Chrome Criticized Over 'Senseless Attack on the URL Bar' (androidpolice.com) 109
The site Android Police is calling out new feature flags in Chrome's early-release Dev and Canary channels (V85) "which modify the appearance and behavior of web addresses in the address bar."
The main flag is called "Omnibox UI Hide Steady-State URL Path, Query, and Ref" which hides everything in the current web address except the domain name... There are two additional flags that modify this behavior. One reveals the full address once you hover over the address bar (instead of having to click it), while the other only hides the address bar once you interact with the page...
There's no public explanation yet for why Google is pressing ahead with these changes, but the company has said in the past that it believes showing the full address can make it harder to tell if the current site is legitimate. "Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage," Chromium software engineer Livvie Lin said in a design document earlier this year.
However, it's also worth considering that making the web address less important, as this feature does, benefits Google as a company. Google's goal with Accelerated Mobile Pages (AMP) and similar technologies is to keep users on Google-hosted content as much as possible, and Chrome for Android already modifies the address bar on AMP pages to hide that the pages are hosted by Google. Modifying addresses on the desktop is another step towards making them irrelevant, which hurts the decentralized nature of the internet as a whole.
It's obvious why Google does this (Score:5, Insightful)
If you scroll right any URL from any Google page, you can see the shitload of tracker data Google tacks to any link in the GET query. It's prettier - and more importantly, out of sight and out of mind - if they hide the tracking tokens. Just like when kids do something naughty, they try to cover what they're doing.
Re:It's obvious why Google does this (Score:4, Informative)
No, it's obvious why they do it because they told us. From the bug tracker that for some reason isn't linked in the summary:
We think this is an important problem area to explore because phishing and other forms of social engineering are still rampant on the web, and much research shows that browsers' current URL display patterns aren't effective defenses. See https://www.usenix.org/system/... [usenix.org], https://storage.googleapis.com... [googleapis.com], https://dl.acm.org/doi/10.1145... [acm.org], https://cups.cs.cmu.edu/soups/... [cmu.edu], and related work for more. We're implementing this simplified domain display experiment so that we can conduct qualitative and quantitative research to understand if it helps users identify malicious websites more accurately. This means we'll have study participants exploring the prototype in lab/survey studies, and we will also roll it out to a small % of real Chrome users to understand if it helps protect them from phishing. If the results show that this simplified domain display does help protect users from attacks, then we'll make a decision about whether to ship it to all users, balancing user feedback with the security considerations. As noted above, users will have an option available to individually opt out of it if they feel that it isn't a security or usability improvement for them.
https://bugs.chromium.org/p/ch... [chromium.org]
The links they cite check out. This appears to be a genuine issue and as they note it's only an experiment for a small percentage of users at this point, not something that is guaranteed to become part of Chrome or the default.
Re:It's obvious why Google does this (Score:5, Interesting)
No, that's a convenient excuse.
Much like hiding AMP URLs, Google want to teach people to ignore all that tracking.
This is why Chrome is not my default browser, even on Android.
Re: (Score:2)
That'll be why I see so many AMP URLs being shared.
Re: (Score:1)
People like me that don't use Chrome, and never share AMP URLs?
It seems that Google have failed miserably to provide a simpler browsing experience if people can't even share the correct URL. Unless of course from Google's perspective they are...
Re: (Score:2)
It seems that Google have failed miserably to provide a simpler browsing experience if people can't even share the correct URL.
From my 10+ years of experience supporting users, that problem exists regardless of Google. People literally (not figuratively) don't even know how to find the URL of the page they're on, after explaining where to look.
Re: It's obvious why Google does this (Score:3, Informative)
Re: (Score:2)
I've also recently noticed I can't directly hit local URLs on Chrome on my phone. If I type myhostname or myhostname.localdomain, which is in my DNS and with the search order configured, I end up on Google searching for that domain with no way to get to my intended destination.
This infuriates me too. I've noticed you can work around the problem (for now at least) by adding a trailing slash, like this:
hostname/
Then it will always go to http://hostname/ [hostname] instead of doing a search for "hostname".
Re: (Score:2)
Clap Clap Clap...
Good for you.
"Hey look at me! I am able to get along in the world without using the new technology!"
This is like the guy going I didn't need to learn algebra in school because I never use it.
Perhaps I should proudly pronounce how I was able to get threw life without having to drive a forklift. But I have used a pallet jack to do the same things that I have seen people use forklifts for. But I was able to do it better, because I was able to fit in a smaller place.
