
You'll hate Google's experimental Chrome UI, but so will phishers

Phishers might have a tougher time hooking victims if a new feature introduced into the experimental strain of Google's Chrome browser makes it into a future full release. The "origin-chip" feature cleans up Chrome's omnibox – or address bar – by removing lengthy URLs and replacing them with just the domain name shorn of "http …

COMMENTS

This topic is closed for new posts.


Silver badge
Stop

Stop this madness now

Having a domain name highlighted in a different colour isn't good enough?

It's only a matter of time before all controls are replaced with a single big red button which says 'Do stuff'. With beautiful detailed rounded corners, of course.

50
4
Bronze badge
Joke

Re: Stop this madness now

It's only a matter of time before all controls are replaced with a single big red button which says 'Do stuff'. With beautiful detailed rounded corners, of course

If it has rounded corners, Apple will sue.

9
5
Silver badge

Re: Stop this madness now

You mean until they decide that colours, corners and obvious buttons are too distracting and turn it into a discreet 8x8 pixel monochrome button that shows up only if you mouseover?

8
0
Silver badge

Re: Stop this madness now

Just highlighting the domain in a different colour is what I thought the moment I saw this. It's really the perfect compromise; why didn't they realize that?

4
0
Anonymous Coward

Re: Stop this madness now

Hey, we already have that button, or so our clients seem to think when they bring in a complex proposal and expect it to be done five minutes ago!

2
0

Re: Stop this madness now

That demands the domain name actually be shown in a different color which at present necessitates a much more expensive certificate. Or are we to have a rainbow of colors for those using EV SSL and those using plain SSL and those that are unencrypted and those with an expired certificate? Meanwhile users see the phishing domain name beside a secured padlock that they've been taught means the connection is encrypted.

Personally, I think that so long as this can be (1) turned off, and (2) when clicked on shows the full URL, it's potentially a good thing.

0
0
Bronze badge

Re: ThomH

And to make it even better, change the icon from a well known, 20 year old pictorial reference of a button, to a back flipping orangutan, because focus groups considered it a more appropriate reference image.

(The reference is to Windows 8 settings icons not matching anything else remotely related to settings, printers, screens or this planet)

8
0
Silver badge

Re: R11

What I'm saying is, the browser should just highlight the text that is the part of the URL that is the FQDN. This is completely independent of what the certificate says it is valid for (assuming there is a cert at all. This should work without a cert)

EDIT: someone below pointed out they do this already (FQDN in black, rest in grey). Apparently though the contrast is not enough for my aging eyes :(

0
0
Silver badge
Joke

Re: Stop this madness now

>>"turn it into a discreet 8x8 pixel monochrome button"

Which people will still claim looks better on their post-Retina resolution iPad 8.

Might as well throw in a serious point whilst I'm posting:

"Browsers stopped showing the username / password part of URLs because it made phishing too easy. This is a natural progression."

I don't want my browser to hide the username / password part of the URL. If it does that, how will I know to back away from the astonishingly stupid site and never go there again?

3
0

Good thing

For the feeble-minded, tech-oblivious people. The people who don't need this will find the option to disable it.

12
8
Silver badge

Re: Good thing

While there is an option to disable it, Chrome has a habit of 'streamlining' things by burying options they don't want used ten sub-menus deep (e.g. Import/Export bookmarks from HTML. Used to be only a click away and easy as mince, but then came along 'store your settings in the Cloud by signing up for a Google+ account...')

19
1
Bronze badge

Re: Good thing

For the feeble-minded, tech-oblivious people. The people who don't need this will find the option to disable it.

Well, barring for the moment that this is in fact an article about Google's Chrome browser, I think you might find the ability to either "disable" or "revert" becoming ever more challenging upon each new weekly release of a certain other browser that is trying its damnedest to be Chrome.

3
0
Silver badge

Re: Good thing

How does being ignorant regarding a certain technology make you feeble-minded?

6
0
JDX
Gold badge

Re: Good thing

>>How does being ignorant regarding a certain technology make you feeble-minded?

Nerds like to feel superior to people, just like everyone else with self-doubt issues; they just have to work harder to find anyone to look down on.

2
0
poh

If this change ever does get taken up, perhaps it will finally encourage phishers to make better use of homograph attacks.

4
0
Silver badge

>>"If this change ever does get taken up, perhaps it will finally encourage phishers to make better use of homograph attacks."

Is it me or is there a note of disappointment in your post at the technical lack of phishers today? It almost begs for a follow-on sentence beginning: "In my day, we'd spend hours researching the CEO's personal life to craft the perfect Spear Phishing attempt. And we'd have to handle the SMTP transfer manually. At both ends!"

2
0
Silver badge

Anti-phishing could be done in other ways

e.g. putting the domain in bold, or highlighting a URL in a warning colour if it contains fragments of other domains in its user / pass or path.

5
1
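The checks this thread keeps circling back to (show only the FQDN, warn when a known domain turns up in the user:pass part or the path, flag non-ASCII hosts that could be homographs) as a small Python illustration. This is added example code, not part of the article or of any commenter's post; PROTECTED_DOMAINS and the sample URLs are constructed for the demo.

```python
from urllib.parse import urlsplit
import ipaddress

# Hypothetical brands a mail filter or proxy wants to protect from look-alikes.
PROTECTED_DOMAINS = ("yourbank.com", "nhs.uk")


def effective_host(url: str) -> str:
    """Return the FQDN the browser connects to: scheme, user:pass, port,
    path and query are stripped, which is what the origin chip would show."""
    if "://" not in url:
        url = "http://" + url        # bare host typed into the address bar
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def _is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def analyse(url: str) -> dict:
    """Return the displayed host plus warning flags for the tricks the
    thread mentions: a protected domain hidden in the user:pass part
    (userinfo_decoy) or in the path/query (path_decoy), a non-ASCII host
    that may be a homograph (nonascii_host, with its punycode), and a
    bare IP address instead of a name (ip_literal)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = effective_host(url)
    flags = set()

    userinfo = f"{parts.username or ''}:{parts.password or ''}".lower()
    tail = f"{parts.path}?{parts.query}".lower()
    for dom in PROTECTED_DOMAINS:
        if _is_under(host, dom):
            continue                 # genuinely on the brand's own site
        if dom in userinfo:
            flags.add("userinfo_decoy")
        if dom in tail:
            flags.add("path_decoy")

    punycode = host
    if any(ord(c) > 127 for c in host):
        flags.add("nonascii_host")
        try:
            punycode = host.encode("idna").decode("ascii")
        except UnicodeError:
            punycode = "<invalid idna label>"
    try:
        ipaddress.ip_address(host)
        flags.add("ip_literal")
    except ValueError:
        pass
    return {"host": host, "punycode": punycode, "flags": sorted(flags)}


if __name__ == "__main__":
    # Constructed sample URLs in the shapes the commenters describe.
    print(analyse("http://www.yourbank.com:login@dodgy-site.example/secure"))
    print(analyse("http://dodgy-site.example/yourbank.com/login"))
```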
Bronze badge

Re: Anti-phishing could be done in other ways

The domain is ALREADY in bold.

1
0
Silver badge

Re: Anti-phishing could be done in other ways

The domain is shown in black, not bold. The remainder of the path is shown in grey. The protocol is only shown if it's https (in green for valid).

0
0

Re: Anti-phishing could be done in other ways

Well, I've had to go and look, been using Canary for months, and yes, you're right, it's black, and the rest of the URL is grey, but if you hadn't told me it was the case I'd never have noticed, so obvious fail on the UI there...

0
0

Re: Anti-phishing could be done in other ways

@TestMan

Well, I'd not noticed till today; both FF and Chrome show the domain in solid black and grey the rest. (Apparently other browsers are available for the less tech savvy who would benefit most, so I checked MSIE10 YES! and Safari (Windows vsn) NO!)

Now surely someone can find a tweak buried somewhere in FF/Chrome to make domain bold red.

0
0
JDX
Gold badge

Re: Anti-phishing could be done in other ways

They still make Safari for Windows?!

0
0

Overall it smells like: the URLs are unneeded as we (google) deliver them for you now (and whoever pays adsense and the likes)

13
1
Silver badge

You're right, Google takes money from people who wish to scam the general public. Take this example, where I searched Google for EHIC. This is a card it is prudent for me to have when travelling to EU countries other than my own, since it represents a reciprocal healthcare agreement between EU member states. It is free of charge from the UK government. The first three results are:

The European Health Insurance Card has replaced E111. Apply Online.

www.e111.eu/

This is effectively a scam, since they will try and charge me £20 for applying for the free EHIC card on my behalf.

Apply for a free EHIC card - Healthcare abroad - NHS Choices

www.nhs.uk/NHSEngland/Healthcareabroad/EHIC/.../about-the-ehic.asp...

This result might be legitimate, but I can't tell from the Google page, since the address is truncated.

European Health Insurance Card (EHIC)

https://www.ehic.org.uk/

This site is legitimate, but a lay user might find it simpler to tell if it ended with .gov.uk

* * *

Scam sites similar to the first result exist for other UK Gov services, such as passports and driving licenses.

Of course, user education is a part of the solution... perhaps by including a clear and simple message on all Government letters about .gov.uk sites.

Another part of the solution would be to tell Google that if they wish to operate in the UK they shouldn't be complicit in scamming UK citizens. The government's role is, in part, to play shepherd against the wolves of free enterprise.

23
3
Bronze badge

But why are they a scam?

You and I might consider them a scam, but what defines that? The post office do the same thing, they will charge you to apply for an EHIC card because they also offer a "check and send service" the same as these companies.

There are also visa agencies across the world who will process visa applications for you for a fee when you could get them cheaper or free elsewhere. The difference is they provide a service where they know the easy way to do bulk applications, not get hit by further bureaucracy from banana republics, get visas quickly or get 'enhanced' visas to visitors.

Many people will use these services and pay the premium knowing about the alternatives because they do sometimes provide a valuable service.

So should Google ban a legitimate service? Should they decide which ones they feel provide sufficient extra value? Should they ban the Post Office from doing this service?

Or should they just wait until a court/trading standard etc decide they are illegal and then remove them?

8
6
Gav

"Wouldn't use them myself" <> scam

Your problem is you are labelling something as a scam, simply because you see no value in it, and wouldn't use it personally. These can be legitimate services that some people may wish to pay for. Some people hate, or are bad at, form filling. Some people have literacy problems, or do not feel comfortably fluent enough in any applicable language. Some people are just lazy/busy. All may want "an expert" to do it for them and are happy to pay for that.

The example you give looks to me to be quite upfront about what they are doing, and what you can get for free elsewhere. It may "fool" some people into thinking they have to pay and are doing it through official channels, but only if those people don't read what's in front of them in plain language. And maybe those are exactly the people who maybe can't be trusted to fill in the form themselves.

However you are correct, there are other far shadier outfits doing this, or similar, that do amount to scams.

1
9
Silver badge

Re: "Wouldn't use them myself" <> scam

"Your problem is you are labelling something as a scam, simply because you see no value in it"

No they are scam because they charge people money for something people can have for free. They're a scam because they use adwords and search engine optimization to divert people away from the official site so they can skim a fee out of people.

12
5
Silver badge

Re: "Wouldn't use them myself" <> scam

For that matter you might label accountants as scammers because they charge you to file taxes where you could do it for free yourself.

Many of these crews are scammers, but not all.

5
2
Bronze badge

Re: "Wouldn't use them myself" <> scam

I can stand in front of any store, office or station and ask for a fee for you to enter... If I never say you're obliged to pay me, and never say I'm acting on the store's behalf... have I done anything illegal or dishonest?

No.

Have I done anything of value?

No.

Thus, while not a lie, I was a "scam", as I appeared to be acting on behalf of the store, office or station to take fees for entrants/users/services. When in fact, I was pretending to be a middleman. At the least I was pointing to a door to guide you to a destination you already saw. At least windscreen washers actually DO wash the windscreen, instead of asking for a fee when it rains. :P

2
3

Re: "Wouldn't use them myself" <> scam

Also... They're a scam because they employ considerable passing off techniques; similar typography and design (much like grocery manufacturers do to market leaders).

If they're morally dubious and adding no value, then they're probably scammers.

This is now getting more mainstream coverage in the UK -- for instance Money Box on Radio 4. From what I see of this change to the market-leading web browser -- Chrome -- this is simply going to aid the scammers, so expect a lot more of the "I've been conned" stories in the future.

0
0
Bronze badge

pointless

This assumes that those who're not tech savvy will see what happens to that second URL and realize they're on a fake site. I very much doubt that.

Anything short of a big popup warning 'This site may be a fake' won't be understood.

The problem with dumbing down, hiding the full URL and so on is that over time, the average web user is going to become further and further removed from the actual workings of the web - even the basics of what a URL is and how to enter it directly into a browser by typing. The URL bar will go completely next, as users just follow links from Google and don't need to type or see the raw URL. I suspect this is really where Google is going with this - even more control over how users get to their destinations.

9
0

Re: pointless

It's common for people trying to get to a web site to type the address into the Google search box, rather than the address bar. It's difficult to overestimate how clueless the average user is.

12
2
Silver badge

Re: search box / address bar

What I really hate are browsers that merge them. I like to be certain that what I intend as a url is treated as a url and what I intend as a search be treated as a search.

21
2
Bronze badge

Re: pointless

"the average web user is going to become further and further removed from the actual workings of the web"

That started with DNS and then later with multihomed clients in HTTP 1.1; no longer can you be sure of typing in your trusty 173.194.41.151 address to get to Google search, you get abstracted out to google.co.uk and don't even get to see the original IP.

However most people would think it is a good thing, but the web will continue to evolve into abstracting the inner workings away from the user as it transitions into a simple consumer tool.

2
3
Silver badge

Re: search box / address bar

I wish I could upvote you again.

4
0
tfb

Re: search box / address bar

Well, Google's browser is always going to do that: as far as it is possible they want everything you type to be a search so that they get to see it. If you don't want that you need to use a browser which isn't Chrome (which you probably are doing).

It's also significant that this "show the domain part of the URL" thing is happening too late for many purposes: by the time you realise that the site you have just visited isn't where you thought it was it is very often too late: they've already seen you. What you need is for the domain to be obvious before the browser actually starts talking to the server, and (for instance) google search results don't seem to do that very well, which isn't actually very surprising I suppose. Of course, it can still, perhaps, save you from further trouble.

4
0
Silver badge

Re: people trying to get to a web site to type the address into the Google search box

Only started happening after Google introduced the feature in their search tool. Before that even the most clueless user LEARNED the difference.

Where's the GET OFF MY LAWN icon for us old farts?

3
0
Bronze badge

Re: pointless

It's difficult to overestimate how clueless STUPID the average user is.

FTFY!!!!

0
0
Silver badge

Re: pointless

>You and I might consider them a scam, but what defines that? The post office do the same thing, they will charge you to apply for an EHIC card because they also offer a "check and send service" the same as these companies.

The Post Office charge a modest fee for their trained staff to VALIDATE (not VERIFY) your passport application as you wait, so that obvious errors (unfilled fields, signatures beyond the boundary box, you resemble your photo etc) don't result in a delay of several days.

You are comparing that to Web Form Vs Web Form + £20?

Okaay....

>Your problem is you are labelling something as a scam, simply because you see no value in it, and wouldn't use it personally.

Ditto. And... I have a problem?

0
1
Bronze badge
Facepalm

Don't use Chrome?

2
0
Devil

...and lo 'n behold the rest of the browsers are to follow suit.

5
0
Joke

Hogwash --- I doubt very much that Lynx will ever do this.

3
0

Since I scan every URL I "might" click looking for malformed URLs that take me to advertisers or phishing sites I think it's a good move. You can read more about the way I scan URLs at

http://www-theregister.co.uk/readallaboutit/

I think.

3
1
Bronze badge

Never click links for banks etc in emails

I have received some emails from my bank that are legitimate and then I've also received a lot of phishing emails claiming to be my bank. I treat them both the same and check all URLs by hovering over with the mouse. If, after that, I'm still uncertain I'll manually enter the website address in my browser. If there isn't anything relating to the email when I login then I'd assume it's a phishing email and forward it to the bank's phishing email address.

5
0
Silver badge
Thumb Up

Re: Never click links for banks etc in emails

Yes, couldn't agree more. Set your mail client to display content in plain text too. It's much harder to hide iffy links that way.

6
0
Silver badge

@PaulR79 "Never click links for banks etc in emails"

Indeed. However, I would go further. If my bank were to be so brain-dead as to send me an e-mail that required any kind of active action by me they would get the most tremendous rocket from me over the phone. In all fairness they have shown no signs of doing anything like that.

4
0
Bronze badge

Re: Never click links [snip] in emails

Security-by-mouseover

[a href="dodgy-site.com" onmouseover="status.text='YourBank.com';"]visit YourBank.com[/a]

1
1
Bronze badge

Re: @PaulR79 "Never click links for banks etc in emails"

Banks do this all the time. Ever had a phone call from your bank that starts "I just need to ask you some security questions to confirm your identity"?

Also (in the UK) with the 3Dsecure standard. Notice the web address that you get redirected to is not your bank, or visa/mastercard, or the original site. Yep, it's just a 'random' address with the word secure in it that you have to trust is not the site you were on trying to phish your information (or someone else inserting themselves in the middle).

When you look at the OTT requirements of the PCI standards and compare it with the insecure workings of the bank it makes you wonder if it's "one rule for them and one rule for the rest of us".

6
0
Silver badge

Re: @PaulR79 "Never click links for banks etc in emails"

I keep the login URLs to all web services along with the passwords; and always use my local link to get to the site. Makes me near-impossible to phish even if I'm not concentrating.

3
0
Silver badge

Re: Never click links for banks etc in emails

I don't even hover over the links. If they want me to do something, I either type it in myself or I use my locally stored bookmarks.

3
0
