News
Computing Profession

A ­RLephant Emergency?

Posted
An elephant in the board room.
An elephant in the board room.
Long the "elephant in the room," a number of initiatives are seeking to address the issue of website identify and legitimacy.

One of the commonly accepted contextual meanings of the phrase "the elephant in the room" is that "the elephant" is a topic nobody wishes to discuss. So it may be with the prospects for supplying Internet users with tools that could better, more understandably indicate whether they were in danger of being exploited as they navigate online.

Google Chrome security engineer Emily Stark may have unintentionally opened the door to that quiet room in her presentation at January's Usenix Enigma conference. In a talk entitled "The URLephant in the Room," Stark outlined some of the ongoing issues with assuring a given website was legitimate or not. Overall, she said, the current state of website identity security is profoundly dysfunctional.

"Site identity on the Web is not a solved problem," Stark said. "In fact, I might even go so far as to say it's kind of an emergency, because our idea of how users understand site identity is completely and utterly broken."

Stark outlined several initiatives Google's Chrome security team are undertaking to address the issue, including the release of the open source TrickURI URL testing tool, to which Stark welcomed contributions from browser developers and security researchers elsewhere.

Stark's observations were seconded by several security experts.

"I agree with Emily's statement that site identity is an emergency problem," said Mark Nunnikhoven, vice president of cloud research at security vendor Trend Micro. "There's a significant disconnect between user expectation and reality."

"I definitely agree with Emily that site identity is a really difficult unsolved problem," said Joshua Franklin, president and co-founder of voting system security vendor OutStack Technologies.

However, both Nunnikhoven and Franklin said ascertaining URL identity was just one aspect of trying to solve site legitimacy recognition.

"This goes further than just URLs, but also extends to the domain name registry system, as well as security certificates," Nunnikhoven said, while Franklin added even more variables into the discussion.

"I would say different people have very reasonable disagreements on what site identity actually is," Franklin said. "Is it just the URL? Is it a combination of the URL and the IP address or the underlying hosting infrastructure? Because someone might use something like Akamai to very reasonably distribute the load of traffic coming to their website, and depending on how philosophical you want to get, they are accessing different versions of the website. So it is a legitimate question that we don't have an answer for."

Mum's The Word

Not only does the question lack an answer, but those who might be in the best position to lead or participate in a consensus effort to address site identity have reserved comment. Neither the Internet Engineering Task Force nor Mozilla Corp., developer of the Firefox browser, wished to comment for this story. The makers of the Opera browser did not reply to a request for comment, and Trend Micro's Nunnikhoven said a discussion including many points of view needs to happen.

"There's no easy solution to these issues, but the first step is getting the discussion started," Nunnikhoven said. "The Chrome team at Google has done a great job not only highlighting these issues, but also pushing forward potential solutions via the vast reach of their browser product. Unfortunately, we need a more diverse round of voices on the issues at hand. This can't be solved by the browser projects alone."

For instance, Nunnikhoven said, the proliferation of Top Level Domains (TLDs) in recent years has made it almost impossible for the average user to tell if a domain is from the organization to which they believe they have navigated, "Yet we still teach users this as a first line of defense against phishing.

"A more pragmatic approach is to use a strong email security gateway to check the URLs against a database of known bad destinations, have strong security scanning on the device visiting the URL, and to teach users to take additional steps to verify a destination if it asks you to take an action."

Franklin noted an example from his company's work in election security to illustrate how pernicious illegitimate URLs can be. In 2012, he said, they discovered a domain registered as democraticnationalcommittee.org purporting to represent the governing body of the Democratic Party in the U.S., was soliciting donations from site visitors. However, the actual URL of the Democratic National Committee is democrats.org.

"There wasn't anything malicious inside the actual URL," Franklin said, "so there was nothing weird or funky for the browser to make a decision on with the actual URL itself. That's a crazy hard problem."

Nibbling Around The Edges

Stark said "killing" or radically re-constructing the URL is not the intent of the Google research.

"We don't think URLs should change dramatically, or will ever go away under the hood of the Internet," she said in an email. "We want to help users understand site identity on the Web by making URLs as understandable as possible and supplementing them with additional security information when we can. People should know easily what site they're on, they shouldn't be confused into thinking they're on another site, and it shouldn't take advanced knowledge of how the Internet works to figure that out."

To the credit of the Chrome security team and colleagues elsewhere in the industry, tools such as TrickURI—which Stark said is intended for testing edge case URLs such as extra-long URLs, or those with right-to-left orientation, international domain names, or special characters—can help developers ensure they release legitimate code into the wild.

Google has published guidelines for URL display covering best practices and pitfalls for developers of URL user interfaces. Additionally, last year Microsoft launched a Chrome extension based on its own SmartScreen browser protection called Windows Defender Browser to help Chrome users avoid malware sites.

"If you click a malicious link in an email or navigate to a site designed to trick you into disclosing financial, personal, or other sensitive information, or a website that hosts malware, Windows Defender Browser Protection will check it against a constantly updated list of malicious URLs known to Microsoft," the tool's overview reads. "If the malicious link matches one on the list, Windows Defender Browser Protection will show a red warning screen letting you know that the Web page you are about to visit is known to be harmful, giving you a clear path back to safety with one click."

At the time the tool was released, security vendor Sophos explained on its Naked Security blog, "The simplest explanation of Microsoft's motivation for offering SmartScreen on Chrome is that it gives the company visibility on the bad stuff encountered by the 60% of the market that uses Chrome (Edge is around 4%). This, in turn, helps Microsoft's Office 365 Exchange email service offer better protection to compete with Google's rival G Suite."

Yet such tools beg the broader question of whether a more comprehensive—and persistent—community-wide discussion about site identity will emerge.

"The Internet is vast and names are rarely unique," Nunnikhoven said. "There's no easy solution to this issue, but the longer we ignore it, the worse the potential impact will be."

"Figuring out what site identity is, is going to potentially have Internet-wide consequences," Franklin said. "It's going to take some of the larger standards bodies to actually get involved."

However, Franklin cautioned, given the immensity of the task, Stark's presentation may not be the kick-off of something bigger after all.

"Even though the problem is large, the available pool of people to help contribute to solving it is essentially academics and a few people from large well-funded organizations. That is the way of research. You make a big splash with your initial presentation; a couple of news outlets contact you and you think you are solving all the problems in the world, then fewer and fewer people are interested in it over time—until you make another big update to it."

Gregory Goth is an Oakville, CT-based writer who specializes in science and technology.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More