The feature has been in the works for quite some time at Google and is a response to the practice of using typosquatted domains or IDN homograph attacks to lure users on websites they didn’t intend to access.
For example, crooks often register misspelt versions of popular domains, such as paypall.com, or they’d use domains with Unicode characters like coịnbạse.com to host phishing pages and steal users’ credentials.
But since the release of Chrome Canary 70, Google engineers have been testing a new feature called “Navigation suggestions for lookalike URLs.”
In Chrome Canary distributions –Google Chrome’s testing ground for new features– users can access the following URL to enable the feature:
Once enabled, this new mechanism will show a dropdown panel under the Chrome address bar, asking the user if he really meant to type and access that URL, which Chrome deemed dangerous due to its close resemblance with a more legitimate site.
This Chrome flag is also present in the stable version of Chrome, but in our tests, it failed to detect the same URLs that Canary picked up, meaning Google engineers are still fine-tuning their lookalike URL detection system before its official release.
It is unclear when this feature will officially ship, but it must be really close to being finalized, seeing that a Google Chrome engineer gave a presentation about it yesterday, January 29, at the USENIX Enigma conference held in the US.