Chrome may soon only show the root domain name by default
Google plans to run an experiment in the Google Chrome web browser that hides all but the root domain name in the browser's address bar.
Google notes that URLs are the primary means to identify and authenticate a website; a look at the root domain name should suffice, but a recent study that Google ran suggests otherwise. While participants were able to identify legitimate URLs 93% of the time, only 40% were able to identify obfuscated URLs correctly. In other words: 60% of participants had trouble telling legitimate from illegitimate addresses simply by looking at the URL.
Attackers may use a variety of techniques to obfuscate URLs. Options include using IP addresses, using a familiar name as a subdomain, using typos, or using uncommon or unfamiliar top-level domains. Only 25.8% of all participants identified addresses with long subdomains correctly, according to Google's research paper.
Participants of the study had lots of issues identifying legitimate sites correctly. Many of the transformations are used in phishing attacks and other forms of attacks that are common on today's Internet.
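As an added illustration (not code from the article or from Chrome), the sketch below computes what a root-domain-only display would show for a URL and flags three of the traits listed above: IP-address hosts, long subdomain chains, and a familiar name placed in the subdomain. The suffix set, the brand name `mybank` and the sample URLs are constructed assumptions; a real implementation needs the full Public Suffix List.

```javascript
// Small constructed stand-in for the Public Suffix List (assumption; a real
// implementation must load the full list).
const SUFFIXES = new Set(["example", "test", "com", "co.uk"]);
// Hypothetical brand name used only for this illustration.
const KNOWN_BRANDS = ["mybank"];

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return null; // suffix not in our small list
}

// Report what a root-domain-only display would show, what it hides, and
// which of the obfuscation traits named in the article the hostname has.
function analyzeUrl(raw) {
  const host = new URL(raw).hostname.replace(/\.$/, "");
  const isIp = /^(\d{1,3}\.){3}\d{1,3}$/.test(host) || host.startsWith("[");
  const shown = isIp ? host : registrableDomain(host) || host;
  const hidden = shown === host ? "" : host.slice(0, host.length - shown.length - 1);
  const flags = [];
  if (isIp) flags.push("ip-address-host");
  if (hidden.split(".").filter(Boolean).length >= 3) flags.push("long-subdomain");
  if (KNOWN_BRANDS.some((b) => hidden.includes(b) && !shown.startsWith(b + "."))) {
    flags.push("brand-in-subdomain");
  }
  return { shown, hidden, flags };
}

// Constructed sample URLs (reserved .example/.test names, documentation IP range).
const SAMPLES = [
  "https://www.mybank.example/account/login",
  "https://mybank.example.secure-login.account.verify.lookalike.test/signin",
  "http://192.0.2.10/mybank/login",
];
for (const url of SAMPLES) {
  console.log(url, "->", JSON.stringify(analyzeUrl(url)));
}
```

For the second sample the familiar name sits entirely in the hidden part, and the shown value is the unrelated registrable domain, which is the signal the root-domain-only display is meant to surface.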
Google plans to collect real-world usage data to find out whether showing only the root domain name helps users judge the legitimacy of Internet sites.
The company plans to show the limited URL display to part of Chrome's stable user base to collect the data. The screenshots below show how Chrome will display the URL in the upcoming version of the browser for users who were selected for inclusion in the study.
The full URL is shown if the user hovers the mouse over the address bar. The right-click context menu option to select "Always show full URLs" is also available in that version.
Chrome 86 includes several flags that users may enable or disable to join the experiment or to leave it. The following flags are important:
- chrome://flags/#omnibox-ui-reveal-steady-state-url-path-query-and-ref-on-hover -- determines whether the full URL is displayed on hover.
- chrome://flags/#omnibox-ui-sometimes-elide-to-registrable-domain -- occasionally hides subdomains, path, query and ref from "steady state displayed URLs depending on heuristics".
- chrome://flags/#omnibox-ui-hide-steady-state-url-path-query-and-ref-on-interaction -- starts to hide parts of the URL when the user starts to interact with the page, e.g. by scrolling.
Closing Words
Google will analyze the experiment's data and use it to make a decision. Whether that means that Chrome will only show the root domain by default in the future is not clear at this point, but the likelihood that it could happen is there.
Most advanced users may prefer to show the full address all the time, and most probably don't mind the hiding as long as there is an option to permanently display the full URL in the address bar.
Now You: What is your preference, and why?
No no no no !
We’ve seen some phishing attacks that use legit domain names (like windows.net) to serve their malicious phishing forms. The full URL can tell the user that the website is not trustworthy, but only the root domain can’t.
This is not the only thing the International Cabal have done to pull wool over people’s eyes and losing touch with reality, have you noticed how lots of web pages, such as YouTube, don’t publish the exact date when someone leaves a comment under a video, it looks rather like…
48 minutes ago
16 hours ago
2 days ago
3 weeks ago
6 months ago
1 year ago (this one is tricky, the post can be up to near 2 years old, minus 1 day!)
how can you save a copy of, say an article, and, let’s say at some time much later, share it with someone and not being able to acknowledge when the article actually was posted because the copy doesn’t have time/date stamp, it can for example be forever “3 days ago” old, even after 1000 years, this phenomenon was introduced several years ago and sort of happened over “one night” when suddenly a lot of major web pages took this horrible route that keep us in a blind state, apparently a dark force doesn’t want us to be in sync with reality, it’s a massive psyop and this is only one tiny matter out of many others.
@slimshady
I agree with you 100%. This is clearly a move by the International Cabal to control us.
I have already gone down into my survival bunker and locked the door.
@Crazy Bob
“I have already gone down into my survival bunker and locked the door.”
Well, while it’s a serious matter that’s a little bit too silly if you’re going to lock yourself in… but I guess if you are a “crazy bob” it may be necessary, I won’t though.
Useless change. What purpose does that serve? Save 000.1% pixel on my 8k monitor?
You still use 8k? pfff, 32k 960Hz monitors are the future.
Simple.
Always the full address all the time.
More info is always a good thing because then I can understand what I am doing.
I’m hesitant to jump on the conspiracy theory bandwagon. As long as the full URL is still accessible by some means, I see this as a good thing. I truly do not mean to sound like I’m belittling people, but people are terrible with computers. As part of my job, I deal with users who literally don’t know what I mean when I ask them to “open a web browser.” Any little thing that will help users like this to stay safe while using the internet is fine by me. There are far more egregious things Google is guilty of that I’m worried about.
I had a customer try to sign into her email via the Google search bar.
There’s a lot of idiots out there.
This changes very little for me, I’m not even sure it’s newsworthy.
I’d be more curious to know about that “Unsafe Download Blocking” that’s said to come with Chrome 86, and from what I understand, Chrome will “decide” on its own which downloads are safe and which aren’t and it will cause me trouble when trying to download things.
When the takeover is incremental and not “news worthy” the result is a boiled frog. I’d say it’s already pretty damn hot in here.
Hiding AMP anyone?
First thing that came into my mind!
@Sam: I installed it a long time ago, and forgotten why until @Iron Heart told me about it above.
Change for the sake of change, and usually not beneficial to users. Is that so software vendors can say they are constantly updating their software?
The ideologues at Google ruined their search engine, they may as well ruin their browser as well.
First: Spamdexing
Second: Hide the full URL in the search results
Third: Show only the root-URL
Fourth: Malware/Scam
Fifth: Google implements a proprietary protection for the self made problem
Sixth: Chrome is the only browser left
Yep. That’s the way of Google. Firefox (at least for now with about:config) and Vivaldi are the only browsers left, beating a bit the sh*t out of this dumb behavior. Don’t try to convince me with Brave: Nope, thanks.
What’s wrong with Brave?
@vanp
There is literally nothing wrong with it. The top two “criticisms” hurled at Brave are the following two allegations:
– That they have supposedly whitelisted Facebook and Twitter trackers from their internal ad- and tracker blocker. This is of course false, what they did was to whitelist some necessary cookies without which these websites would flat out refuse to work, i.e. you could not even log in. They did this because shipping a browser that can’t even make Facebook and Twitter work correctly would be suicidal, plus those in the community having a Facebook and Twitter account were up in arms about them not working, so the team relented. The whitelist is accessible in its settings, in case you don’t care about Twitter or Facebook. Last but not least, other browsers were never blocking the elements Brave had to whitelist in the first place.
– They have provided suggestions in the address bar which contained a referral. While they did indeed do this, it only happened on a few partner websites that are clearly marked as such on the Brave website (partners were mostly related to the topic of cryptocurrency). Now, what was the purpose of the referral? The sole purpose of the referral was to differentiate Brave users from the myriad of Chrome users visiting those websites anyway, i.e. Brave’s partners in the field of cryptocurrency had a vested interest in how many Brave users visited their websites, as the Brave browser is somewhat crypto-centric. Identification of individual Brave users based on the referral was impossible, as all Brave users accessing those few websites were using the same referral link, so it was never a privacy issue. Nevertheless, the incident led to the community being up in arms over literally nothing and journalists who clearly lacked understanding of the technical background spreading fake news (gHacks being a notable exception). The practice of using referrals has since been ended(!) in the Brave browser, despite it being totally acceptable and still ongoing in other browsers (Vivaldi attaches a referral every single time you search for something within the browser, for example, in order to generate search revenue by letting their partners count how many Vivaldi users have used their search engine) and it never having been a privacy issue.
Those are really the main two “criticisms”, both are nonsense and have been way overblown to deliberately damage the Brave project, which produces one of the most privacy-respecting browsers out there. Here is my own setup if you are interested:
https://www.ghacks.net/2020/07/05/behave-for-chrome-and-firefox-warns-you-of-port-scans-and-local-attacks/#comment-4467393
Iron Heart, thanks for the info.
@vanp
Further reading in case you are still in doubt:
https://nakedsecurity.sophos.com/2019/02/12/privacy-browser-braves-user-concern-over-facebook-whitelist/
https://brave.com/referral-codes-in-suggested-sites/
Here is a study proving my claim that Brave is very privacy-respecting out of the box:
https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf
why not only bold/color root and domain
I see I am in the minority here, but I also support users every day. I do think this will help people not fall for phishing attacks and showing when hovered over is a good compromise. The URL is still editable, and the right click “always show” allows people that want to see more info all the time to do so. I am also glad to see that when the box is clicked in it does show https:// that it doesn’t do right now.
@Derek
As another technician tasked with supporting users who don’t know how to use computers, I agree with you 100%.
I can’t imagine why anyone would want to use Chrome. Google does everything it can to make sure they can give you the illusion of having some privacy while making sure that they can still suck up your data for advertising purposes. This is just one example of many. Why would you allow that if you did not have to do so? I’m well aware of the issues associated with Chromium and the few remaining non-Chromium browsers. But let’s be very clear; Chrome is the primary problem. I deleted it off my various devices a couple of years ago and have never missed it in any way.
@Herman Cost
So you lack imagination and you pretend to be “clear” with nothing more than extreme claims.
Hmm.
Mozilla will probably follow 2 months later, as they love nothing more than copying Chrome.
That’s “cool”. People already don’t know about URLs and the next step will be to hide it completely. They want to control everyone and they’ll help all scammers and spammers.
“Trust us, we’re definitely showing you the page you want to see and not some other page. Honest!”
Hide the protocol. Hide the full URL path and querystring. Hide the full hostname. Next will be hiding the domain and just putting the word “Ghacks” up there vaguely. It’s thoroughly insane.
Chrome is turning into malware in the service of advertising.
I think it’s fine, as long as you can get full url by ctrl+L shortcut, or clicking on the url bar.
Sounds like another good reason not to use Google Chromium.
Getting rid of the protocol was bad enough, but this latest proposal will only serve to confuse users even more.
@TelV
Chromium ≠ Chrome
Just because Google force-feeds its Chrome users with that doesn’t mean that other Chromium derivatives have to. Chromium is open source.
Notably, Ungoogled Chromium is guaranteed not to do this.
PS: What else do you suggest using? Firefox shortens the URL as well; on desktop you can revert this by digging the related setting out in about:config, but on mobile, where about:config was removed recently, you are also stuck with that.
Anyone with a functioning brain can see that the end-goal for Google is removing URLs as a concept so that all Internet consumption is basically siphoned through google.com. Basically a fucking Yahoo index from the 90s.
[Editor: removed, please no swearing]
@md
Will be very hard to do without closed-sourcing Chromium (which they won’t, since they heavily rely on outside contributions and have no interest in someone like Microsoft forking it), the other Chromium-based browsers can’t be forced to adopt this and cosmetic issues are an easy fix.
By the way, Mozilla is lending them their helping hand (seriously, it’s still on the gHacks front page): https://www.ghacks.net/2020/08/10/new-firefox-for-android-wont-show-full-urls-in-address-bar-just-like-chrome/
Largely a non-issue, Ungoogled Chromium will still be working as before. Other Chromium-based browsers like Vivaldi or Brave will also do something about that. That being said, this trend of shortening the URL is not appreciated by me at all. However, cosmetic changes usually only hit Chrome directly.
…can anyone explain why would Google do this? I honestly don’t understand why.
@Anonymous
As I stated above, they do this to hide accelerated mobile pages (AMP). Let’s say you go to WordPress, Google wants you not to use the plain HTML version of the page, but rather the version using their AMP framework, as that makes tracking life easier for them. In both cases the address bar would now display “WordPress”, leaving no hint that you are actually using AMP (which you could see in the full URL). The extension I linked to above prevents this by redirecting you from AMP to plain HTML. In case you want a detailed report on why AMP is problematic, I recommend these two articles:
https://www.polemicdigital.com/google-amp-go-to-hell/
https://stop.zona-m.net/2018/01/why-i-do-not-like-googles-accelerated-mobile-pages-amp/
@Iron Heart: do you know what the reason is that Google is forcing this through? They have been at it for quite a while now, taking small steps at a time but progressing nevertheless.
What is in it for them? What do they gain by facilitating malicious obfuscating activity?
@Klaas Vaak
Hiding AMP most likely, AMP is tracking-heavy. If you are worried:
https://chrome.google.com/webstore/detail/redirect-amp-to-html/kifkmmpiicbcnkjaliilaoeaojlldonl
@Iron Heart: thanks. I had already installed that extension but forgotten why, and had not bothered to recheck.
Just like Safari.