Published in https://www.wired.com by Lily Hay Newman 04/09/18
Google’s Chrome browser turns 10 today, and in its short life it has introduced a lot of radical changes to the web. From popularizing auto-updates to aggressively promoting HTTPS web encryption, the Chrome security team likes to grapple with big, conceptual problems. That reach and influence can be divisive, though, and as Chrome looks ahead to its next 10 years, the team is mulling its most controversial initiative yet: fundamentally rethinking URLs across the web.
Uniform Resource Locators are the familiar web addresses you use every day. They are listed in the web’s DNS address book and direct browsers to the right Internet Protocol addresses that identify and differentiate web servers. In short, you navigate to WIRED.com to read WIRED so you don’t have to manage complicated routing protocols and strings of numbers. But over time, URLs have gotten more and more difficult to read and understand. As web functionality has expanded, URLs have increasingly become unintelligible strings of gibberish combining components from third parties or being masked by link shorteners and redirect schemes. And on mobile devices there isn’t room to display much of a URL at all.
The resulting opacity has been a boon for cyber criminals who build malicious sites to exploit the confusion. They impersonate legitimate institutions, launch phishing schemes, hawk malicious downloads, and run phony web services—all because it’s difficult for web users to keep track of who they’re dealing with. Now the Chrome team says it’s time for a massive change.
“People have a really hard time understanding URLs,” says Adrienne Porter Felt, Chrome’s engineering manager. “They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone—they know who they’re talking to when they’re using a website and they can reason about whether they can trust them. But this will mean big changes in how and when Chrome displays URLs. We want to challenge how URLs should be displayed and question it as we’re figuring out the right way to convey identity.”
If you’re having a tough time thinking of what could possibly be used in place of URLs, you’re not alone. Academics have considered options over the years, but the problem doesn’t have an easy answer. Porter Felt and her colleague Justin Schuh, Chrome’s principal engineer, say that even the Chrome team itself is still divided on the best solution to propose. And the group won’t offer any examples at this point of the types of schemes they are considering.
The focus right now, they say, is on identifying all the ways people use URLs to try to find an alternative that will enhance security and identity integrity on the web while also adding convenience for everyday tasks like sharing links on mobile devices.
“I don’t know what this will look like, because it’s an active discussion in the team right now,” says Parisa Tabriz, director of engineering at Chrome. “But I do know that whatever we propose is going to be controversial. That’s one of the challenges with a really old and open and sprawling platform. Change will be controversial whatever form it takes. But it’s important we do something, because everyone is unsatisfied by URLs. They kind of suck.”
The Chrome team has been thinking about URL security for a long time. In 2014, it tried out a formatting feature called the “origin chip” that only showed the main domain name of sites to help ensure that users knew which domain they were actually browsing on. If you wanted to see the full URL, you could click the chip and the rest of the URL bar was just a Google search box. The experiment garnered praise from some for making web identity more straightforward, but it also generated criticism. Within a few weeks of showing up in a Chrome pre-release, Google paused the origin chip rollout.
“The origin chip was Chrome’s first foray into the space,” Porter Felt says. “We discovered a lot about how people think about and use URLs. [But] frankly, the problem space proved harder than we expected. We’re using the feedback that we received back in 2014 to inform our new work.”
Similarly, Tabriz notes that the team faced a lot of pushback for its HTTPS web encryption initiative. Chrome’s transition to treat encrypted websites as standard and call out unencrypted sites as insecure seemed radical at first. But the team collaborated with other browsers and tech companies to spread the change across the web and promote encrypted connections that protect user privacy. “Something as basic as HTTPS, everyone in the security community agrees it’s good,” Tabriz says. “But you make a change and people freak out. So whatever we do here I know it’s going to be controversial. It just takes a long time.”
Porter Felt says the group will be more ready to talk publicly about its ideas this fall or in the spring. And the group notes that the goal isn’t to upend URLs haphazardly, but to enhance a vision that is already in place, given that entity identification is foundational to the overall security model of the web. But coming from a company as influential as Google, and one with such powerful vested interest in how people browse and use the web, community scrutiny of any proposal Google puts forth will be crucial.
As Emily Stark, a technical lead at Chrome, puts it, the project is the URLephant in the room.