Google has abandoned an experimental plan to hide certain URL elements in Chrome due to a failure to move “relevant security metrics” during testing.
The browser-maker has been attempting to simplify URLs in the ‘omnibox’ – Chrome’s address bar – for years, starting with the removal of “trivial subdomains” in 2018, although this was rolled back due to developer backlash.
This was followed by an announcement that the ‘www.’, ‘m.’, and ‘https://’ elements would be removed from the address bar through an update released in 2019 – a move that also proved controversial.
In March 2020, the tech giant attempted to compromise by introducing an experimental feature that allowed users to choose between either simplified or full URLs.
In a Chromium thread describing the research, the team said the experiments were focused on improving security – in particular, citing URL display patterns as an inadequate defense against phishing attempts and social engineering.
“We’re implementing this simplified domain display experiment so that we can conduct qualitative and quantitative research to understand if it helps users identify malicious websites more accurately,” the developers said.
“If the results show that this simplified domain display does help protect users from attacks, then we’ll make a decision about whether to ship it to all users, balancing user feedback with the security considerations.”
Prototype coding changes were tested in labs, surveys were performed, and the Chrome team said a small percentage of users acted as a test base to “understand if it helps protect them from phishing”.
The latest real-world experiment was launched in August 2020 via Chrome 86.
It appears, however, that this attempt to simplify the omnibox for security reasons has gone awry. In a revised tracker post dated June 7, Chrome software engineer Emily Stark said, “this experiment didn’t move relevant security metrics, so we’re not going to launch it”.
Options to show simplified URLs have now been removed from the browser.
Criticisms
While Google insisted such changes would be potentially beneficial for end users by reducing confusion and their risk of exposure to phishing, critics pointed to looming issues in DNS setups, accidental obfuscation, and domain masking.
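To make the “accidental obfuscation” criticism concrete, here is an added example (not Chrome’s code, nor anything from the Chromium thread) of a naive simplified-domain display that drops the scheme and a leading ‘www.’ or ‘m.’ label, the elements named in the 2019 announcement, together with a check that reports which distinct origins end up shown as the same string. The `simplifyDisplay` and `findCollisions` names and the sample URLs are constructed for this illustration; example.com is a reserved documentation domain.

```javascript
// Added example (not Chrome's implementation): a naive "simplified domain"
// display that strips the scheme and one leading "www." / "m." label,
// plus a check for which distinct origins collapse to the same display.

const TRIVIAL_LABELS = ["www", "m"]; // labels the 2019 change proposed to hide

// Return the simplified string a user would see for a given URL.
function simplifyDisplay(rawUrl) {
  const url = new URL(rawUrl);
  const labels = url.hostname.split(".");
  // Drop one leading trivial label, but never reduce the name below two labels.
  if (labels.length > 2 && TRIVIAL_LABELS.includes(labels[0])) {
    labels.shift();
  }
  return labels.join(".");
}

// Group URLs by their display string. Any group holding more than one
// distinct origin is a case where the display hides a difference that
// the browser's same-origin model and DNS still treat as significant:
// http vs https, and www./m. subdomains vs the apex name, which need not
// resolve to the same host at all.
function findCollisions(urls) {
  const byDisplay = new Map();
  for (const raw of urls) {
    const origin = new URL(raw).origin;
    const shown = simplifyDisplay(raw);
    if (!byDisplay.has(shown)) byDisplay.set(shown, new Set());
    byDisplay.get(shown).add(origin);
  }
  const collisions = {};
  for (const [shown, origins] of byDisplay) {
    if (origins.size > 1) collisions[shown] = [...origins].sort();
  }
  return collisions;
}

// Constructed sample input (hypothetical URLs on a documentation domain).
const SAMPLE_URLS = [
  "https://www.example.com/login",
  "http://example.com/login",
  "https://m.example.com/",
  "https://example.com/",
  "https://docs.example.com/",
];

console.log(findCollisions(SAMPLE_URLS));
```

Running it shows four different origins all rendered as `example.com`, while `docs.example.com` is left alone; the point for a defender is that the simplified display throws away exactly the scheme and hostname information that origin-based security decisions, certificate validation and DNS resolution still depend on.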
Speaking to The Daily Swig, CyberSmart CEO Jamie Akhtar said the experiment was an attempt to reduce “cognitive load” in what is often a congested online experience and to make it easier for end users to spot malicious domains.
In Akhtar’s view, these experiments should continue, but for now, human intuition and technological solutions such as DNS filtering will have to do.
‘A good start’
Steve Ritter, CTO at identity verification provider Mitek, told The Daily Swig that the trial was a “good start”, but that as “user feedback showed this approach wasn’t working in their interest [or] making them feel safer, simplifying URLs cannot be seen as beneficial to security”.
“With the right technologies in place, digital service providers – messaging apps, mobile manufacturers, email providers, or mobile networks – could warn us when we’re on a suspicious website, rather than attempting to make it easier for us to spot ourselves,” Ritter added.
“Businesses must tap into what’s easiest and most intuitive for customers to truly protect them from fraud.”
Source: https://portswigger.net/daily-swig/google-abandons-plans-to-simplify-urls-in-chrome-following-real-world-testing