Feeds

You'll hate Google's experimental Chrome UI, but so will phishers

What do you want: Better security or long URLs?

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

Phishers might have a tougher time hooking victims if a new feature introduced into the experimental strain of Google's Chrome browser makes it into a future full release.

The "origin-chip" feature cleans up Chrome's omnibox – or address bar – by removing lengthy URLs and replacing them with just the domain name shorn of "http://" and "www". There's also the "origin chip" that produces the full URL.

Apple introduced a similar arrangement in Safari on iOS 7.

Google has tested the feature in beta versions of Chrome, but users didn't care for it and it was subsequently relegated to a default "off" state in later updates to the experimental Chrome fork, "Canary".

Much opposition to the feature centred on disorientation it caused to users who wandered lost on the internet unsure of what pages they were perusing, despite that URLs can be viewed with a click.

Google Chrome's own front-end developer Paul Irish chipped in with his distaste for the feature despite its anti-phishing function and adding its future was shaky.

"We're looking at a few key metrics to see if this change is a net positive for Chrome users. I imagine it may help defend against phishing," Irish said in a forum post.

"My personal opinion is that it's a very bad change and runs antithetical to Chrome's goals. I hope the data backs that up as well."

Opposition from users would "certainly" impact the feature's future, he said.

But fellow Chrome dev Jake Archibald backed the feature and said it would have saved him from nearly losing his bank details to a phishing site.

"Find someone who doesn't work in tech, show them their bank's website, and ask them what about the URL tells them they're on their bank's site. In my experience, most users don't understand which parts of the URL are the security signals," Archibald wrote.

"Browsers stopped showing the username / password part of URLs because it made phishing too easy. This is a natural progression."

Activate Origin

Archibald's card was nearly taken by clever phishers who established a mock Halifax.co.uk website which replaced forward slashes in the legitimate URL with full stops.

When rendered in the experimental browser, Canary sings an alarm in the form of a whopping big origin box.

But with so much opposition from Chrome power users and Google's own developers, combined with its relegation to a default off state, origin-chip's days seem numbered. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.