Incident Response, TDR

Users, experts divided over replacing URLs with domains in new Chrome

If URLs are replaced with domains in the next version of Google Chrome – known as Canary – then phishing attacks via malicious websites could end up being a little easier to spot.

The feature has yet to be finalized, let alone incorporated, but the idea is that by making the switch, less savvy web users will better notice when they are directed to harmful websites because the malicious domains will not look right.

Smart phishers use awkward-looking domains because, when loaded into a browser's URL bar, their malicious sites appear as the authentic websites they are trying to imitate – thus making it easier for them to compromise unassuming targets.

Jake Archibald, a developer advocate working at Google, refers to the issue as “noise” – meaning lengthy URLs have too much going on in them for non-technical users to know the difference between an authentic URL and a malicious one.

In a Sunday post, Archibold said that he recently received a highly authentic looking phishing email that almost got him to cough up a set of his credentials. He just barely avoided falling into the trap after noticing something off about the URL.

“[T]he browser could be doing a better job to save me,” Archibold wrote, showing a side-by-side example of a real URL against a phishing URL in a regular browser, and then showing a real URL against a phishing URL in the Canary browser.

The malicious website is far easier to spot in the Canary browser.

In a Monday email correspondence, John LaCour, founder of PhishLabs, told SCMagazine.com that only showing the domain in the web browser does have the potential to reduce the number of phishing attack victims, but added that it is not a solution.

“Google doesn't claim the change is a panacea for phishing and our experience has shown that there are still a large number of people who will ignore any visual indicators about the trustworthiness of the site they're visiting,” LaCour said. “We don't expect it to dramatically reduce the prevalence of phishing attacks.”

In a Monday email correspondence with SCMagazine.com, Aaron Higbee, CTO of PhishMe, agreed that people tend to overlook visual security indicators in their browsers, be he said that the concept could work if tweaked properly.

“I can see a benefit to the end-user by keeping the entire URL intact, but putting a visual focus on the root domain,” Higbee said. “Focusing on the root domain can be beneficial for users. This could remove an obfuscation tactic some phishers use.”

The idea is not entirely original – when introducing iOS 7 last year, Apple replaced URLs with domains in the mobile version of Safari.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.