{"id":7306,"date":"2018-09-05T14:50:09","date_gmt":"2018-09-05T18:50:09","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=7306"},"modified":"2020-08-25T11:47:54","modified_gmt":"2020-08-25T15:47:54","slug":"googles-plan-to-kill-the-url-is-a-golden-opportunity-for-certificate-authorities","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/googles-plan-to-kill-the-url-is-a-golden-opportunity-for-certificate-authorities\/","title":{"rendered":"Google\u2019s plan to kill the URL is a golden opportunity for Certificate Authorities"},"content":{"rendered":"<h2>Who is better equipped to assist in authenticating website identity than CAs?<\/h2>\n<p>Google wants to kill the URL. <a href=\"https:\/\/www.wired.com\/story\/google-wants-to-kill-the-url\/\" target=\"_blank\" rel=\"noopener noreferrer\">That\u2019s the headline from Wired<\/a>. As Google Chrome turns 10 and looks to the future, its next target will be Uniform Resource Locators, or URLs.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-7310\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Www-Internet-Icon-Favicon-With-226211749-300x300.jpg\" alt=\"Google\u2019s plan to kill the URL is a golden opportunity for certificate authorities\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Www-Internet-Icon-Favicon-With-226211749-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Www-Internet-Icon-Favicon-With-226211749-768x768.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Www-Internet-Icon-Favicon-With-226211749-1024x1024.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Www-Internet-Icon-Favicon-With-226211749.jpg 1600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Most people just know URLs as web addresses. The term URL is actually a bit of a misnomer because in this context we are referring to a very specific kind of URL. Typically a URL is used in conjunction with a website, but they can also be used for file transfer, email and database access.<\/p>\n<p>On a technical level, URLs are associated with IP addresses. Generally people are familiar with IPv4 addresses, they look something like this:<\/p>\n<pre>97.76.174.114.<\/pre>\n<p>But remembering a string of numbers (or something even more complicated in the case of IPv6) for every website you want to visit would be prohibitively difficult for all but the most precise of memories. So in 1994, the inventor of the world wide web, <span style=\"text-decoration: line-through;\">Al Gore<\/span> Tim Berners-Lee defined URLs in <a href=\"https:\/\/tools.ietf.org\/html\/rfc1738\" target=\"_blank\" rel=\"noopener noreferrer\">RFC 1738<\/a>. We have used them to navigate the internet ever since.<\/p>\n<p>So why does Google want to kill the URL and why is this a major opportunity for certification authorities?<\/p>\n<p>Let&#8217;s hash it out&#8230;<span id=\"newline\"><\/span><\/p>\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n<h2>Why does Google want to kill the URL?<\/h2>\n<p>The average internet user <a href=\"https:\/\/www.thesslstore.com\/blog\/report-70-us-employees-lack-strong-knowledge-privacy-security-best-practices\/\" target=\"_blank\" rel=\"noopener noreferrer\">does not know a whole lot about web security<\/a> or what to look for when visiting a website. We are keenly aware of this because every week nearly 5,000 people read our <a href=\"https:\/\/www.thesslstore.com\/blog\/5-ways-to-determine-if-a-website-is-fake-fraudulent-or-a-scam\/\" target=\"_blank\" rel=\"noopener noreferrer\">guide on how to spot a fake website<\/a>. So, asking users to know what to look for within the URL itself is not going to yield good results.<\/p>\n<p>In fact, just <a href=\"https:\/\/www.thesslstore.com\/blog\/eliding\/\" target=\"_blank\" rel=\"noopener noreferrer\">displaying the URL<\/a> is a problem for browsers, <a href=\"https:\/\/www.thesslstore.com\/blog\/eliding-and-origin-ui\/\" target=\"_blank\" rel=\"noopener noreferrer\">especially with their mobile versions<\/a>.<\/p>\n<p><em><strong>RELATED: <\/strong><\/em><a href=\"https:\/\/www.thesslstore.com\/blog\/ios-origin-display\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>How popular iOS apps display URLs<\/em><\/a><\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/eric-lawrence-08522b38\/\" target=\"_blank\" rel=\"noopener noreferrer\">Eric Lawrence<\/a>, a former Googler currently in his second stint with Microsoft, has written about a concept that is extremely informative when trying to understand browser security and where Google is coming from on this. It\u2019s called the <a href=\"https:\/\/textslashplain.com\/2017\/01\/14\/the-line-of-death\/\" target=\"_blank\" rel=\"noopener noreferrer\">line of death<\/a>. The idea is this: the browser can only control the top of the window, none of the pixels below the so-called line of death can be trusted.<\/p>\n<blockquote><p>If a user trusts pixels above the line of death, the thinking goes, they\u2019ll be safe, but if they can be convinced to trust the pixels below the line, they\u2019re gonna die.<\/p><\/blockquote>\n<p>One of the things that Lawrence, the browser community as a whole and specifically Google have realized though is that some (for lack of a better term) attacker data does make it above the line of death.