Chrome to warn users about lookalike URLs
Google Chrome may soon warn users when they visit what Google calls lookalike URLs. Lookalike URL is a loose term for a site address that looks very similar to the domain of an authoritative or popular site.
Google does not seem to distinguish by purpose when it defines lookalike URLs: in testing, the Chrome feature displayed warnings for different types of URLs, e.g. URLs that were not registered but still looked similar to popular URLs, and also registered URLs that loaded a site when accessed.
Phishing attacks, a common Internet threat designed to steal account credentials and other important data, often use lookalike domain names to make the impersonation of a different site more effective.
Chrome: Navigation suggestions for lookalike URLs
Chrome's algorithm determines whether URLs are potential lookalike URLs. The web browser displays a "did you mean to go to [URL]" notification at the top of the page if the algorithm determines that the visited URL is likely not the user's intended target.
Isn't that what Chrome's phishing protection aims to do? Yes, and no. Phishing protection protects users against reported phishing sites, while the new security feature warns about sites that are potentially dangerous.
The security feature is currently hidden behind a flag. The flag is available in all versions of Chrome that Google supports, but it works only in Canary versions of the browser (maybe Dev as well, not tested).
Here is what you need to do to enable it:
- Load chrome://flags/#enable-lookalike-url-navigation-suggestions in the browser's address bar.
- Switch the status of the flag to Enabled (from default).
- Restart the Chrome web browser.
Chrome will display the "did you mean to go to" notifications when you visit a lookalike URL after the restart. Note that the browser does not catch all lookalike URLs but only select ones. Google is probably still working on the determination algorithm as it is not always clear why one URL is detected as a lookalike while another, very similar URL, is not.
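As an added illustration of the kind of check described above (example code written for this article, not Chromium's own implementation), the following Python models a lookalike decision as "the visited hostname is one edit away from a hostname the user already engages with, but is not that hostname". The engaged-site list is a constructed stand-in for locally stored site-engagement data, and the distance threshold of 1 is an assumption of this simplified model; Chrome's real algorithm is not published on this page.

```python
"""Simplified lookalike-hostname check (constructed example, not Chromium code).

Model: a navigated hostname is flagged when it is within an edit distance
of 1 of a hostname the user has engaged with, but is not itself one of
those hostnames. The engaged list stands in for locally stored
site-engagement data and is constructed here.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the user's locally stored engaged sites.
ENGAGED_SITES = ["google.com", "github.com", "paypal.com", "ghacks.net"]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution, or swap of two adjacent characters each cost 1."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def normalize_host(url: str) -> str:
    """Extract a lowercase hostname; accept bare hostnames and drop a
    leading 'www.' so that www.google.com and google.com compare equal."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def lookalike_suggestion(url: str, engaged=ENGAGED_SITES):
    """Return the engaged hostname the navigation probably meant, or None.

    Exact matches are never flagged (the user is where they meant to be).
    Among engaged sites within distance 1, the first match is suggested.
    """
    host = normalize_host(url)
    if not host or host in engaged:
        return None
    for known in engaged:
        if edit_distance(host, known) == 1:
            return known
    return None


if __name__ == "__main__":
    # Constructed sample navigations: a digit inserted, two letters swapped,
    # an exact engaged site, and an unrelated site.
    for visited in ["https://goo0gle.com/login", "http://gihtub.com",
                    "https://www.google.com/", "http://example.org"]:
        print(visited, "->", lookalike_suggestion(visited))
```

The check runs entirely on local data, which is the property the comments below debate: nothing in this model needs to leave the machine. A real implementation would additionally have to fold Unicode homoglyphs and punycode into a comparable skeleton, which this example deliberately leaves out.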
Closing Words
The feature is experimental at the time of writing, which means that Google may change it or remove it entirely in the future. The highlighting of lookalike URLs is mostly useful to inexperienced users in my opinion. It could prevent them from entering credentials and other important information on, or otherwise interacting with, these lookalike sites, provided that they act on the message rather than ignore it.
Now You: Is the lookalike URL warning a good thing?
That’s a very good security feature if it works correctly.
Hard to spot fake URLs (combined with some clever social engineering) are one of the most dangerous phishing avenues.
I used chrome://site-engagement/
It was fascinating. On my tablet, which only I use, there are many websites which I have never visited. None of them look as though they are malicious, they are just ones that are obviously about topics in which I have no interest. Can anyone explain this? Also, over what period of time does this default to?
The data is cleared with browsing history.
All of those domains you see have definitely been actively visited with the browser.
What this Chrome feature does is locally comparing the urls you put into your browser with the ones you visited.
‘Chrome’s algorithm determines whether URLs are potential lookalike URLs…’
Where is the source of data used by this Google algorithm?
Are the URLs ever sent to Google servers (like they are for ‘safe browsing’?)
Should the user connect to the unintended website, then AFTERWARDS Google questions? (backwards)
Why not just use Google’s DNS lookup, which already stores our URLs? (redundant)
When I’m unsure of a URL I ask Startpage or DuckDuckGo. They do the similar correction BEFORE me taking the risk going somewhere unintended. Notice many search engines embed the query in the URL (which Google can then store.)
Why not just ask trusty Facebook? /s
Safe Browsing does not send URLs, except when there’s a positive find.
Use both Pi-Hole & FF 51 or older, where the old legacy uBlock-Original still accepts many, many serious blacklists that block all look-alike URLs.
Block all known e100 Google networks at the firewall level and use software like an older version of NetLimiter that does not use Google to look up IPs and URL connection history... I’m using 40.39 with the dark grey skin to enjoy my labor... I’ve also blocked all known ‘hwcdn’ and ‘mcast’ network IPs as well.
Am running extremely fast and quiet using a minimal amount of data on a 50 mile ship to shore repeater
Such functionality should have a clear UI toggle, or be included in some option, like the safe browsing one, since it clearly involves sending your history to someone (Google?).
I agree with Yuliya.
Though finally the average schlub can get a benefit from Google’s spying.
It appears to be local.
Go to chrome://site-engagement/, there you see your most visited sites. Those sites get an engagement score.
The lookalike URL navigation suggestion algorithm is only triggered when a domain has such an engagement score.
Which probably means every time you visit a never-visited, suspicious domain that looks similar to a URL in your site engagement list, Google will offer a warning.
Since site engagement data is entirely local, I guess the algorithm is, too.
https://www.chromium.org/developers/design-documents/site-engagement
Ah, then this is good news, as I use Chromium myself :)
By what logic do you think it sends your history to Google? Maybe it’s a local algorithm flagging up punycode addresses and suggesting what the URL should be with the punycode stripped away?
goo0gle dot com is not exploiting punycode.