
Google resumes its attack on the URL bar, hides full addresses on Chrome 86 - atriix
https://www.androidpolice.com/2020/08/13/google-resumes-its-senseless-attack-on-the-url-bar-hides-full-addresses-on-chrome-canary/
======
scott_s
Something I haven't seen anyone here bring up yet: many URLs _are_ meaningless
to humans past the domain. For an example, look at the top of this page. The
only semantic meaning in the URL for this post is `news.ycombinator.com`. The
rest, `item?id=24156986`, is meaningless to a human. (But, of course,
meaningful to HN's backend.) A lot (most?) of the URLs on the web are not
_semantic_. They're naked application look-ups. I claim that for this current
page, there's no meaningful loss of information by just showing the domain.

But some URLs _are_ semantic. I think losing those would lose useful
information for human readers. If we could perfectly know which URLs have
useful semantic information for users and which don't, and then only present
those with full semantic meaning, I wouldn't mind much.

Main point: I see people saying things like "these designers think people are
too stupid to understand URLs." But that ignores that some URLs are not
actually meaningful to anyone.

Anticipated responses:

1. You _are_ losing information by taking off the "application lookup" part:
the information that an application lookup was made. Fair enough. But I claim
it's a small loss.

2. We can never perfectly separate out the URLs with useful semantic
information. Which, also probably true. But I think we can do a decent job,
and as long as the full URL is present when I mouse-over it, I probably
wouldn't object.

~~~
worble
>The rest, `item?id=24156986`, is meaningless to a human

Removing URLs is throwing the baby out with the bathwater though. Take Stack
Overflow for an example:

[https://stackoverflow.com/questions/53302536/vue-test-utils-how-to-test-a-router-push](https://stackoverflow.com/questions/53302536/vue-test-utils-how-to-test-a-router-push)

The only thing you need to actually get to the question is
[https://stackoverflow.com/questions/53302536](https://stackoverflow.com/questions/53302536),
but they _intentionally_ add an extra human readable section for laypeople.

If google actually cared about making the internet a better place, they would
simply rank human readable urls higher than non-human readable ones.

~~~
bzb4
That extra human readable section is not added for humans. It’s added for SEO.
That is, for Google.

~~~
rchaud
The URL structure is usually mirrored on the actual website by way of
clickable breadcrumbs or as navigational information architecture.

People understand slashes indicate folders and directories, even though
database-driven CMSes do not use folder structures. They can figure out that
they can go one level from "example.com/cars/toyota" by removing the
"/toyota"

~~~
baby
I don’t agree with the breadcrumb mirroring. It’s orthogonal. You can have
breadcrumb or not and it wouldn’t matter to the user if it mirrors the url or
not.

------
donor20
Wow - top posts are conspiracy theories. "The only reason to do this..." "This
is a security issue..."

Google has millions / billions of users. From a security standpoint the focus
should be entirely on the root domain, that is the only really meaningful root
of trust.

If you are talking about a security issue - the KEY security issue is ANY lack
of clarity around root domain.

"Showing the full URL may detract from the parts of the URL that are more
important to making a security decision on a webpage." is a statement they
have around this change.

I think I agree - I suspect other browsers will have to copy chrome (again) in
de-emphasizing the leading URL (often used for phishing).

Folks seem to miss the fact that google chrome was a minor competitor
initially to IE - and their focus on things like ... security ... helped them
become absolutely dominant. A fair number of enterprises have (finally)
started a slow, slow switch to mandating chrome.

~~~
badwolf
My first thought when reading this was relief... For my mother.

I've spent most of my adult life trying to teach my parents to look at the
address bar to make sure they're on bankofamerica.com and not some random
phishing domain. That kind of falls apart though when it's...
bankofamerica.comm.phishingdom.com/{random filler}/bankofamerica/user/login

HN users are fantastic at thinking all technologies should revolve around
their niche use case.

~~~
dgb23
The root domain is highlighted in FF. This must be enough for visual testing.

If you want a more reliable approach then you need to work with a whitelist
and clear warnings.

~~~
summerlight
I wouldn't assert it without strong evidence. This URL comprehension problem
is probably more complex than what people usually think. There are a number of
studies about this issue, if you're interested.

[https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf](https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf)
[https://kumarde.com/papers/urls.pdf](https://kumarde.com/papers/urls.pdf)

~~~
dgb23
Thank you for those! Side question:

I don't have a formal education in CS, but I really enjoy reading papers on
programming (languages), architecture, data-engineering and web related things
among others, especially when they have a practical focus/impact.

Is there a good way for me to find or rather discover resources like these?

~~~
automatoney
Not sure about filtering for practical focus/impact but
[https://arxiv.org/](https://arxiv.org/) is an amazingly useful and
informative repository of papers that you might like. Also google scholar is
good, but more general.

------
polote
The title is misleading and people don't read the article.

Chrome is not hiding the bar address, it is only showing the domain in normal
times, and showing the full url when you hover the bar

Personally I find it better for non technical people, because they can focus
on the domain only. For tech people you have the option to keep the full url
visible at all time, which fixes the issue.

As for people complaining about AMP, this is something different, which has
nothing to do with displaying only the domain, but instead "showing the real
domain when you are on a google AMP page"

~~~
sschueller
Sorry but if you can't teach non technical users new things they shouldn't be
100 meters near a computer.

It will result in even more technical debt and people with overconfidence
thinking that they know what they are doing.

We don't need to idiot proof the world. We need to educate the idiots.

~~~
tbodt
Unfortunately this doesn't scale to a billion idiots

------
kats
They're just trying to prevent phishing. Remember when the DNC was hacked?

Employees at the DNC were linked to sites that looked exactly like the Google
sign-in page, except that the URL was
"myaccount.google.com-securitysettingpage.tk".

picture of the phishing website:

[https://security.stackexchange.com/questions/189688/does-google-check-for-unicode-characters-to-determine-spam-now-in-gmail](https://security.stackexchange.com/questions/189688/does-google-check-for-unicode-characters-to-determine-spam-now-in-gmail)

From interviews, it seems like there's two features Chrome developers are
working on to try to prevent these kinds of attacks. One is to hide the subdomain
so that people can't make such tricky looking URLs. Another is a feature to
identify lookalike URLs and let users know about the anomaly.

sources:

[https://www.nytimes.com/interactive/2017/01/06/us/russian-hack-evidence.html](https://www.nytimes.com/interactive/2017/01/06/us/russian-hack-evidence.html)

[https://p3isys.com/p3isys-tech-blog/153-podestahack](https://p3isys.com/p3isys-tech-blog/153-podestahack)

[https://www.wired.com/story/google-chrome-kill-url-first-steps/](https://www.wired.com/story/google-chrome-kill-url-first-steps/)

~~~
_ink_
How exactly does it help to prevent phishing from domains like
my-google-account.tk?

~~~
jkrems
(Disclaimer: Work at Google but not affiliated with our security team or with
Chrome.)

Those URLs have to actually contain the name of the brand in the thing that is
being registered with the domain registrar. Which is a _lot_ easier to find
and proactively shut down than things in subdomains which may only be visible
once a specific URL gets resolved (wildcards etc.).

------
AnonHP
I get emails from some banks with instructions to spot phishing. One of those
is to look at the full URL in emails or on websites to know if it’s authentic
or not.

For better or worse, the URL scheme is what we have to identify websites and
pages. Hiding that on larger screens doesn’t make much sense. It also hinders
learning for the next generation.

~~~
mkl
Actually, that's their argument for doing it. Most users don't understand the
different bits of a URL, to know whether it's from the site they think it's
from. See (huge) previous discussion from two months ago:
[https://news.ycombinator.com/item?id=23516088](https://news.ycombinator.com/item?id=23516088)

Personally, for my own purposes, I think hiding any bit of the URL is
incredibly inconvenient. Already hiding the www. is seriously annoying. I will
switch this new behaviour off and hope they don't remove that option.

~~~
aquova
If that's really their justification, then I wish they would take the approach
that Firefox does - show the full URL but have the domain name in white and
the rest of the URL in a muted color. It provides the full information as well
as highlighting the most important info for spotting a phishing scheme.

~~~
oefrha
> show the full URL but have the domain name in white and the rest of the URL
> in a muted color

Which is exactly what they do at the moment.

~~~
_underfl0w_
Meaning that the _need_ for the new hiding feature is... what, exactly?

~~~
untog
Presumably that a number of users still don’t get it and the value to the
remaining users is very small.

------
crazygringo
Remember folks, Apple has been doing this in Safari since 2014. And there's
been _zero_ uproar over it at all. I don't understand why people suddenly hate
this just because it's Google.

For most users, total focus on the domain name is a security _feature_. For
99% of users, what comes after the domain name might as well be gibberish. I
mean, it is a majority of the time.

~~~
GrinningFool
The first time I used Safari and didn't see a full URL was the last time I
used Safari. I didn't raise a fuss or take to twitter, I just stopped using
it. I'm probably not alone.

In addition, Safari has a very small slice of browser usage in the overall
scheme of things. I suspect the uproar would be just as vocal if their usage
numbers were in the range of Chrome's.

~~~
dieortin
You can enable the full bar though, instead of not using the browser
anymore...

~~~
GrinningFool
I could, but ... it's just a browser? If it doesn't behave the way I
[reasonably?] expect by default, I'll just get a different one.

------
dessant
When the final version is implemented in a couple of years you will no longer
see any URL, that way it won't be as evident that most sites on the web will
be loaded from Google.

Google is also attacking this issue from a different perspective with Signed
Exchanges [1][2], to fake the URL and ensure their success in becoming the
gatekeepers of the internet.

If you refuse to become a content provider for Google's vision of the web,
then they currently won't feature you at the top of search results in the Top
Stories carousel, and perhaps demote you entirely from the first page in the
future, depending on how their hijacking strategy works out.

[1]
[https://news.ycombinator.com/item?id=19678693](https://news.ycombinator.com/item?id=19678693)

[2] [https://www.iab.org/wp-content/IAB-uploads/2019/06/mozilla.pdf](https://www.iab.org/wp-content/IAB-uploads/2019/06/mozilla.pdf)

~~~
est31
Yeah the endgame would involve a play-store like 30% cut of any revenue,
subscription, ads, anything. 30% cut from non-Google ad network revenue as
well. At that point publishers won't have a choice any more because of the
Chrome and Google search monopolies.

~~~
dessant
By that time it will be warranted to limit user freedom on the web to make
security and privacy accessible for everyone, just like Apple does today on
their devices. The scary open web and the meaning of a general purpose
computing device will be easily forgotten.

------
davidmurdoch
Jake Archibald (a Googler) presents some decent points on this on the HTTP 203
podcast: [https://youtu.be/0-wB1VY3Nrc](https://youtu.be/0-wB1VY3Nrc)

I still don't agree with the removal of URLs, but I do still recommend
watching the entire video if you want to get more perspective on the issue
(beyond just the conspiracy theories about AMP and control).

------
bambax
For now I'm quite happy to have finally switched to Firefox a few months ago.

If Firefox disappeared though, as it seems it might, that would be horribly
frustrating.

~~~
criley2
Firefox/Mozilla is largely funded with the search deal which is usually paid
by Google.

Google has a vested interest in Firefox staying alive for competitive/monopoly
reasons, especially now that IE is officially a Chrome skin.

e.g.
[https://www.forbes.com/sites/barrycollins/2020/08/13/mozilla-extends-critical-firefox-search-deal-with-google/#5bd73bdb6ea2](https://www.forbes.com/sites/barrycollins/2020/08/13/mozilla-extends-critical-firefox-search-deal-with-google/#5bd73bdb6ea2)

~~~
distances
Weren't the last days' layoffs a direct consequence of that deal expiring later
this year?

~~~
NikolaeVarius
Nobody knows, since we don't know if the deal will renew.

~~~
Ndymium
The deal has already been renewed:
[https://www.theregister.com/2020/08/14/mozilla_google_search...](https://www.theregister.com/2020/08/14/mozilla_google_search/)

~~~
hu3
> our source told us Moz will likely pocket $400m to $450m a year between now
> and 2023 from the arrangement

Why in hell did they lay off MDN, Rust/Servo and Dev Tools teams?

~~~
_underfl0w_
IIRC the supposed "burden" of lowering Cxx suite salaries played a
non-insignificant role.

------
simonkafan
I still haven't found a good answer why they do this. "Makes it harder to tell
if the current site is legitimate" sounds like an excuse. If you are the
perfect target for a phishing attack (= clicks on everything, enters passwords
everywhere, has no clue about host names) then you also won't be able to
understand what Chrome presents you in the address bar after obfuscation.

My best explanation so far is that the Chrome team doesn't know how to improve
their browser anymore so they just make up work to keep the software engineers
busy.

~~~
SifJar
I think the justification is that some people will think the website is
legitimate if a legit hostname appears anywhere in the URL e.g.

[http://scamsite.com/microsoft.com/phish](http://scamsite.com/microsoft.com/phish)

"looks" legit because it contains the string "microsoft.com" (and most
"regular" users won't appreciate the different parts of a URL); under the new
scheme, that would display only as "scamsite.com" and _hopefully_ people are
less likely to enter their microsoft username/password if "microsoft.com"
doesn't appear anywhere in the address bar.

I'm not overly convinced of this personally, but I think that's the supposed
idea behind it.

~~~
oneeyedpigeon
I think microsoft.scamsite.com would fool most of the people that
scamsite.com/microsoft would. It's a very difficult problem. Can't we have
something like certificates for domains, so we can at least trust the most
potentially vulnerable cases?

~~~
judge2020
If EV certificates were good they'd be great for showing alongside the URL,
but they're both expensive for most (used to be $100/yr if you go for the
cheapest vendor, now heavily discounted since the URL bar change made it lose
value) and the legal entity verification doesn't work in a sense that company
names aren't unique[0].

0:
[https://news.ycombinator.com/item?id=15904513](https://news.ycombinator.com/item?id=15904513)

~~~
tialaramex
They (EV certificates) also don't do as much as you probably think they do.
Or, I suppose, seen from a different angle, the actual dnsName matching does a
lot more than you realise.

When you visit news.ycombinator.com obviously the browser confirms that the
certificate presented is for news.ycombinator.com and not anything else.
Because the machine does dnsName matches and machines are fast, it happens
prior to every single transaction as necessary. In contrast EV information
like company name can only be checked by a human, slowly, after a transaction
already completed.

Suppose I hit this "reply" button to post this, but bad guys have just at that
moment intercepted my network connection. The browser connects to
news.ycombinator.com and... their certificate either isn't trustworthy or
isn't for news.ycombinator.com and so this text is never sent to the bad guys
at all.

But EV certificate details are only useful retrospectively. The browser can
tell me _after the fact_ that it posted the response to "Phishing Corp. Ha Ha
Ha We've Got Your Data Now" but it doesn't actually know that's the wrong
place so it won't abort the transaction.

For this and other reasons the entire EV design doesn't really "work" from a
security point of view, and wasn't ever really intended to. It's a marketing
idea, not a security idea.
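
The comment above contrasts the machine-checked dnsName match with the human-read EV organization field. The following is an added illustration, not part of the thread and not browser code: a simplified model of that gate, with constructed certificate objects and hypothetical function names (`dnsNameMatches`, `decideSend`).

```javascript
// Simplified model of the name check a TLS client performs before any request
// data is sent. Certificates here are plain constructed objects, not parsed X.509.

// Compare one certificate dNSName entry against the requested hostname.
// Wildcard rule modelled here: "*" is accepted only as the entire left-most
// label and stands for exactly one label. (Real clients also consult the
// Public Suffix List; this sketch only refuses two-label patterns like "*.com".)
function dnsNameMatches(pattern, hostname) {
  const p = pattern.toLowerCase().replace(/\.$/, "").split(".");
  const h = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (p.length !== h.length) return false;
  if (p[0] === "*") {
    if (p.length < 3) return false;
    return p.slice(1).join(".") === h.slice(1).join(".");
  }
  if (pattern.includes("*")) return false; // partial or inner wildcards rejected
  return p.join(".") === h.join(".");
}

// Decide whether the request may be sent. Note what is NOT consulted:
// cert.organization (the EV field) plays no part in the decision.
function decideSend(hostname, cert) {
  if (!cert.chainTrusted) return { send: false, reason: "untrusted-chain" };
  if (!cert.dnsNames.some((n) => dnsNameMatches(n, hostname))) {
    return { send: false, reason: "name-mismatch" };
  }
  return { send: true, reason: "ok" };
}

// Constructed sample certificates.
const genuine = {
  dnsNames: ["news.ycombinator.com"],
  organization: null, // a DV certificate: no organization at all
  chainTrusted: true,
};
const interceptor = {
  dnsNames: ["phishing.example"],
  organization: "Phishing Corp.", // validly issued EV, but for another name
  chainTrusted: true,
};
const selfSigned = {
  dnsNames: ["news.ycombinator.com"],
  organization: "Y Combinator",
  chainTrusted: false,
};

for (const [label, cert] of Object.entries({ genuine, interceptor, selfSigned })) {
  console.log(label, JSON.stringify(decideSend("news.ycombinator.com", cert)));
}
```

The interceptor's certificate is rejected on the name alone, before anything is transmitted; its organization string would only ever be visible to a person looking at the UI afterwards.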

------
khaledh
IMO this is the real reason why they're pushing hard towards this:

> However, it's also worth considering that making the web address less
> important, as this feature does, benefits Google as a company. Google's goal
> with Accelerated Mobile Pages (AMP) and similar technologies is to keep users
> on Google-hosted content as much as possible, and Chrome for Android already
> modifies the address bar on AMP pages to hide that the pages are hosted by
> Google.

~~~
bitexploder
We are going back to AOL days. That didn’t work out so well for AOL in the
long run. It’s kind of crazy to me you can’t do marketing now without at least
discussing Google and Facebook these days.

Edit: at least you knew you were the customer with AOL and paid them with
clear terms for access.

~~~
dmitryminkovsky
The only difference is that Google has endlessly more clout and depth than AOL
and my fear is that where AOL failed, Google may succeed.

With Firefox succumbing this week, this is pretty horrible.

I’m not a Richard Stallman type, but I think it’s come to the point where if
you have even the slightest pretense of being a “free web” person, using
Chrome or a Chromium-based browser has become unconscionable. This company is
playing embrace extend extinguish to a T and they are nearing the end game.

I switched to Firefox this year and so can you! Just download it, install it,
and then clear your Chrome history so it doesn’t feel like home anymore.
Firefox is really nice and I was surprised that I don’t miss Chrome at all
(except for the developer tools color picker).

~~~
brundolf
I've been using Firefox/Safari on my personal devices for a couple years now,
but as a web developer I unfortunately can't not use Chrome at work because of
its dev tools. I try to test on other browsers when I have time - I've always
made a point to push for supporting at least Firefox, as an organization - but
when I'm iterating I really just need the Chrome tools. Firefox's tools always
remained one or two steps behind, and now that they fired their dev tools team
I assume they won't even be doing that, soon.

The same goes for Google Search/DuckDuckGo. I use the latter on my personal
devices, but when I'm tracking down a problem at work I just need the thing
that's going to work the best.

~~~
dmitryminkovsky
I agree about DDG, but not dev tools.

I used to think they weren’t as good, but they are good. And I think I’m a
pretty serious dev tools user.

BUT, if you want to keep using Chrome dev tools that doesn’t mean you can’t
switch to FF. Just de-personalize Chrome (clear your history, sessions,
settings etc) and then you’ll stop using it. Say you’re developing and open a
new tab to search something on SO: you won’t be logged in on SO. Same goes
with any site. So you’ll instantly realize you’re using Chrome to browse and
hop over to FF instead.

Seems like a lot of work but it’s not. Maybe I drank the kool aid but I now
feel naked browsing with Chrome and try to avoid it as much as possible. I
think the important thing is to stop using Chrome for personal browsing.

~~~
_xoo
I disagree about DDG :). For work-related searches I'm really satisfied with
the results and I find answers quickly. I would even go as far as to say that
it works better for me than Google's search. I experienced it the other way
around. When using DDG for personal use or results about local things I often
tend to use the Google bang as Google has the better localized results.

------
cdmckay
Hasn’t Safari already been doing this for ages with no issues?

~~~
Flimm
Yes, it has been doing it for ages, both on macOS and iOS.

~~~
kergonath
Safari does something like this (showing the full url only when you select
it), and it can also be disabled in the settings.

It does not do anything like obfuscating where the document comes from, like
Chrome on Android does to hide the fact that they are serving AMP pages.

------
TedDoesntTalk
> “Showing the full URL may detract from the parts of the URL that are more
> important to making a security decision on a webpage," Chromium software
> engineer Livvie Lin said in a design document earlier this year.

I’m a software engineer, too, but I would never make such an important UX
decision because I know that is not my area of expertise.

I hope they’ve gotten significant user feedback on this before rolling it out.

Personally, I hate it.

~~~
solarengineer
I wonder if Livvie Lin and other Google engineers read such HN threads. What
might be their internal discussions, I wonder.

How do they justify such design decisions? Are they asked by someone else to
figure out how to make such weird things happen as they just do as ordered?

~~~
avasthe
"Asked by marketing" or something like that.

Fucking suits spoil everything. Engineers are in general, more ethical than
suits.

~~~
mav3rick
Yes, marketing was obsessed with the URL bar all this while.

~~~
avasthe
Wrong logic. Marketing didn't see the opportunity to mislead people till now.

Although in this case, it can be all about further abstracting the URL detail
from end user, as I mentioned in another comment.

------
Santosh83
Vote with your choices (use a different browser). That's the only way to
address such behaviour. Yes, I know the 95% out there who don't even know what
a browser is but only know Chrome's icon gives access to the web won't
understand any of this and they will continue giving mega-corporations a
critical mass of unquestioning users to be used, but we have no other options.

We either express our voices, no matter if they're fringe (and hope it catches
on) or we can just give up and not even write these articles any more.

~~~
filleduchaos
> Yes, I know the 95% out there who don't even know what a browser is but only
> know Chrome's icon gives access to the web won't understand any of this

I find it fascinating how some people in tech bubbles think everyone else is a
stupid sheep who can't possibly understand such incredibly complex concepts
like what a "browser" is.

~~~
avasthe
Depends. I have seen a lot of people who don't understand such things. And I
have seen teachers who think using a different editor to write a program might
affect output.

~~~
mkr-hn
This expectation probably comes from seeing how even Word->Word can break
things. It's reasonable to try and develop a heuristic from that.

------
throwaway6288
This is why we should jump over to Firefox. Today! And by us I mean we who
know that this is a bad idea. Mozilla is suffering and this is our last chance
to not let Google and chrome have total dominance over the web. Mozilla copies
Chrome a lot, but they need more market share to be able to get a say here and
take the point of us power users.

I have been using and contributed to Firefox for years, and it is a great
browser!

Come on, we know better! Use Firefox or watch Google destroy the open web.
It's up to us!

Mozilla has flaws, yes, but this is important! That technical users continue
to use Chrome is beyond me.

~~~
hu3
Google renewed their deal [1] and Mozilla is still going to get 400-450mil per
year until 2023 at least. Yet they gutted firefox servo, devtools and MDN
teams.

Using Firefox from now on is just feeding the troll called Mozilla management.
We need to seek another open source privacy oriented browser or have a serious
foundation like Apache fork Firefox.

[1]
[https://www.theregister.com/2020/08/14/mozilla_google_search...](https://www.theregister.com/2020/08/14/mozilla_google_search/)

------
brianzelip
Stop using chrome. Use Firefox,
[https://www.mozilla.org/en-US/firefox/developer/](https://www.mozilla.org/en-US/firefox/developer/).

------
amiga-workbench
A nice side effect for them is that it makes it less obvious you are viewing
an AMP site.

~~~
Hamuko
Do they not have those AMP sites that are under a Google domain anymore?

~~~
brianush1
They hide the fact that it's a Google domain in Chrome.

------
rchaud
URLs are supposed to be human-readable because they're intended to signal to
users what the content is about.

What is not human-readable, although fully semantic, is all the parameter
trash that comes after the full URL. Stuff like
"utm_source='twitter'&utm_medium='social_share'" or cookie information and the
like.

I can understand trimming that information, but hiding the URL to show the
domain only makes no sense.

------
pkamb
The example url in the article is:

>
> [https://en.wikipedia.org/wiki/URL#Internationalized_URL](https://en.wikipedia.org/wiki/URL#Internationalized_URL)

which is shortened in the address bar to:

> en.wikipedia.org

at the VERY least, I wish they would instead use:

> en.wikipedia.org/wiki/URL

Same for Twitter and Reddit URLs, specifically. Don't hide the username or the
subreddit.

~~~
RonanTheGrey
Those are two examples where the URL is canonical and shouldn't be shortened.

There are probably many, many more. Very often the only place you can find the
date of a news story is in the URL due to them using some version of Wordpress
but not putting the date in the article past a certain age (F YOU, Guardian).

Google has clearly thought this through and decided that whatever they're
getting out of this is FAR MORE IMPORTANT than the best interests of their
users.

And that should make everyone suspicious.

------
smlckz
Sigh. Now browsers are as powerful as OSes. Why do you need OSes?

Address bars? People don't need them. Google should tell you which website
you're visiting is good or which is bad if they hide the address bar.

~~~
asimpletune
I’m not sure why this is being downvoted, this is an accurate albeit sardonic
description of what’s happening.

People don’t want to visit AMP sites, they want to visit the site that’s the
original source for their news, etc...

~~~
kergonath
The premise “browsers are as powerful as OSes” is dubious.

“Why do you need OSes” is something I would expect from someone who does not
know how a computer works.

Whilst they should probably be tweaked, address bars are central to the web as
it is currently.

Google should stay as far as possible from me and has no business telling me
it approves of the sites I am browsing.

I did not downvote the post, but there is no sentence in it that does not make
me regret having read it.

~~~
brianush1
I understood the "Why do you need OSes" as "Why would you use Windows when you
can use ChromeOS, since the only thing you'll ever need to open is Chrome"

And all of these opinions are obviously not held by the poster but are rather
what the poster believes Google wants.

~~~
kergonath
If it is sarcasm, it’s not great. These exact points are commonly made by
people who clearly take them seriously. These people are obnoxious enough,
there’s no need to reproduce their talking points.

My experience is that as much as some geeks love to go on about web apps, real
people still do more than browse the web on their computers.

~~~
smlckz
There's more ''consumers'' out there than ''real people''.

------
clairity
google is not attacking the url bar, it's attacking _dns_ , just like aol and
verisign (and others) before it. google wants to replace the decentralized dns
system with a centralized google lookup service, powered by their principal
competitive advantage, search. google wants to control the internet itself.

they're banking on the idea that the average user wants to type (or speak)
"macdonalds" and end up engaging with mcdonald's in some form. google wants to
be the gatekeepers of the whole internet, not just the browser. the browser is
small peanuts in comparison.

the simple narrative of this title/story is the kind of distraction we need to
see right through with large organizations everywhere, whether it be a
corporation, a government, or anything else. we the people must keep these
entities in check so that they serve the greater good for all of us, not just
the narrow and corrupt.

------
magicalist
The Chromium blog post (which points out that like Safari on the Mac there's a
setting now (not just a flag) to disable it):

[https://blog.chromium.org/2020/08/helping-people-spot-spoofs-url.html](https://blog.chromium.org/2020/08/helping-people-spot-spoofs-url.html)

~~~
p1mrx
"Always show full URLs" is such a breath of fresh air. It eliminates all the
URL butchering (e.g. inconsistent hiding of http/https) that Chrome had been
doing for more than a decade.

Though I'm not seeing the option by default on a fresh install of Chrome 86;
hopefully that's just a rollout glitch.

~~~
RonanTheGrey
What would be even more honest is that when people first install that version,
they're asked what they want that setting to be.

It would be interesting to see the results.

------
wwwwwwwww
Switched to Vivaldi.

One click, and Vivaldi shows the _entire_ URL, as it should be, including
scheme and everything.

(Vivaldi browser was founded by employees of Opera, when Opera was sold to a
Chinese company. Vivaldi is owned entirely by its employees.)

------
avodonosov
Even today's protocol hiding is so inconvenient, who is making these
decisions, do they use computers regularly?

~~~
kmeisthax
The average user sees
[http://123.45.67.89/~sk/microsoft.com/techsupport](http://123.45.67.89/~sk/microsoft.com/techsupport)
as a legitimate Microsoft website. That's what this change is intended to fix:
users that see a domain in any part of the URL as being valid. They want to
change it to only show the part that's actually security relevant. If you tell
the average user "Look for Microsoft in the URL", and they find it in the
path, they're going to fall for a phishing scam.

~~~
RonanTheGrey
_HIDING_ the URL doesn't seem to be the most obvious solution to this, to me.

------
jasonjayr
There are a lot of comments about hiding the URL "because the user doesn't
understand" -- has there been any research into user education directly in
the address bar?

Like, fresh install page points @ google.com. Why not a little browser popup
highlighting the parts of the URL and explaining it, with a link + tutorial on
how to understand parts of the URL?

Rather than dumbing the interface down, why not inform users so they can use
these platforms more effectively?

------
0xUser
If you like the chromium ecosystem, I suggest trying the Vivaldi browser.
[https://vivaldi.com](https://vivaldi.com)

It won me over with (1) the ability to split the window into multiple tabs (2)
ability to turn any webpage into a side-bar "applet-thingy" -- great for
having whatsapp, todoist, always on the side while you switch tabs.

It also has plenty of other features aimed at power-users.

~~~
_underfl0w_
Can confirm. Vivaldi is absolutely fantastic for the reasons you named, plus
its ability to use all common Chrome extensions such as uBlock Origin,
uMatrix, Dark Reader, etc.

------
benatkin
It's a problematic change, but is actually more usable. Now as a developer, I
don't have to worry about changing the URL too much, in order to enable deep
linking and the back button. I also don't have to worry about the unsightly
but useful query parameters on a search page. This should become the new
standard.

It's not like the mailboxes that the USPS is removing, ostensibly in response
to declining mail volume. The mail boxes weren't in the way. They were built
according to the city codes. Removing them before an election is all downside,
and no upside.

The path and query params in the URL are in the way. If you're making a page
that's a list of data that gets filtered, each time you change one of the
filters, and call replaceState when it changes, it would change the URL bar.
That's visual noise.

I used to be against this, because I'm against Google's overall agenda with
the web. I thought about it and couldn't deny the usefulness of being
consistent across mobile and desktop, and letting the URL change as frequently
as is useful from the developer perspective.

~~~
RonanTheGrey
> I don't have to worry about changing the URL too much, in order to enable
> deep linking and the back button. I also don't have to worry about the
> unsightly but useful query parameters on a search page. This should become
> the new standard.

I've been a web developer for both small and large companies for over 20 years
and can assure you I have never worried about such things.

This is a false flag.

~~~
benatkin
Currently I'm on
[https://news.ycombinator.com/reply?id=24161699&goto=item%3Fp...](https://news.ycombinator.com/reply?id=24161699&goto=item%3Fp%3D2%26id%3D24156986%2324161699)

Is that optimal?

Safari hides it on desktop now. Like I said I didn't want to admit it at
first, but it's better.

It would certainly be noticeable on mobile if they word wrapped the entire URL
so you could see it.

------
ehutch79
This has nothing to do with amp, and everything to do with users thinking
[http://printer001.cpalawyer.bz/mircosoftoneline.acutallogind...](http://printer001.cpalawyer.bz/mircosoftoneline.acutallogindomain.here/)
is a legit office 365 login page.

Not that they're going to notice that the url bar says something random
anyways.

------
dang
This article had a major thread two months ago:
[https://news.ycombinator.com/item?id=23516088](https://news.ycombinator.com/item?id=23516088).

It has been updated, apparently to mention an animation technique in the URL
bar of Chrome 86, but that's apparently not SNI
([https://hn.algolia.com/?query=%22significant%20new%20informa...](https://hn.algolia.com/?query=%22significant%20new%20information%22%20by%3Adang&dateRange=all&page=0&prefix=false&sort=byDate&type=comment))
since the discussion here isn't mentioning it. So I think we have to call this
on the dupe side. See also [https://hn.algolia.com/?query=follow-
up%20by%3Adang&dateRang...](https://hn.algolia.com/?query=follow-
up%20by%3Adang&dateRange=all&page=0&prefix=true&sort=byDate&type=comment) for
how we moderate these.

------
makecheck
I’ve wondered why we continue to display URLs as painfully-long single lines
of text. Tradition? Why is this helpful anymore? (e.g. On an iPhone it’s not
easy to edit the end of a URL.)

If it’s so damn hard to display full URLs on one line, let’s display them on
_several_ lines (at least after tapping on them), broken on dots to wrap.
Spaces aren’t valid in URLs anyway.

~~~
pkamb
I've thought about this as well. Tapping the URL bar on an iPhone should open
a multi-line wrapping text block that doesn't require painful horizontal
scrolling.

------
iamleppert
If URLs get hidden in such a way, developers are going to stop caring about
them. This is going to result in experiences like we get with apps like
Facebook, which doesn’t have any conceivable way to get back to certain
content. Think single page apps that never have any URL changes.

Of course the brass at Google is incredibly short sighted and clumsy in their
approach. All the good people at Google are gone and we’re left with the
dredges and it’s starting to show.

------
gitgud
Well it does make the host domain clearer which could make phishing attempts
harder.

But it must be weird when navigating around a website, while the url remains
static... ugh creepy

------
crazypython
One of my favorite macOS/iOS features is URLs. Most good native apps-- Things,
Drafts, DEVONThink, etc.-- support URLs. URLs such as `things://` and
`drafts://`. Some accept POST as well as GET.

There's even a specification of an iOS/macOS protocol very reminiscent of
webhooks. [http://x-callback-url.com/](http://x-callback-url.com/)

------
curiousllama
I wonder to what degree Google becoming increasingly a Walled Garden provides
an opportunity for a new type of search engine. Instead of having to grapple
with the breadth of services on the Internet, it grapples with the depth of
each Walled Garden - Apple, Google, WeChat, etc.

I simply can't imagine that any one platform, however large, can truly grapple
with the full range of use cases for the consumer internet.

------
binarray
If the domains were written from left to right / highest to lower level
(example: com.ycombinator.news/... or com/ycombinator/news/...), this
(particular) phishing problem would go away and there would be no reason to do
this.

Out of ignorance, were any proposals made to change the order of (writing)
domain levels? Or to create an alternative one (if that is even possible)?

------
alexmingoia
This is how Safari for iOS (and desktop?) has worked for a long time... the
domain is shown unless the URL field is selected. I like it.

------
baby
Omg. I believe safari does that and I freaking hate it. I see how it makes
every website act like an app, but these have real user values: you wouldn’t
design a folder explorer by hiding where you are in the tree. Oh wait,
actually that’s what macOS does already...

On the other hand, this is the default behavior on mobile browsers and it
doesn’t seem to disturb anyone.

------
dkdk8283
I often modify URLs when sharing with friends - stripping utm and other
parameters especially when sharing amazon links

My search terms are not relevant to sharing a product ASIN

It seems that Google may view the web browser as an engine that is trying to
reinvent native desktop apps. What’s old is new again just with some fancy
words and a new generation

------
pkamb
They should fix this bug first:

> Issue 1084406: Reappearance of "HTTPS://" causes URL text to move as you are
> selecting it

>
> [https://bugs.chromium.org/p/chromium/issues/detail?id=108440...](https://bugs.chromium.org/p/chromium/issues/detail?id=1084406)

~~~
p1mrx
The new "Always show full URLs" option fixes that, because http/https is
always visible.

------
stunt
I prefer what Firefox does. Just keep the domain name black/highlighted and the
rest of URL gray.

But, for average user this might be more effective to detect phishing attacks
since they never check full URL anyway. (Unless when a website does something
stupid with query string parameters)

------
newbalance
Feel like this is similar to a future self-driving Google car depositing me at
my destination, but without telling me the address itself. We're here.

For me personally, this makes it official, I need to keep my guard up at all
times when using anything Google.

------
staticassertion
I don't believe this is an attack. It hides the full address, but you can
hover over it to see the whole thing, or even enable full addresses easily.

I believe this is legitimately done to improve UX for users who may be
phished. Tying this to AMP is a mistake.

~~~
RonanTheGrey
"Won't somebody please think of the children?!"

~~~
staticassertion
This is a really weak response. The post announcing the feature makes an
extremely strong case for why this is a good thing.

------
non-entity
The URL hiding thing is what finally pushed me to use Firefox full time last
year.

------
trishankkarthik
I was just thinking about this the other day: at the same time, they keep
adding weird, inscrutable nonsense at the end of every Google Search URL, so
what's the point of hiding the protocols and www and whatnot?

------
bobbydreamer
Naaa. They are making up space for ads and chrome extensions. URLs are
important, to the difference between a home page and other pages or will never
know if you are redirected.

------
rixtox
Hiding the full URL will redirect a lot of traffics back to Google's search
engine because people can't easily figure out the source from a screenshot
anymore.

~~~
Gibbon1
If google can get enough people to stop using url's then they can start
building a walled garden.

------
crawsome
This is why I use and support Firefox. It's so sad to see Mozilla doing so
badly right now when Google gets away with Evil.

------
apricot
This reminds me of that time when Microsoft started hiding file name
extensions from the user, because reasons.

------
swader999
This is about censorship and control. Just type in what you want and we'll get
what's best for you.

------
shadowgovt
This seems like a problem that is easily solved by ceasing to use Chrome.

How does the URL bar look in Firefox these days?

------
iamaziz
Great news! Can’t wait to use, I’ve been trying to hide the whole address bar
altogether for so long

------
ComputerGuru
All of a sudden, I’m cheering for Microsoft’s decision to make Edgium
available for Linux.

------
treebornfrog
This is exactly why I forced myself to switch to FF quantum around 2 years
ago.

Chrome is going downhill.

------
jungletime
This is the same company that will selectively censor leaked information, as
election interference.

[https://techxplore.com/news/2020-08-facebook-google-
election...](https://techxplore.com/news/2020-08-facebook-google-election-
efforts.html)

At this rate, China will be a more free country.

------
causality0
I'm not going to use a browser that lies to me about what web page I'm on.

------
unixhero
Fuck. That means it ends my love affair with Chrome. I had such high hopes for
us.

------
DodgyEggplant
Mozilla move to cut so many people involved in an alt browser doesn't help

------
anm89
Couldn't be happier that I switched to firefox about a year ago.

------
ramosu
My life is much better with Firefox. I don't miss Chrome at all.

------
Wolfenstein98k
What are they gaining from this that possesses them to fight such consistent
opposition?

I don't see anyone stumping for this or any groups making any arguments for it
beyond aesthetics, which is nice but surely doesn't outweigh all the
vociferous opposition.

What gives? Cui bono?

------
eric4smith
I’m gonna go out on a limb here and say this might actually be a good thing
for people who are looking for domains.

But also a great thing for google as they are going to reinforce searching
instead of typing in a domain.

------
JulianVModesto
lol “attack,” your mobile browser already does this

------
exabrial
Don't cry when anti-trust nukes come Google.

------
monadic2
They're just BEGGING for an anti-trust suit.

------
atoav
I will from now on consider Chrome as a malware.

------
DSingularity
How do google engineers stand for this shit?

------
ariyadi
Apple has been doing it for a long time

------
known
First url shortener (goo.gl) now this;

------
laichzeit0
Stop using Google products. They are evil. Switch to duckduckgo and Firefox or
Brave and block all ads. Fuck these guys.

------
cryptonector
Please please stop this, Google.

------
wodenokoto
Is this different than safari?

------
mroche
Having looked at the intended design implementation, I'm not _super_ against
this change, but I'm not fully onboard. And the concept of AMP here isn't lost
on me, either.

I understand the stated goal of this is for simplicity for users and enhancing
generic security. I feel Firefox already does this better. Let's take the
following URL for example:

[https://code.visualstudio.com/docs/](https://code.visualstudio.com/docs/)

On my work MBP with FF 79 and GC 81, this is what I see ([] signifies
contrasted text color):

Firefox:
https://code.[visualstudio.com]/docs/

Chrome: [code.visualstudio.com]/docs/

Chrome (after clicking twice in the address bar):
https://[code.visualstudio.com]/docs/

Chrome 86 (uses above formatting on hover): code.visualstudio.com

In both apps, the dark themes provide more contrast than the light ones. I
don't think we need to hide URL's from users, because what really matters is
the very beginning of the URL which is always shown, and noting the root
domain in a more contrasted, apparent way (like Firefox does) is to me a
better solution to this problem. Spending time to improve the appearance of
the important part of the URL will help everyone in the end, rather than
taking the easy road of just isolating it.

Time would be better spent on solving horrible looking URLs in the first place
and how URLs get represented in sharing (e.g. email clients, SMS, etc), which
is where arguably most visual URL security concerns take place. If anything, I
think I'm less likely to trust a URL like this (a simple Google search for
"example url") when taking a glance in an email (removed https so full URL
would show):

"://www.google.com/search?source=hp&ei=IJ82X6DoINCJytMP75Cn6As&q=example+url&oq=example+url&gs_lcp=CgZwc3ktYWIQAzICCAAyAggAMgIIADICCAAyAggAMgIIADICCAAyAggAMgIIADICCAA6CAgAELEDEIMBOgUIABCxAzoCCC46CwguELEDEMcBEKMCOgUILhCxAzoECAAQCjoLCC4QsQMQxwEQrwE6CggAELEDEEYQ-
QFQkDJYxEdg3khoAnAAeAGAAbsBiAHBBpIBBDEyLjGYAQCgAQGqAQdnd3Mtd2l6&sclient=psy-
ab&ved=0ahUKEwig-Nis85rrAhXQhHIEHW_ICb0Q4dUDCAg&uact=5"

than "://www.google.com/search?query=example+url"

If on mobile, go into landscape for the larger URL, unless there’s a better
way to format it I’m not aware of. Didn’t think a code block was best for a
massive oneliner.

A possible middle ground could be taking a look at limiting token visibility.
But a larger discussion would be needed for that as well.
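
The host/path split kmeisthax describes earlier in the thread, rendered in the bracket notation this comment uses for Firefox's highlighting, as an added example that is not from any commenter or from Chrome or Firefox. The suffix set is a small stand-in for the Public Suffix List, and the brand watch-list and the third sample URL are constructed.

```javascript
// Added example. ASSUMPTIONS: SUFFIXES is a tiny stand-in for the real
// Public Suffix List, and BRAND_DOMAINS is a hypothetical watch-list.
const SUFFIXES = new Set(["com", "net", "org", "bz", "co.uk"]);
const BRAND_DOMAINS = { microsoft: "microsoft.com", google: "google.com" };

// Return the part of the host that identifies who controls the site.
function registrableDomain(hostname) {
  // IP literals (IPv4, or bracketed IPv6) have no domain hierarchy to trim.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith("[")) {
    return hostname;
  }
  const labels = hostname.split(".");
  // Try the longest candidate suffix first so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return hostname; // unknown suffix: show the whole host rather than guess
}

function analyze(urlString) {
  const u = new URL(urlString); // WHATWG parser; lowercases the hostname
  const domain = registrableDomain(u.hostname);
  const subdomain = u.hostname === domain
    ? ""
    : u.hostname.slice(0, u.hostname.length - domain.length - 1);
  const rest = u.pathname + u.search;
  // A brand name anywhere except the registrable domain itself says nothing
  // about who runs the site, so report it as potentially misleading.
  const haystack = (u.hostname + rest).toLowerCase();
  const misleading = Object.keys(BRAND_DOMAINS).filter(
    (brand) => haystack.includes(brand) && domain !== BRAND_DOMAINS[brand]
  );
  const prefix = subdomain ? subdomain + "." : "";
  return {
    domain,
    misleading,
    // Bracket notation from the comment above: [] marks the contrasted part.
    highlighted: `${u.protocol}//${prefix}[${domain}]${rest}`,
  };
}

// The first two URLs are quoted in the thread; the third is constructed.
const samples = [
  "http://123.45.67.89/~sk/microsoft.com/techsupport",
  "https://code.visualstudio.com/docs/",
  "https://microsoft.com.login.example.net/signin",
];
for (const s of samples) {
  const r = analyze(s);
  console.log(r.highlighted, r.misleading.length ? "FLAG: " + r.misleading : "");
}
```

A production version would load the full Public Suffix List instead of the five-entry set, since a missing suffix makes the function fall back to showing the whole host.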

------
butz
And that's why we need more competing browsers, not built from chromium
source.

------
thrownaway954
so... is this a chromium thing or a chrome thing? if it is just exclusive to
chrome, then maybe it's time to finally give the new microsoft edge a try.

~~~
Wowfunhappy
The official build of Chromium tracks Google Chrome quite closely, so I feel
confident assuming that the change is there as well, even though I haven't
checked. But since Chromium is open source, I'm not sure anyone can really
answer that question. Whether the change is in Microsoft Edge depends on how
far Microsoft is willing to diverge from mainline (and where specifically they
want to spend their resources).

------
sheinsheish
Don’t use it :)

------
thepete2
we're getting there [0]

[0] [https://xkcd.com/2105/](https://xkcd.com/2105/)

------
draw_down
Really wish they would stop trying to do this.

~~~
asimpletune
It’s sort of surreal to feel so disenfranchised about it too. Like, no one
wants this, I’m sure they know that, but they just don’t care.

~~~
Liquix
They know that no matter what they do they're too big to be stopped. We cannot
rely on any of the five eyes governments to break their monopoly because
their data collection programs are of immense value to these nations. If they
ever are broken up, it'll be a 30 year smoke and mirrors campaign like when we
'broke up' Ma Bell [0]. Disenfranchised is right.

[0] [https://external-
content.duckduckgo.com/iu/?u=https%3A%2F%2F...](https://external-
content.duckduckgo.com/iu/?u=https%3A%2F%2Fcdn.vox-
cdn.com%2Fthumbor%2FrdfoBiH9qvDVtnW9-lwvPOOLN7U%3D%2F0x202%3A2376x1539%2F1600x900%2Fcdn.vox-
cdn.com%2Fuploads%2Fchorus_image%2Fimage%2F51495523%2FScreen_20Shot_202016-10-24_20at_202.21.23_20PM.0.png&f=1&nofb=1)

------
rbinv
Pushing Google one step closer to becoming Alphabet's AOL. Instagram and
friends must be stealing quite some traffic and ad revenue.