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7307 size-full\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/Line-of-Death.png\" alt=\"Example Domain\" width=\"720\" height=\"293\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/Line-of-Death.png 720w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/Line-of-Death-300x122.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/p>\n<p>The web page\u2019s title and icon (1) are controlled by the website itself. But the more problematic area is the address bar. As we already covered, people really don\u2019t understand URLs. And hackers and cyber criminals are <a href=\"https:\/\/www.thesslstore.com\/blog\/unicode-domain-phishing\/\" target=\"_blank\" rel=\"noopener noreferrer\">acutely aware of this<\/a> and <a href=\"https:\/\/www.thesslstore.com\/blog\/gone-phishing\/\" target=\"_blank\" rel=\"noopener noreferrer\">use it to their advantage on a near constant basis<\/a>.<\/p>\n<p>This is an example of a URL:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7308\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/url-tss.jpg\" alt=\"Google\u2019s plan to kill the URL is a golden opportunity for certification authorities\" width=\"1192\" height=\"171\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/url-tss.jpg 1192w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/url-tss-300x43.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/url-tss-768x110.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/url-tss-1024x147.jpg 1024w\" sizes=\"auto, (max-width: 1192px) 100vw, 1192px\" \/><\/p>\n<p>Ideally, people could look at the domain itself and get a sense of website identity. But again, as we mentioned earlier, the reality is that browsers can\u2019t rely on their users to discern a legitimate URL from a fake one.<\/p>\n<p>Website identity continues to be a major issue.<\/p>\n<blockquote><p>&#8220;People have a really hard time understanding URLs,&#8221; <a href=\"https:\/\/www.wired.com\/story\/google-wants-to-kill-the-url\/\" target=\"_blank\" rel=\"noopener noreferrer\">Adrienne Porter Felt, Chrome&#8217;s engineering manager told Wired<\/a>. &#8220;They\u2019re hard to read, it\u2019s hard to know which part of them is supposed to be trusted, and in general I don\u2019t think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone\u2014they know who they\u2019re talking to when they\u2019re using a website and they can reason about whether they can trust them. But this will mean big changes in how and when Chrome displays URLs. We want to challenge how URLs should be displayed and question it as we\u2019re figuring out the right way to convey identity.&#8221;<\/p><\/blockquote>\n<h2>Google doesn\u2019t have any idea what to replace URLs with<\/h2>\n<p>The problem Google is facing is that it doesn\u2019t exactly have a URL replacement handy. It knows a change needs to be made but it doesn\u2019t know what that change should be.<\/p>\n<p>Right now Google says its main focus is just identifying all the ways people use URLs.<\/p>\n<p>Eventually, the idea will be to replace the URL with something that is not only more user-friendly, but that also enhances security and provides authenticated website identity information.<\/p>\n<blockquote><p>&#8220;I don\u2019t know what this will look like, because it\u2019s an active discussion in the team right now,&#8221; <a href=\"https:\/\/www.wired.com\/story\/google-wants-to-kill-the-url\/\" target=\"_blank\" rel=\"noopener noreferrer\">said Parisa Tabriz<\/a>, the director of engineering at Chrome. &#8220;But I do know that whatever we propose is going to be controversial. That\u2019s one of the challenges with a really old and open and sprawling platform. Change will be controversial whatever form it takes. But it\u2019s important we do something, because everyone is unsatisfied by URLs. They kind of suck.&#8221;<\/p><\/blockquote>\n<p>This is not the first time Google has tried something like this. Back in 2014 it briefly tried to replace URLs with \u201c<a href=\"https:\/\/www.cnet.com\/news\/google-test-hides-web-addresses-in-chrome\/\" target=\"_blank\" rel=\"noopener noreferrer\">origin chips<\/a>\u201d that only displayed the domain name. But it paused on that before it ever got to an official release because of push-back from users.<\/p>\n<p>Lately Google&#8217;s initiatives to change the web have gone a little more smoothly, as evidence by its <a href=\"https:\/\/www.thesslstore.com\/blog\/google-chrome-68-https-mandatory\/\" target=\"_blank\" rel=\"noopener noreferrer\">push to mandate HTTPS<\/a> earlier this year. And even before announcing its intentions, Google was already tinkering with URLs. It announced plans to <a href=\"https:\/\/www.thesslstore.com\/blog\/google-will-remove-the-secure-indicator-in-september\/\" target=\"_blank\" rel=\"noopener noreferrer\">phase out showing the protocol at the beginning of the URL with Chrome 69<\/a>, which is literally being rolled out to its users as you read this.<\/p>\n<p>Per Porter Felt, Google plans to speak publicly about its plans to further deprecate the URL either this Fall or next Spring.