Chrome 76: no more https or www in address bar
Google Chrome users who upgraded the stable version of the web browser to the recently released Chrome 76 version may have noticed that Chrome does not display https or www anymore in the browser's address bar.
Google made the change in 2018 for the first time when it released Chrome 69 but had to undo it after user outcry over the removed feature. Back then, Google decided to remove what it called trivial subdomains like www. or m. to display only the root domain in the address bar; this led to issues on sites that supported several of the trivial subdomains as it was no longer possible to look at the address to verify the active site.
Google called these subdomains trivial because it believed that most Internet users would not require the information.
Google did state back then that it would remove certain trivial subdomains again at a later point in time. It appears that the time has come, as Chrome 76 hides the www part of the domain name and the https:// protocol information from its address bar.
Check out how the Ghacks homepage URL is displayed in Google Chrome 76:
Chrome stripped https://www. from the address leaving just ghacks.net in the address bar. The lock icon does indicate that the site uses HTTPS but Google plans to remove it as well in the future.
You may wonder why Google decided to make the change. Google engineer Emily Schechter revealed Google's intention on the official Chromium bug page.
The Chrome team values the simplicity, usability, and security of UI surfaces. To make URLs easier to read and understand, and to remove distractions from the registrable domain, we will hide URL components that are irrelevant to most Chrome users. We plan to hide “https” scheme and special-case subdomain “www” in Chrome omnibox on desktop and Android in M76.
According to the post, Google believes that certain parts of the URL are distracting and irrelevant to most Chrome users.
Chrome users need to click twice in the URL bar to display the full address of the page. It is unclear why Google believes that clicking twice and not once is right when it comes to that but that is far from the only issue that users may experience once they upgrade to Chrome 76.
Users who try to copy just the domain part of an address will notice that Chrome automatically adds the protocol and, if the site uses it, www. to the copied address. There is no option to prevent this from happening right now; users who just want the domain need to process the copied text before they may use it as intended.
Another issue that users may run into is when a site uses www exclusively. Chrome displays the domain without www only and some users may try to load the domain without www as a consequence in the future. If there is no redirect, Chrome will display a 404 not found error instead.
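The effect described above can be modelled in a few lines. This is an added example, not Chromium's code and not part of the original article: it encodes only the rules the article states (hide https://, hide a leading www., and in the Chrome 69 attempt also m.) and reports which distinct origins end up looking identical in the address bar. The function names, the two-label guard and the sample URLs are assumptions made for the illustration.

```javascript
// Simplified model of the address-bar elision described in the article.
// Not Chromium's implementation: only the rules stated in the article are encoded.
const CHROME_76_TRIVIAL = ["www"];      // hidden in Chrome 76 per the article
const CHROME_69_TRIVIAL = ["www", "m"]; // the 2018 attempt also hid "m."

function displayedUrl(rawUrl, trivial = CHROME_76_TRIVIAL) {
  const u = new URL(rawUrl);
  // The article only describes https:// being hidden, so this sketch
  // leaves every other scheme visible.
  const scheme = u.protocol === "https:" ? "" : u.protocol + "//";
  const labels = u.host.split(".");
  // Drop one leading trivial label. Assumption of this sketch: at least two
  // labels must remain, so "www.com" is not reduced to "com".
  if (labels.length > 2 && trivial.includes(labels[0])) labels.shift();
  // The article's screenshot shows "ghacks.net", i.e. no trailing slash.
  const path = u.pathname === "/" ? "" : u.pathname;
  return scheme + labels.join(".") + path + u.search + u.hash;
}

// Group URLs by what the user would see and return every display string
// that is shared by more than one real origin.
function findCollisions(urls, trivial = CHROME_76_TRIVIAL) {
  const byDisplay = new Map();
  for (const raw of urls) {
    const shown = displayedUrl(raw, trivial);
    if (!byDisplay.has(shown)) byDisplay.set(shown, new Set());
    byDisplay.get(shown).add(new URL(raw).origin);
  }
  const collisions = [];
  for (const [shown, origins] of byDisplay) {
    if (origins.size > 1) {
      collisions.push({ shown, origins: [...origins].sort() });
    }
  }
  return collisions;
}

// Constructed sample: hosts that one site operator might serve separately.
const SAMPLE = [
  "https://www.example.com/login",
  "https://example.com/login",
  "https://m.example.com/login",
  "https://en.example.org/",
];

console.log("Chrome 76 rules:", JSON.stringify(findCollisions(SAMPLE)));
console.log("Chrome 69 rules:",
  JSON.stringify(findCollisions(SAMPLE, CHROME_69_TRIVIAL)));
```

Site operators can run their own list of hostnames through `findCollisions` to see which ones users can no longer tell apart by looking at the address bar, and then confirm that each such host redirects to a single canonical one.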
It is too early to tell if companies that use Chromium as the source for their browsers will follow Google's lead. Browsers like Microsoft Edge, Opera, Brave, or Vivaldi all use Chromium and, if their developers don't make changes to the source code, will follow Chrome in displaying less information in the address bar.
Chrome 76 currently supports two experimental flags that revert the change. These flags will be removed from Chrome eventually, however.
- Load chrome://flags/#omnibox-ui-hide-steady-state-url-scheme and set the state to Disabled to always display the URL scheme, e.g. HTTPS, in the Chrome address bar.
- Load chrome://flags/#omnibox-ui-hide-steady-state-url-trivial-subdomains and set the state to Disabled to display trivial subdomains all the time.
- Restart Google Chrome.
Closing Words
As far as I'm concerned, I prefer if browsers display all information and both the protocol and the www subdomain are vital parts of the address and should not be hidden; especially so if the hiding may lead to confusion or problems.
Google seems intent to go forward with the change on desktop and on Android. Unless there is an equally large outcry about the change, it is unlikely that Google will revert it for a second time.
I think that Google is just starting with pushing certain changes in Chrome and most of the web, and not all of them are in the best interest of Internet users.
Now You: What is your take on the change? (via Bleeping Computer)
If you have Google’s Suspicious Site Reporter extension installed, Chrome will show the full address.
https://chrome.google.com/webstore/detail/suspicious-site-reporter/jknemblkbdhdcpllfgbfekkdciegfboi
Google can do this on mobile but screw them for doing this on desktop.
One of the first things I change in about:config in a new Firefox install is I change browser.urlbar.trimURLs to False…..
If Google is doing this, you can bet it’s for a nefarious purpose.
I hope that there are some really good software white-hat folks out there who can get to the bottom of this and sniff out the REAL reason this is being implemented.
We ALL know it’s NOT for anything “good”. At best, it’s grooming people to accept less and less security and transparency. I cannot understand how most people just fall onto their backs and take that screwing with no push-back. Christ.
FF & DDG + Protonmail is about as good as it gets right now. And THAT, is still riding on top of Intel & AMD’s built-in minix backdoor written to their CPU’s. Is there any such thing as complete privacy any more? The sociopaths are definitely in charge, and I’m frightened for my children’s futures. :'(
Nice post. FYI…the past participle of “lead” is “led”, not “lead”. ;-)
This change is bad. To me it is a security issue. Everything should be displayed in full, like the address, so users can really check if they are where they are supposed to be. And if not themselves, then someone (like me) that helps users with less knowledge.
How could this change pass Google’s security checks? Also the very bad thing that the addressbar (or omnibox as they seem to prefer) is used for searches. What less gifted person’s idea was that? Now users can get more confused and security again takes a back seat. Why is this a security concern? When you move the search entry to the addressbar, you let users get used to there being other things in the addressbar than simply the address they are visiting. So if they see something that looks strange, like a weird address, they will more likely think “oh well, my webbrowser is doing something again, I just continue to ignore it like I’ve done before.”
Pretty sure that the second click in the omnibox to reveal the fully-qualified URI was to maintain the first-click feature of auto-selecting the entire address for immediate keyboard replacement by the user. A second click signifies that the user intends to actually edit the URL, and so the fully-qualified URI is brought into view, and the caret position set to the end of the string, for that purpose.
“As far as I’m concerned, I prefer if browsers display all information and both the protocol and the www subdomain are vital parts of the address and should not be hidden; especially so if the hiding may lead to confusion or problems.”
TOTALLY AGREE.
Finally! The http/https part of a url is just redundant and only serves as visual noise.
It is no longer necessary as Chrome simply displays a lock icon instead, so you already know the site is using an encrypted connection.
As for the “www” portion of the url, I can see how people could need access to that so maybe that’s something Chrome should revert back to. I notice that currently, only the “www” portion is hidden, but other subdomains like “en” on Wikipedia are still displayed.
That’s why I think www should be displayed too but I also realize that for the overwhelming majority of sites, something.com and http://www.something.com just point to the same thing, with something.com usually just redirecting to www, so I can see why they made the change for readability purposes.
Also, for people who may not have noticed this, if you click once in the url bar and then click a second time, it displays the entire url for you, complete with the http/https portion.
@Anonee: “It is no longer necessary as Chrome simply displays a lock icon instead, so you already know the site is using an encrypted connection.”
No, you don’t. You can be using https and still not get the lock icon.
Hate this. It sounds like Chrome engineers are patronizing users. “We know best- shut up and use this”. I prefer to use Firefox and Vivaldi
About you mentioning other Chromium based browsers: in the latest version of Brave ( and maybe earlier ones as well) it is exactly the same.
I don’t care about the vocal minority posting here. Well done Google, you finally got rid of them. This is one of the things I love about Opera. Finally we can get rid of them in Chrome too.
@AlEx:
I am genuinely curious — why do you think that having the browser hide important information, and lie to you about other important information, is a good thing? What benefit do you get from this?
@John Fenderson:
Less clutter to the eye. You click on the address and you have it all. Perfection. Finally chrome’s devs copied something useful from Opera.
@Anonymous:
Sure, it leads to fewer characters being displayed — but at the cost of increased risk that you won’t notice if you’re being duped.
@John Fenderson:
No, there is no risk, because there is a different icon next to the address when it’s https and a different when it’s http. The lock icon mean https, the i icon means http. Very easy to see the difference, even easier than before with the less clutter.
@Anonymous: “The lock icon mean https, the i icon means http”
This is not true. You won’t see the lock icon unless the site is https, but you can be using an https site and still not see the lock icon, because the lock icon means more than just “https or not”.
@Anonymous:
luckily there’s no way a scam site pretending to be legit can get https…..oh wait they can.
“luckily there’s no way a scam site pretending to be legit can get https…..oh wait they can.”
Umm… HTTPS doesn’t have anything to do with a site being legit or not. All sites good and bad will have HTTPS in the future.
Those are two quite good points from Anonymous: “provided the lock remains”, and “They do not add anything to the user and longer URLs allow fraudsters to pretend to be other sites more easily”.
But there Google so how to be certain that I am not because of Google getting in trouble?
I dislike both these changes.
But I suppose I can live with omitting https:// . I reckon Google see it as the next step in the push for https everywhere and phasing out of http:// . I tested in Chrome 76 and if the website is http:// only Chrome prefixes the URL with the text “Not Secure”. So the https is the new default and we should presume the connection is secure/https unless the browser explicitly warns about it. Chrome similarly informs if a local file like C:\testpage.html is loaded in Chrome by prefixing the URL with text “File”.
As for the other change, is there a full list available of what hostnames Google considers trivial?
Martin I hope you revisit this topic if any news crop up. Next time you could use this attention grabbing, but in one way true, headline: “Google wants to take www from you” ;-)
@ oso,
There’s the small matter of free SSL certificates which are available at Let’s Encrypt: https://letsencrypt.org/ This means that the fact that a site has one doesn’t imply that it’s not malicious.
Also, if Google intends to delete the https: from the URL how will they address EV SSLs? https://www.globalsign.com/en/ssl-information-center/what-is-an-extended-validation-certificate/
I think it’s important; imperative even to be able to see at a glance that users have landed on their banking site and not some malicious domain using an SSL certificate to fool them. The more details that Google removes the more difficult that will become.
@TelV , it doesn’t matter where someone gets their certificate; a certificate NEVER implies that the site is not malicious!
All a certificate does is encrypts all data between you and the host site/service, so that you don’t have to worry about outsiders snooping on the connection, or MitM attacks, etc..
ALL connections between parties should always be encrypted, so services like Let’s Encrypt are a good thing. Now what a site does with your information or what kind of service they provide is another topic and totally unrelated to https/ssl certificates.
@Anonee,
Yes, I know.
Maybe I didn’t phrase my comment properly if it gave you the impression that I didn’t know.
@oso: “So the https is the new default and we should presume the connection is secure/https unless the browser explicitly warns about it.”
The problem with that is that the “secure/not secure” tag is not solely talking about whether or not the site uses https. If the scheme portion of the URL is hidden, then it’s not possible to tell if that’s because it’s http or if it’s because of some other (possibly innocuous) reason.
I think because Chrome automatically blocks non https content – and also shows the site as being insecure, it does not really matter about the HTTPS or the www part.
Plus given the IDN homograph problem – that is to say certain non-unicode characters can be used to fool the address that you’re on – the https and www make no difference whatsoever.
eg. https://www.xn--80ak6aa92e.com try that address in Firefox and it comes up as https:\\apple.com
Try it in a chrome based browser and it comes up as it should do.
For more: https://www.xudongz.com/blog/2017/idn-phishing/
Troy Hunt talked about this a fair bit and he tried some of the major websites and depending on where you were in the world, it would not be HTTPS. This made no difference as to whether people used said site. Even the tech conscious people would not stop using said site, if they had typed it in themselves, because they would assume it has gone to the right place.
It doesn’t auto block http sites.
The redirection thing you mentioned happens all the time, though, Mother Google knows best.
Do enough of this and their customer base will be those 10 years old and under.
@Chump: “I think because Chrome automatically blocks non https content”
It does? All the more reason to avoid using Chrome.
It does not.
That’s idiotic from Google, sometimes http://www.something.com and something.com won’t give the same result.
Actually, it’s more evil than idiotic, it’s one more part of their current trend to alter/remove the URL from the UI to mislead users (like with AMP domains) and better control the browsing flow themselves. Who needs a “confusing and dangerous” address bar when you can just use the Google Search bar to find sites, and then trust Google to tell you on which site you are actually ?
Hiding of https & www is the bad things that google try to discriminate the internet, this is idiotic & evil idea to rushing the browser world from now.
Agree, their AMP project kinda gives it away. I wish this comment can be pinned, because many commenters here are actually defending Google decision.
Bingo, that it’s their final goal. Remove the URL altogether so you never know you never left google, and every page you visit will be proxied by google. They are beyond evil, but they do it very slowly (slow boiling frog) so people never leave.
https and www are distractions?
Ha, says the Ad Company!!!
Well now we know what the next feature in Firefox is.
Yeah, Firefox implemented some features that Chrome had before. But the truth also includes that Google implemented some features in Chrome that Firefox had before. So this was a really bad (and sad) try to troll.
That Chrome might have copied Firefox features doesn’t make me feel better about Firefox copying bad Chrome features.
Why google thinks the address bar with an https or www is distracting is beyond me. It’s not like it’s a flashing ad or something. When I’m reading a webpage I don’t even notice the address bar.
“…we will hide URL components that are irrelevant to most Chrome users.”
Probably true that most chrome users couldn’t care less about all that junk in the space up there. URL is a teen clothing chain store, right? Rap star? Russian truck manufacturer? Who needs it?
As long as the chromelizards are being so thoughtful, they could take the next step and stop collecting every keystroke their users make. Then quit referring their users’ browsing to sites all over the planet.
No? Of course not. What Ms. Schechter (I guess Emily is a Ms., maybe an algorithm?) said is true but its scope ends where her comment ends. She will soon be replaced by someone named Emile. Got to stay one step ahead of the culpability police!
It might very well be that this is done to make the distinction between cloud and (self-)hosted solutions even more vague for users.
While such a move might work when living in an area where good/fast internet connections are available, it won’t in areas where internet is “shoddy” as it happens to be in South America.
I also happen to make use of sub-domains on my own servers and I wholeheartedly agree with the author about not partially obscuring the URL info.
Does this hiding of the full URL also occur when hovering over links in a page in Chrome? If not, that will be Google’s next move.
Let’s hope FireFox stays away from that mindset. Chrome was never my favorite browser to begin with. This new “feature” clearly isn’t helping to win me over.
Another example of a software company being stupid, arrogant, and evil. If it ain’t broke, leave it the hell alone. Honestly, I can’t understand why anybody uses anything Google. I’d rather jump off the edge of the planet. Up Google. I detest that company with every fiber of my being. Other than that, I don’t have a problem with ’em.
“I’d rather jump off the edge of the planet”
The planet isn’t flat. You can’t jump off the edge of a sphere. 😋
google for idiots.
Ah, so the Google continues to go down the Microsoft / Apple path of “we’ll tell you what you want, what you really, really, really want.” Oh well, someday someone will do to Google what it did to Mozilla and Microsoft.
Does Google honestly think that removing https:// along with the “lock icon” is making things easier to read? I personally want that information displayed at all times. The FULL URL left intact and browser protocols displayed in full. Google does not dictate to me how a web browser should show or not show this information.
Maybe now ghacks will finally remove the pointless www. from its URL :p
www is there for a reason and if you’re smart enough, you’ll figure.
Proof that lunatics are running the asylum
Wow, great upgrade! I would give 100 MB of RAM for this feature.
I don’t have any issue with this information being hidden. http or https is irrelevant (provided the lock remains), as is www. They do not add anything to the user and longer URLs allow fraudsters to pretend to be other sites more easily.
The article states that the lock will be removed at some point.
“http or https is irrelevant (provided the lock remains),”
No, it’s not at all irrelevant. The lock icon does not indicate whether or not HTTPS is in use, it indicates whatever the browser maker is calling “secure”. With Chrome, this includes websites that use HTTPS but also use self-signed certs or have other cert issues that can be red flags. Those are very different things, and it’s important to be able to distinguish them.
@John Fenderson:
Can you give us an example please? A site that it’s http and is shown as secure?
@Anonymous:
No http site will be shown as secure, but you can easily have https sites that are shown as insecure (if they use self-signed certs or other minor cert issues) even though there’s no real security problem with them. Showing the “https://” portion allows you to distinguish between “the site communications is not encrypted” and “the site communication is encrypted, but there is something suspicious”.
Just calling a site “secure’ or “insecure” without showing the protocol hides very important security information.
This right here. If it’s not HTTPS then Chrome shows “Not secure”. Showing HTTP or HTTPS is not needed. Same with WWW. If it’s not WWW Chrome shows it (IE: WW2.XXX/).
Disable the following flag: chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains
You should see the full domain name again. It worked for me, thanks to a Bleepingcomputer.com post.
That Flag will not be available for us when they update Chrome in those couple of future update… So why I will still use their N a z i browser.
Disable Google.
I think this is a really, really terrible idea that will lead to increased confusion, particularly amongst naive users. Hiding the “https:” is even worse! Hiding important information is a really bad thing to do, and having your browser actively lie to you and misrepresent the URL (www.example.com is, in fact, a totally different URL from example.com) is deceptive and irresponsible.
Personally, this makes me even happier that I don’t use Chrome or chromium-based browsers.
“What is your take on the change?”
I prefer if browsers display all information and both the protocol and the www subdomain are vital parts of the address and should not be hidden; especially so if the hiding may lead to confusion or problems.
The fastest answer ever, only copy and paste. :-)
I hate it !!
YES
Another reason to not use big brother’s browser. Making stupid changes, taking the choice away from its user base and call it better security, we’re protecting you. Just as with the upcoming changes to the Manifest 3 getting rid of – well limiting, breaking ad-blocker- ad-blockers to protect their bottom line and calling it for better security and privacy. Good day, I said good day…
I think the chrome team is bored. They keep implementing seemingly pointless updates that leave me scratching my head if it was really necessary. As a person who is online security conscious I am always looking at the full url. It’s nice to know that that will be harder now.. Because apparently www and https is confusing to people?
Completely agree, and I would extend that to all Google apps and products as a whole.
@Bob
Exactly! Time for layoffs.
But seriously, what more can be done with all this mature software? Windows 10 is a great OS but burdened with junk and more junk and even more junk that breaks it.
As long as money pours into these “tech” companies that have little competition, they’ll have legions of superfluous employees.
When I worked in automotive, the OEM’s regularly expanded and contracted their supplier bases to keep component prices low and prevent domination by a few biggies.
What I find particularly distasteful is where the change is being proposed.
Google wishes to make the change to Chromium rather than Chrome.
Chrome would incorporate the change, but by inheriting the change in Chromium.
What is the better alternative(s) to the Chrome?
@MP Dereck:
At this moment I feel Firefox is the best alternative to Chrome out there among the major desktop/laptop browsers that “just work” with 99% of the web. It’s a lot faster and smoother than it used to be, and more deeply configurable than Chrome (i.e. You have more options to change things in the “options” menu, in a semi-hidden about:config section, and through add-ons that can do a little more than Chrome allows its own desktop add-ons to do). There’s even a version of Firefox for Android in case you want to sync your PC browser bookmarks and history with your phone browser and history (Though you don’t have to). Plus, Firefox for Android has extensions, including ad-blockers and a whole bunch of things, which Chrome for Android doesn’t offer at all for whatever reason, even though Chrome’s desktop version does.
Unlike most web browsers these days, Firefox still has its own web rendering engine (Gecko), rather than using Webkit/Blink like most of the other big browsers (Including Chrome), and I think that diversity is a plus. It’s more independent from Google than most browsers out there, even though I think, like virtually every other browser, it does get a small kickback if you use it to do searches with Google (Or with almost any web search engine), and in some countries, Google is its default search engine on install (That’s easily changed to DuckDuckGo, Bing, Yahoo, or whichever search engine you prefer after you install Firefox, though- it takes considerably less than 5 minutes to make the change to a different default search engine and then you are done if that’s what you want.).
Pale Moon is good for a minor browser, offers even more customization, and runs on Goanna, a web rendering engine that is based on Gecko, but which went its own way, similar to the way that Pale Moon itself started out as a fork of Firefox, but is fairly different from the current Firefox now (Pale Moon changed one way, and Firefox changed another way). The only bad thing about Pale Moon is that because it only has a small team of developers behind it, very modest funding, and is somewhat ideologically driven (Not in a political sense- they just have views on computer stuff that inform which features they will and won’t implement in their browser), it’s not always going to work with every feature on every website- sometimes because they are playing catch-up to a rapidly changing web (Though they do their best), and sometimes because they refuse to do things like implement the EME DRM because of their principles. Most stuff works with it, though- and it does get web compatibility and security updates along with bug fixes, just like most other browsers. You just may need a “backup” browser to use every once in a while for when it doesn’t load something correctly or whatever. Also, they don’t have an Android version anymore, so you’d just use a different browser entirely on Android and not sync the bookmarks.
If you want to stay in the Chrome/Chromium family, Vivaldi has a really nice interface and a ton of built in options. You can really make that look like you want it to and have all sorts of tools and options Chrome/Chromium doesn’t offer. The downside, though, is that it takes updates of Chromium and re-meshes it with its own code every time it updates, so there are some changes to Chromium that they may not like, but just feel like would be too much trouble to fix. It’s not truly completely independent. So, you’d just be making a partial break from Chrome there- it looks different, is owned by a different company, and has more features, but most websites just think it’s Chrome, and its reliance on Chromium means that ultimately Google’s decisions will sometimes filter down to it (And sometimes not).
Microsoft Edge is getting an overhaul and might be worth considering down the line. Right now, the new version is still a beta, and the “current” version is standing still waiting to be replaced, so now probably isn’t the best time to jump to Edge- at least on desktop. Their Android browser isn’t bad, second best to Firefox on Android IMO. However, you are risking running into the same potential reliance on Google issues you’d run into with Vivaldi (The beta desktop version and the Android version of Edge are both based on Chromium and the Blink engine), even when it’s done- though Microsoft has the dollars to break more with Google’s code if it wants to.
So, basically, I’d say Firefox is the best choice. However, I wanted to give you some other options in case you already know Firefox isn’t for you, or try it and don’t like it. A lot of this stuff is subjective. There’s not really an objective “best” web browser for everyone, the best web browser for you is the one you like using the most. :)
I have been an avid Mozilla Firefox user and advocate for several years in the past. But I switched to Google Chrome about 2 years ago when I couldn’t take it anymore for Firefox to cause freeze or forced reboot my system.
The very problem of Firefox that hasn’t been fixed yet, is its high RAM usage. While I can open around 40 tabs in Chrome with no problem, It’s impossible to open even around 15 tabs in Firefox without fans starting to work very hard or even worse a system crash/freeze.
But I will resist their devious and absolutely-unacceptable attempt to limit ad blockers’ functionality at all costs.
Patently false. I open a dozen or more tabs in Firefox all the time, on a Windows 10 system with just 8 GB of RAM. Never a slowdown, freeze, blue screen. Your experience may have been true prior to the Quantum re-write, but now it performs as smoothly as can be.
Thanks John, good information.
Googleware is made for folks like you so there is nothing better for you.
Anything not Chrome based! Or at the very least if Chrome based something that has not implemented this stupid change as well as the upcoming Manifest 3. Currently my company uses FF with Enterprise policy enabled.