Re: (Score:1)
Ooh, get you making false equivalences.
I've just invented a new suicide device, capable of killing you painlessly in just a few seconds. I'm guessing you're going to go through life without using this new technology.
Why, it's almost as though some technology is fucking shit, no matter how new it is. Fancy that.
Re: (Score:2)
Hi there, grammar Nazi here...
"threw" = past tense of throw
"through" is correct for formal and informal writings, but "thru" is good enough for informal writings, such as slashdot.
Re: (Score:2)
Okay, that's just funny. Also, something I did not know. Thanks!
Re: (Score:2)
The share button, even if it lets you copy to the clipboard, is going to copy extra junk to the clipboard instead of just what I told it to. Changing muscle memory from a standard UI experience is awful. Why not put the non-AMP URL in the address bar with an extra button required to reveal the original AMP URL?
Re: (Score:2)
Google has already fixed it in Chrome. The URL bar contains the original URL now.
Re:It's obvious why Google does this (Score:5, Insightful)
...Google want to teach people to ignore all that tracking.
Agreed. And I'm sure lots of other companies are totally on board with this. Ever noticed how much tracking shit there is in, say, an Amazon product page URL? I always sanitize these links when I'm sending them to somebody else, and when I receive un-sanitized ones I strip out all the cruft before visiting the link.
Fortunately I've never been able to stand using Chrome or Chromium. I don't rely on it and never will; so please pass the popcorn while I watch Alphabet create a whole new understanding of what 'Googled' means...
Re: (Score:1)
Sadly, I'm forced to use Chrome at work.
This is yet another reason why I prefer Firefox.
LK
Re:It's obvious why Google does this (Score:5, Insightful)
This is true and there is clearly a problem with users understanding URLs, but one of the key things to remember from the Microsoft playbook is that the reason that the developer believes they are doing a feature is often not the reason the development of the feature gets funded. This is pretty obvious with basic things around Google. Managers will be measuring "user engagement" and number of adverts clicked. When one developer proposes a new feature with a pretty layout that splits things over more screens and another developer proposes a way to group things together so that you can skip unneeded messages both will be prototyped. When they test the two features, the one that splits things up and wastes more user time will end up being developed because it matches with the managers' numbers.
The question should be not "is this a good idea" because it probably is a good idea from where we are standing. The question instead should be "what feature could go into FireFox that would achieve these aims better?" If an alternate feature that keeps user's access to the important information beyond the slash and protects the naive users better can be added to FireFox then the competition will force Google to maintain access to the full URL. Making a user interface mockup of something neat and proposing it on the FireFox bug tracker would be a good way for all the people complaining about this to start.
Re: (Score:3)
Again if you check the link I posted or RTFA you will see that the full URL is not going away. By default the whole URL is displayed when you hover the mouse over the URL bar. There is also an option to always show the full URL if that's what you want.
It's hard to see how this could be used to make people stay on a page any longer or see more ads. Do people somehow avoid engagement by looking at the URL bar?
Re: (Score:2)
It's hard to see how this could be used to make people stay on a page any longer or see more ads. Do people somehow avoid engagement by looking at the URL bar?
My guess in that direction is that people often can't find things on sites which have really obvious links like mysite.example.com/messages. If you pop up the url like mysite.example.com/messages then to begin with people use Google to find the page ("mysite messages") but after a few times they just remember the URL and go straight there. In Chrome this requires turning off google search from the URL bar, but I bet that specifically what they find is that people having memorized URLs is one of the
Re: (Score:3)
I bet the number of people who type URLs in directly is vanishingly small. A quick bit of research gives 12% for the number of "direct" visitors, but that includes bookmarks and browsers that hide the referer when making cross-domain requests.
https://www.conductor.com/blog... [conductor.com]
Actually that also includes times when the browser remembered the URL for you due to past visits and either suggested it in the search bar or added it to the new tab page as a shortcut.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Jesus fucking christ, it's so depressing that everything in the entire field of computing these days seems to go through some kind of monetization filter. Every thing that can be done has to be done in a way that drives monetization further, even if the change/feature/etc is meaningfully worse than the non-monetized version.
Re: It's obvious why Google does this (Score:2)
Re: (Score:2)
Good point.
Re: It's obvious why Google does this (Score:1)
Right. Like people are always honest, especially Google.
Now we know why you vote Democrats/Republicans. Because you think what they say is about what they do, instead of about what they want you to do.
