Google is experimenting with a new visual tweak that’ll remove the full URL from the top of your web browser. This isn’t something completely new. In fact, Google announced plans to remove the unsightly mix of letters, numbers, or symbols that make up URLs back in 2018 as part of the tenth anniversary of the popular browser. Unfortunately, the company went quiet about these plans in the intervening years.
While there’s no denying that the URL isn’t the prettiest thing on screen, security experts have voiced concerns about hiding some of the more cumbersome parts of the URL. It might look messy compared to the otherwise sleek Material Design app, these portions of the URL contain important clues about whether the website you’re visiting is legitimate – or not.
According to Chrome team member Emily Stark, a number of different approaches to find a balance between a cleaner look for the browser and the security benefits of being able to check the URL you’re being pushed to when clicking a link.
“We think this is an important problem area to explore because phishing and other forms of social engineering are still rampant on the web, and much research shows that browsers’ current URL display patterns aren’t effective defences,” Emily Stark tweeted this week.
In other words, Google doesn’t think most users can reliably distinguish a legitimate URL from a scam one designed to trick users into inputing their card details or personal information.
“Chrome is experimenting with URL display again. I don’t know why this enrages folks so much. The truth is, humans can’t read URLs,” tweeted Jake Archibald, a Google Chrome team advocate for web developers.
Despite the backlash from some security experts, Archibald believes simplifying the URL is like hiding other website complexities – like encryption certificates (now buried beneath the padlock logo in the address bar) or the website code itself (only found when right-clicking and accessing the Inspect side-bar to examine code).
Archibald says: “The browser doesn’t show the user raw HTML and expect them to figure it out themselves. I don’t think we should do that with URLs either … we don’t throw the whole certificate info in the user’s face. It’s a browser’s job to show the user what’s important.
- Google Chrome users could pocket a £4,000 payout: are you eligible?
“The URL doesn’t do this very well. There’s important security info in there, but it’s obfuscated by other stuff. We shouldn’t forget how weird URLs are. Just look at them. Weird delimiters. The order of specificity changes half way through… The browser doesn’t show the user raw HTML and expect them to figure it out themselves. I don’t think we should do that with URLs either.”
The new look being trialled, which isn’t switched on by default but can be enabled in the Chrome Canary beta version of the browser, only shows the name of the website. For example, visiting https://www.gov.uk/government/news/taiwan-travel-during-coronavirus-covid-19-information-about-available-flights-and-routes will only be displayed as gov.uk in the address bar.
This is in stark contrast to the vast majority of other browsers, which display the entire alphanumeric string.
Source: Read Full Article