Uniform resource locators, better known as URLs, are the addresses we use to access websites. And they are so much a part of the internet that it’s difficult to think about websites without them.
So in September, it may have been a shock to many when Google’s security team said it was rethinking URLs as a means of site ID.
The problem, according to Google’s Chrome security team, is that URLs as we know them leave us vulnerable to certain attacks. Long and confusing URLs can trick us into visiting a phishing site that poses as a legitimate address. Encrypted addresses can deceive visitors into thinking a site is legitimate when it’s actually malicious. Scammers can deceive web users by changing some easy-to-miss detail in the URL (e.g., Yah0o vs. Yahoo).
The Chrome security team is attempting to tackle the problems inherent in URLs, in steps. Currently, they are kicking off efforts with an open-source tool called TrickURI, a program that aims to identify URLs which deviate from standard practices (in terms of how their site information displays). They also are working on a system that tags suspect URLs to display warnings to users about potential malicious content.
Chrome’s team acknowledges that URLs can in fact work very well for some users,but that methods of site identification could do a better job of communicating the safety and security of a site, rather than leaving it to the user to piece together that they’ve followed a misleading URL.
Businesses with online operations, of course, are not going to want to wait for internet companies to start changing site ID methods before they tackle cybersecurity problems in their employee base. Instead, education about cyber hygiene should remain a top priority, and all staff should understand how to avoid situations online that could lead to a data compromise.