, because users can confuse a fraudulent site with an official page. The company believes that they are not a good way to convey the identity of a site and therefore wants to "question how the links should be displayed and discover the correct way to identify each web page", as Adrienne Porter, Chrome's chief engineer, explained to Wired at the time. Four months later, the time has come to take action, and there are already two viable proposals to start the process.
For the time being, the main security measure for telling a genuine URL from a fraudulent one rests with users. "The web security model is based on trusting that they understand web addresses and know how to identify them," explained Emily Stark, head of the applied security team at Google, during the Enigma 2019 cybersecurity conference on Tuesday. "But in reality they are not very good at it." It can be difficult to differentiate between GOOGLE.COM and G00GLE.COM. That is why the company's team is focused on finding ways to detect URLs that seem to deviate in some way from reliable ones. The key to this is an internal open source tool called TrickURI, which helps developers verify that web addresses are accurate and consistent.
Apart from TrickURI, the company is also working on warnings for Chrome users when an address seems potentially fraudulent. The alerts are still in internal testing. "There is a lot of work to be done, the big challenge is to show the parts of the addresses that are relevant to user security and filter out all the additional components that make the URLs difficult to read," Stark adds.
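The GOOGLE.COM versus G00GLE.COM confusion described above can be checked mechanically. The following is an added example, not code from Google, Chrome or TrickURI: a minimal lookalike-hostname check in Python, in which the trusted list, the confusable-character map and the one-edit threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment would use the user's own trusted sites.
TRUSTED = ("google.com", "example-bank.com")

# Constructed, deliberately small map of characters often mistaken for letters.
CONFUSABLE = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c",                 # Cyrillic er, es
})

def host_of(url):
    """Lowercased hostname with punycode (xn--) labels decoded to Unicode."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    labels = []
    for label in host.rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave an undecodable label unchanged
        labels.append(label)
    return ".".join(labels)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    host = host_of(url)
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    for good in TRUSTED:
        # Simplification: compare as many trailing labels as the trusted name
        # has; real code would find the registrable domain via the Public Suffix List.
        tail = ".".join(host.split(".")[-good.count(".") - 1:])
        if edit_distance(tail.translate(CONFUSABLE), good.translate(CONFUSABLE)) <= 1:
            return ("lookalike", good)
    return ("unknown", None)
```

A "lookalike" result is a candidate for a warning rather than a verdict, since legitimate domains can sit one edit away from each other.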
Google's goal is not to break the Internet or reinvent the way people navigate it, but to make things a little more difficult for cybercriminals. As the web has expanded, addresses have become chains of letters, numbers and special characters that combine third-party components or codes for counting visits. Hidden in all that gibberish are combinations of symbols whose meaning no one really knows.
The situation is further complicated when visiting pages from mobile devices, where there is no space to show much of the URL, and when addresses appear shortened, which hides the complete composition of the address. Google is fully aware of this situation, yet it has a web address shortening service of its own that is still active.
All this has made accessing a website an opaque process, a breeding ground for cybercriminals to build fake pages that imitate the official ones, deceive users and take their data. They pretend to be legitimate institutions, automatically start virus downloads and launch impersonation schemes, a practice also known as phishing.
This scam has already been identified as one of the main cybersecurity threats for this year. It consists of making an exact copy of, for example, a bank's page and getting users to visit it and enter all their data. The criminals keep the information and can then use it to access the real page. All because it is difficult for users to keep track of who they are dealing with.
This is not the first time that Google has decided to modify URLs. In 2014, the technology company tried to replace the entire link with the name of the page to help ensure that users knew what domain they were browsing. Anyone who wanted to see the full URL could click on it and see all the information. The experiment received praise from some for making web identity more direct, but it also drew criticism. A few weeks after it appeared in a Chrome pre-release, Google changed its mind.