• GOOGLE TAKES ITS FIRST STEPS TOWARD KILLING THE URL
  • Author: Wired.com
  • The Nuggets translation Project
  • Permanent link to this article: github.com/xitu/gold-m…
  • Translator: jerryOnlyZRJ
  • Proofreader: oshinoOugi, Kikooo

Last September, members of Google’s Chrome security team made a radical proposal: eliminate web addresses as we know them. The researchers aren’t actually advocating changing the underlying infrastructure of the web. They do, however, want to redesign the way browsers present the sites you’re looking at, so you don’t have to deal with ever longer and harder-to-understand web addresses and the scams that keep springing up because of them. During a presentation at the Enigma Security Conference in the Bay Area on Tuesday, Emily Stark, head of Chrome’s user security team, addressed the controversial proposal, detailing Google’s first steps toward more robust site identity.

Stark stressed that Google is not trying to cause chaos by eliminating URLs. Instead, it wants to make it harder for hackers to take advantage of users’ confusion about a site’s identity. For now, the endless haze of complex URLs allows attackers to carry out effective scams. They can create malicious links that appear to point to legitimate websites, but in fact automatically redirect victims to phishing pages. Or they can design malicious pages whose web addresses look just like the real ones, and victims can fall for it if they don’t notice they’re on G00gle and not Google. In response to so many spoofs, the Chrome team has launched two projects aimed at giving users some clarity.

“What we’re really talking about is changing the way logos are presented,” Stark told WIRED. “It should be easy for people to know what site they’re on, and they shouldn’t be misled into thinking they’re on another site. Users don’t need to have a particularly specialized knowledge of how the Internet works to solve this problem.”

So far, the Chrome team has focused on figuring out how to detect web addresses that deviate in some way from standard practice. The foundation for this is an open-source tool called TrickURI, released in conjunction with Stark’s conference talk, that helps developers check that their software consistently displays URLs accurately. The goal of the tool is to give developers test cases so that they know how URLs will be rendered to users in different situations. In addition to TrickURI, Stark and her colleagues are working on a warning for users when they visit a URL that could be a phishing page. These features are still being tested internally, because the tricky part is developing heuristics that correctly flag malicious sites without flagging legitimate ones.

For Google users, the first line of defense against phishing and other online scams remains the company’s secure browsing platform. But the Chrome team is exploring additions to secure browsing, specifically for flagging suspicious URLs.

“The heuristics we use to detect misleading URLs include comparing characters that look similar to each other and domain names that differ from each other by only a few characters,” Stark said. “Our goal is to develop heuristics that keep attackers from using misleading URLs, and one of the biggest challenges is to avoid tagging legitimate domain names as suspicious. That’s why we’re slowly releasing it as an experimental feature.”
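The two checks Stark describes, look-alike characters and domains a few characters apart, can be sketched as follows. This is an added example, not Chrome's heuristic or TrickURI code; the protected-domain list, the confusables table and all function names are constructed for illustration.

```javascript
// Added illustration; not Chrome's implementation. All data below is constructed.
const PROTECTED = ["google.com", "paypal.com", "wired.com"]; // hypothetical watch list

// Tiny constructed confusables table: look-alike character -> canonical character.
// Includes ASCII digits and Cyrillic a/o/e, which render like their Latin twins.
const CONFUSABLES = { "0": "o", "1": "l", "3": "e", "5": "s",
                      "\u0430": "a", "\u043e": "o", "\u0435": "e" };

// Map a hostname (Unicode display form) to a skeleton in which look-alikes compare equal.
function skeleton(host) {
  return [...host.toLowerCase()].map((c) => CONFUSABLES[c] ?? c).join("");
}

// Levenshtein distance: minimum number of single-character edits between a and b.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Decide whether a hostname deserves a "did you mean ...?" style warning.
function classify(host, maxEdits = 1) {
  const h = host.toLowerCase().replace(/^www\./, "");
  if (PROTECTED.includes(h)) return { verdict: "ok", reason: "exact match" };
  const sk = skeleton(h);
  // Pass 1: identical once look-alike characters are folded (G00gle vs Google).
  for (const target of PROTECTED) {
    if (sk === skeleton(target)) return { verdict: "warn", reason: "confusable", target };
  }
  // Pass 2: within a few edits of a protected name (gooogle vs google).
  for (const target of PROTECTED) {
    if (editDistance(sk, skeleton(target)) <= maxEdits) {
      return { verdict: "warn", reason: "near-miss", target };
    }
  }
  return { verdict: "ok", reason: "no similar protected domain" };
}

for (const h of ["g00gle.com", "p\u0430ypal.com", "gooogle.com", "www.google.com", "wires.com"]) {
  console.log(h, JSON.stringify(classify(h)));
}
```

`wires.com` is one edit away from `wired.com` and is flagged as well, which is the false-positive problem the article describes.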

Google says it has not yet started offering the warnings to the general user base while the Chrome team improves these detections. While web addresses may not change much in the near future, Stark stressed that there is still a lot of work to be done on how to get users to focus on the important parts of web addresses and on improving the way Chrome presents site identity. The biggest challenge is to show people the parts of the URL that are relevant to their security and online decisions, while somehow filtering out all the extra components that make the URL difficult to read. Browsers also sometimes need to help users by expanding shortened or truncated URLs.

“The whole project was very challenging because URLs now work very well for certain people and usage scenarios, and a lot of people like them,” Stark said. “We are excited about the progress we are making with our new open source URL-display tool, TrickURI, and the warning feature we are still exploring for URLs that could be confused.”

The Chrome security team has taken on many internet-wide security problems before, developed fixes for them in Chrome, and then used Google’s weight to encourage everyone to do the same. Over the past five years, this strategy has been particularly successful in promoting the widespread adoption of HTTPS web encryption. But critics of this approach worry that Chrome’s power and ubiquity, which can be used for positive change, can also be misused or abused. For something as basic as a URL, critics worry that the Chrome team will use the opportunity to change the way site identity is displayed into something that favors Chrome but doesn’t actually benefit the rest of the web. Even seemingly minor Chrome changes have a major impact on the web community.

Moreover, the trade-off of such ubiquity is dependence on risk-averse corporate customers. “Web sites online often don’t convey a level of risk that users can quickly identify, but as Chrome is adopted by more and more enterprises, not just ordinary users, their ability to revolutionize visibility and the underlying security architecture will be reduced by customer pressure,” says Katie Moussouris, founder of Luta Security, a firm that specializes in vulnerability disclosure. “It’s not just the heavy responsibility of keeping people safe, but also minimizing the loss of original features, improving usability and backward compatibility.”

If this sounds like particularly confusing and frustrating work, that is the point. The question then will be how the Chrome team’s new ideas work in practice, and whether they actually end up making you safer on the Internet.

Correction, Jan. 29, 10:30 p.m.: This article originally said TrickURI used machine learning to parse URL samples and test for suspicious URLs. It has been updated to reflect that the tool evaluates whether software consistently displays URLs accurately.
