Blinding users to URLs: Good or bad for security?

blindfold hat
Credit: Dale and Kim Schoonover

Security by obscurity?

The URL, or Uniform Resource Locator, has always felt like a leftover from the early age of the commercial Internet, an inelegant address for a specific website or (more inelegantly) a specific website page.

This has been especially true in recent years, when so much focus has gone into developing interfaces that are user-friendly. The URL, in essence, is the equivalent of displaying HTML code around text. Who needs to see that?

If Google goes through with a feature it's testing, soon nobody will have to be subjected to long, clunky URLs. A feature in Chrome Canary, the experimental version of the search giant’s web browser, eliminates the traditional long URL in favor of a small box to the left of the search omnibox that identifies for Chrome users the site they’re visiting.

Using this site as an example, let’s say you type in “citeworld.com” in the omnibox of the regular Chrome browser (or Firefox, or Internet Explorer). The text in the URL field will read “www.citeworld.com” (the address of this site’s homepage, or root domain). Do the same thing in Chrome Canary, and “citeworld.com” shows up (with no www.), but it gets placed in a light-blue box called the Origin Chip that pops up after you do your search.

So far it’s not really different than the old URL system. But let’s say you click on Nancy Gohring’s article on the Citrix Synergy conference. In the mature Chrome and competing browsers, here’s what you’ll see in the URL field when you get to the article:

http://www.citeworld.com/article/2151705/mobile-byod/citrix-ceo-mobile-first-cloud-first-is-duh.html

Using Chrome Canary with the Origin Chip enabled (more on that later), and you’ll be taken to the article, but the Origin Chip field still will merely read “citeworld.com”.

While it makes for a slightly less cluttered screen, the Origin Chip introduces a slight irritation: You can’t simply copy and paste a URL to email or text somebody. (The two ways around that are to click on the Origin Chip or right-click in the omnibox and select “Show URL.”)

You may prefer the traditional way URLs were displayed. If that’s the case, the good news is you don’t have to enable the Origin Chip. However, if you do want to try it out, just type “chrome://flags/#origin-chip-in-omnibox” in the omnibox and select either “Enabled; hides on click in the Omnibox” (that was my choice, and I haven’t looked back) or “Enabled; hides on input in the Omnibox.” You’ll be good to go.

Aside from aesthetics, Google’s new URL display (or non-display) feature raises some interesting security questions regarding phishing. As PCWorld’s Ian Paul explains, phishing scams rely on people misreading URLs that are made to look like addresses to legitimate sites, but which instead redirect them to a site where their information is stolen or their computers are infected by malware. Using a bogus PayPal URL as an example, Paul writes:

“Some people would see the long URL and fail to notice that the site was not PayPal at all. Arguably, the new shortened URLs in Canary would help since it would be more obvious that you were visiting Paypal.com-ripoff.ca than PayPal.com itself.”

That’s assuming the fake site’s URL makes it clear that users aren’t on the site they think they’re visiting.

The change is catching a lot of flak in some discussion threads around the web, but I’d say it’s about time.

What do CITEworld readers think? Can you live without the URL?

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies