Phishing—the practice by which hackers and the like attempt to get login data and access credentials out of individuals by offering up links to websites that may appear to be trusted sites, but are traps to get users to try and log in independently—has been a problem for quite some time now. A new development currently being tested at Google, meanwhile, may serve as a means to help, and in a surprisingly simple fashion: by calling attention to just one part of a URL, the part that may give away a phishing attempt in progress.
With the new version—still really only an experiment for now as part of the Canary version of Chrome—the domain part of the URL is the only thing that's shown. This is the part that really means something to the average user; as Chrome developer advocate Jake Archibald notes, the rest of the URL is really just “noise”. But what this means to the user is a great way to help spot a potential phishing attack in the offing.
Basically, phishing attacks depend on the user not being able to tell that the part of the domain that only should be noise is actually a much larger part of the domain itself, or is somehow otherwise wrong. But with this breed of Chrome, being able to tell that something is off about a domain name is much easier, and users in turn will be better able to make the determination that something is unusual, and thus keep away.
However, this experiment doesn't come without a note of controversy. Some out there do look at URLs, and this particular experiment can hamper that by forcing users to click on the origin chip—the little box at the top of the page containing the URL in question—to display the full URL. Some have even suggested that the URL in question be fully displayed, but that everything after the domain should be blurred instead, thus allowing easier access to the URL, but keeping up the idea of just showing the domain to make phishing easier to spot.
The problem here, of course, is that space in the browser bar—particularly for mobile devices—is scarce real estate and therefore must be carefully allocated. While the idea is a good one, as many users really won't need the full URL, it's worth sparing a thought for those who do need the entire URL, and so instead what might work better is another compromise altogether. Offer both versions in one browser: one in which the full URL is displayed, and one in which the domain is displayed and the full URL can be shown at a click. But make the ability user-selectable, and put the control to switch between versions in the options menu. Set it so that the “domain only” version is the default setting—clearly, most users will be going this route—but make “full URL display” an easily accessible tab in the options menu. That would seem to be the best choice here, as it accommodates the bulk of users as a default mechanism, but also makes the more specialist option available for users who may need or want access to it.
Still, it's an excellent idea, and one that might well help fend off its share of phishing efforts. Taking advantage of the basic user knowledge trait that most of the URL is noise can really help distinguish between a trusted URL and a fake, so making that distinction might prove very helpful.
Edited by Maurice Nagle