<\/p>\n<h2>Google\u2019s plan to kill the URL is a golden opportunity for certification authorities<\/h2>\n<p>At the heart of any changes to the use of URLs will be the need to assert <a href=\"https:\/\/www.thesslstore.com\/blog\/london-protocol\/\" target=\"_blank\" rel=\"noopener noreferrer\">website identity<\/a>. This has never been more crucial than it is right now with <a href=\"https:\/\/www.thesslstore.com\/blog\/1-4-million-new-phishing-websites-created-every-month\/\" target=\"_blank\" rel=\"noopener noreferrer\">phishing at an all-time high<\/a> and a range of malicious actors using <a href=\"https:\/\/www.thesslstore.com\/blog\/study-effective-phishing-emails-create-sense-urgency\/\" target=\"_blank\" rel=\"noopener noreferrer\">social engineering to phish<\/a> and defraud internet users.<\/p>\n<p>Perhaps no industry is better suited to assist in authenticating various identities \u2013 end entity ID, machine ID, website ID, corporate ID \u2013 than the Certificate Authorities that issue digital certificates.<\/p>\n<p>There has already been a push to <strong>decouple business authentication from SSL<\/strong>, the thinking being that SSL\/TLS serves its function as a security mechanism but struggles with the authentication aspects. This would be the perfect opportunity to fix that.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-7311\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Id-Card-Vector-Icon-On-White-B-241248778-300x300.jpg\" alt=\"Google\u2019s plan to kill the URL is a golden opportunity for certificate authorities\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Id-Card-Vector-Icon-On-White-B-241248778-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Id-Card-Vector-Icon-On-White-B-241248778-768x768.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Id-Card-Vector-Icon-On-White-B-241248778-1024x1024.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Id-Card-Vector-Icon-On-White-B-241248778.jpg 1600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>CAs already have the infrastructure built out to validate businesses and other entities, helping them to assert their corporate and web identities.<\/p>\n<p>Let\u2019s put that to use finding a replacement for URLs that can both enhance security while also helping businesses and organizations assert their identity in a way that is unmistakable to internet users.<\/p>\n<p>Obviously, not every website would need extensive authentication, but there are myriad businesses and other organizations that could make ample use of a mechanism that more visibly confirms their identity to its customers or users.<\/p>\n<p>Authenticating identities is probably not something most of the browser community would want to take responsibility for. While Microsoft, Apple and Google all have the resources to do it, putting together that kind of apparatus would take considerable time. It also seems fairly out of scope for all three corporations.<\/p>\n<p>No, authentication would need to be outsourced, and the CA industry is in perfect position to step into that role.<\/p>\n<p>There would still be a lot of work that needs to be done. Regardless of whether it\u2019s decoupled from SSL\/TLS or not, Extended Validation needs to be strengthened. And we would need to find a way to display the information that avoids name collisions or confusion over which entity you\u2019re transacting with. But this is a golden opportunity for certificate authorities to realize a new future where identity continues to exist at the core of everything we do.<\/p>\n<p>The future may be calling, now it&#8217;s time to figure out if we&#8217;re ready to answer.<\/p>\n<p><em>As always, leave any comments or questions below&#8230;<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7276\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg\" alt=\"Hashed Out by The SSL Store is the voice of record in the SSL\/TLS industry.\" width=\"1559\" height=\"407\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg 1559w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-300x78.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-768x200.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg 1024w\" sizes=\"auto, (max-width: 1559px) 100vw, 1559px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Who is better equipped to assist in authenticating website identity than CAs? Google wants to kill the URL. That\u2019s the headline from Wired. As Google Chrome turns 10 and looks&#8230;<\/p>\n","protected":false},"author":6,"featured_media":7309,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[164,1018,131,1019],"class_list":["post-7306","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-certificate-authorities","tag-eliding","tag-google","tag-urls","post-with-tags"],"views":23333,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Search-Bar-With-Www-Text-Web-226570972.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=7306"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7306\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/7309"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=7306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=7306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=7306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}