Chrome 86 hinders phishing with very short URLs
Chrome 86 introduces security and performance improvements by way of DoH, mixed forms, domain-only URLs, and caching mechanisms.
In order to counter phishing attacks, Google will test heavily shortened URLs in the Chrome 86 release expected in October. The test will only affect certain users and will not affect company-registered devices.
In order to thwart phishing attacks, the Chrome 86 browser will hide a large part of a site’s URL. “We will be experimenting with an alternate method of displaying URLs in the address bar on desktop platforms,” Chrome Security Team members Emily Stark, Eric Mill and Shweta Panditrao wrote in an article published on 12 August on the company blog. “Our goal is to understand whether, in real-world use, by displaying shortened URLs, users can see if the site they’ve been directed to is malicious or not, and whether it protects them against phishing and social engineering attacks.”
Participants in the test, which will start when Chrome 86 is released on October 6, will be chosen at random. Emily Stark, Eric Mill, and Shweta Panditrao didn’t say how many Chrome 86 users, or what percentage of browsers, will see the experimental address bar. They clarified that enterprise devices would not be included in the experiment. Instead of displaying the full URL in Chrome’s address bar, the test will condense it to the “registrable domain”, as Google explained, in other words, the “most significant” part of the name. For example, if the full URL of an article from Le Monde Informatique is https://www.lemondeinformatique.fr/actualites/lire-la-crise-sanitaire-a-renforce-le-lien-dsi-et-decideurs-metiers-80091.html, then the registrable domain would be lemondeinformatique.fr.
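The elision described above can be approximated in a few lines. This is an added example, not Chrome's code or anything from the original article: the suffix set is a tiny constructed stand-in for the Public Suffix List, and every sample URL except the Le Monde Informatique one is constructed.

```javascript
// Added example (not Chrome's code): approximate the "registrable domain"
// that the Chrome 86 experiment shows in place of the full URL.
// SAMPLE_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const SAMPLE_SUFFIXES = new Set(["com", "net", "org", "fr", "uk", "co.uk"]);

function registrableDomain(rawUrl) {
  // The URL parser lowercases the host and drops userinfo, port, path and query.
  const host = new URL(rawUrl).hostname.replace(/\.$/, "");
  // IP literals have no registrable domain; show them unchanged.
  if (host.startsWith("[") || /^\d+(\.\d+){3}$/.test(host)) return host;
  const labels = host.split(".");
  // Scan from the longest candidate so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      // The host is itself a public suffix when i === 0: nothing registrable.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Suffix not in the sample list: treat the last label as the suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : host;
}

// Constructed sample URLs, plus the article's own Le Monde Informatique URL.
const SAMPLE_URLS = [
  "https://www.lemondeinformatique.fr/actualites/lire-la-crise-sanitaire-a-renforce-le-lien-dsi-et-decideurs-metiers-80091.html",
  "https://accounts.example.com.signin.example.net/session?next=%2F",
  "https://example.com@login.example.org/reset",
  "https://shop.example.co.uk:8443/basket",
  "http://192.0.2.10/status",
];

function elideAll(urls) {
  return urls.map((u) => ({ full: u, shown: registrableDomain(u) }));
}

for (const { full, shown } of elideAll(SAMPLE_URLS)) {
  console.log(`${shown}  <-  ${full}`);
}
```

The second and third samples show why the shortened form helps: a familiar name placed in a subdomain or in the userinfo part disappears, leaving only the domain that actually serves the page.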
An anti-phishing tool
According to the three Google engineers, showing only the domain could allow users who look at the address bar (which is not the case for everyone) to ensure that they are in the right place, and not on a malicious site to which they have been redirected without their knowledge. “There are a thousand ways to manipulate URLs to trick users about a website’s identity,” said Emily Stark, Eric Mill, and Shweta Panditrao. “It’s a common practice in phishing campaigns, social engineering attacks and scams of all kinds.” To support these arguments, the Chrome Security Team cited a 2020 research paper titled “Measuring Identity Confusion with Uniform Resource Locators” (of the nine authors of this paper, two are Google researchers and the others are from the University of Illinois at Urbana-Champaign).
To display the full URL, the user simply needs to move the pointer over the top of the address bar and let it hover for a short time while Chrome renders the URL in its full form. Chrome also offers a new right-click feature called “Always show full URLs,” which lets you configure the address bar to show the full URL of all sites.
Although Chrome 86 won’t be available in a final version (what Google calls a “Stable” version) for a few months, users can test the shortened URLs now using the Canary or Dev versions (now in Chrome 86).
To do this, type chrome://flags in the address bar, then set these two parameters to “Enabled” and relaunch the browser:
#omnibox-ui-reveal-steady-state-url-path-query-and-ref-on-hover
#omnibox-ui-sometimes-elide-to-registerable-domain
(Note that in Computerworld’s test, the macOS version of Chrome 86 Dev did not display the “Always show full URLs” item in the right-click menu.)
This isn’t the first time Google has changed how URLs display in Chrome’s address bar. Two years ago, Google dropped the “m” prefix for mobile versions and the “www” prefix, but the publisher eventually reinstated the latter.
Mixed Forms
You’re supposed to feel all safe, warm, and fuzzy inside when the site you are using has that notable lock icon by the URL showing its traffic is sent over HTTPS, right?
Sites you connect to over HTTPS can still be insecure by way of form submissions. Forms on an HTTPS site that are submitted over HTTP are known as ‘mixed forms’.
As we all know, data that is sent over HTTP is not encrypted and can be easily read by an attacker. Protecting your information is a three-step process:
- Chrome will prevent Chrome Password Manager from auto-filling sensitive information into the form.
- If the user begins typing data into the mixed form manually then a friendly warning message will be shown.
- Submitting data into a mixed form will send the user to a warning page which will allow them to override safety measures.
If that doesn’t stop you from unknowingly submitting information to a mixed form, I don’t know what will.
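Site owners can find their own mixed forms before Chrome's warnings reach users. This is an added example, not code from the original article or from Chrome: it resolves each form's action against the page URL and reports those that end up on plain HTTP. The regex tag scan is a simplification rather than a full HTML parser, and the markup and host names are constructed.

```javascript
// Added example: flag "mixed forms" (HTTPS page, HTTP form target).
// Regex tag scanning is a simplification, not a full HTML parser.
function formActions(html) {
  const actions = [];
  for (const [tag] of html.matchAll(/<form\b[^>]*>/gi)) {
    const m = tag.match(/\saction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    // A form without an action attribute submits to the page's own URL.
    actions.push(m ? (m[1] ?? m[2] ?? m[3]) : "");
  }
  return actions;
}

function findMixedForms(pageUrl, html) {
  const page = new URL(pageUrl);
  // Only a page loaded over HTTPS can contain a mixed form.
  if (page.protocol !== "https:") return [];
  return formActions(html)
    .map((action) => new URL(action, page)) // resolves relative and //host actions
    .filter((target) => target.protocol === "http:")
    .map((target) => target.href);
}

// Constructed sample markup covering the common ways an action is written.
const SAMPLE_PAGE = `
<form action="/login" method="post"></form>
<form action="http://forms.example.net/subscribe" method="post"></form>
<form action='//cdn.example.org/search'></form>
<form method="post"></form>
<FORM ACTION=http://legacy.example.com/pay method=post></FORM>`;

const mixed = findMixedForms("https://www.example.com/account", SAMPLE_PAGE);
console.log(mixed);
```

Relative, protocol-relative and missing actions inherit the page's HTTPS scheme, so only the two absolute `http://` targets are reported.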
URL Shortening
Google’s plan for this technique is to see if presenting URLs in a certain manner will help the user realize they’re on a malicious site. They hope it will help protect us from phishing and social engineering attacks.
It will take time to know if the technique is a success because data will need to be aggregated. It makes sense to only show the root URL because the lock and the domain itself are very obvious at that point.
Most phishing and social engineering attacks execute on domains that are obscured by the text around them.
With Google’s good intentions and all the data that can be aggregated from this feature, I think they will find the right balance between presenting useful information to the end-user about the current domain and protecting them from certain attacks.
In Conclusion
With Chrome being the most used browser around the globe, the focus has to remain on the end user as the product develops. It is an update like this that keeps them in 1st place.
If Google continues to deliver balanced features that protect the end-user while decreasing the complexity of browsing the web, it will stay far in front of competitive browsers in a league of its own.