Re: (Score:2)
I don't vote Democrat or Republican.
Re: (Score:1)
No, but you have a hard-on for communist China as your preferred system don't you? Or has their flagrant abuses of everyone finally soured you to it?
Re: (Score:2)
China isn't communist, and I never liked it.
Re: (Score:1)
Welcome to modern far left, no different from holocaust denying far right other than in what part of history they deny.
Re: (Score:1)
Re: (Score:2)
I like to go down into the mud and wrestle with the pigs on merits of their arguments on the internet, yes.
Considering your reply, aren't you guilty of the same sin? Welcome to the internet.
Re: (Score:1)
I like to go down into the mud and wrestle with the pigs on merits of their arguments on the internet, yes.
Then please do that rather than going on some tangent about politics.
Re: (Score:2)
I didn't go on the tangent. I followed someone else. Note the name of the person diving into it. I merely took his claim and repeated it from the other side of political spectrum.
Re: (Score:2)
Have you been to China? It's heavily capitalist, private business is booming and the workers most certainly do not own the means of production.
Re: (Score:2)
Have you? It has no capitalism beyond a few small businesses, as all ownership of private property is actually a long term lease if you stop listening to naive analysts who still think that "adapting some traits of market economy will make China's political system reform from Maoist Communism". And every medium and larger business must by law have a Communist Party department whose sole task is to ensure political control. It's a department whose people are hired from the CCP, and whose member cannot be fire
Re: (Score:2)
Yes, yes, we know. Adopting some parts of market economy and trading with the world made China into a shining beacon of democracy and capitalism. In alternate headcanon of people who have been repeating this mantra for last five decades.
Just because you are a true believer that spaghetti monster exists and is omnipotent doesn't make it true.
Re: (Score:2)
If they were really doing it for the end user, they wouldn’t be obfuscating the addresses on AMP pages.
Re: (Score:2)
They are de-obfuscating AMP URLs. The new system is called Signed Exchanges and it's not limited to just AMP or Google. It's kind of the next step on from CDNs.
Currently sites use certificates to allow CDNs to impersonate them, i.e. serve their content on their behalf from a location closer to the user. Signed Exchanges instead signs the HTTP exchange, i.e. the whole web page as a package. That means that for example Apple News could distribute a signed page (complete with images etc.) on behalf of say the
Re: (Score:2)
Any excuse will do. You may need to familiarize yourself with reality, where most humans tell different types of lies almost every day and deciding whether someone is telling the whole truth and nothing but the truth, a shortened truth, a carefully selected portion of truth, truth as they know it, truth as they want it to be true, truth as they deceived themselves, a massaged truth, a misrepresentation of truth that isn't wrong per se, just misleading, a fact that is true, but is a convenient excuse, a fact
Re: (Score:2)
Very interesting reading, and definitely worthwhile for /. nerds to keep in mind.
Focusing on the URL side (versus EV): it does seem that they well researched and proved the presentation wouldn't have a big effect on trust / no trust in the general control group.
But relevant to the /. feedback, I would wager a larger % of /.ers than normal fall into the "look at the URL and be suspicious group". And while I could be uncomfortable with just a "tinyurl" displayed, I would be far more comfortable (and also unc
Re: (Score:1)
Bullshit.
"It's only an experiment for a small percentage of users," is the excuse that UXtards have used since time immemorial to dumb down software.
The next step will be to make it the default. "Our telemetry indicates that few users even noticed the change, let alone tried to di
You can change the endianness of the URL (Score:2)
Just flip it around so the higher tiers of the hierarchy come first. org.slashdot.tech/blah_blah_blah can't be spoofed unless you register a domain whose name can be mistaken for org.s
Re: (Score:2)
Re: (Score:3)
If you scroll right any URL from any Google page, you can see the shitload of tracker data Google tacks to any link in the GET query. It's prettier - and more importantly, out of sight and out of mind - if they hide the tracking tokens.
That sounds like a grand conspiracy theory but reality (as always) is much dumber.
To the expert: Hiding tracking data behind a mouse click doesn't put it out of mind.
To every other user: What comes after the URL is gobbledygook. Is it tracking data, or highly important complex code that makes the internet work and the cat videos play, don't know, maybe I'll ask my Google Home someday.
From a human interaction point of view the answer is obvious, it's a meaningless clutter of information that shouldn't be fro
Re: (Score:2)
I block Google analytics, you insensitive clod! Those tracking params are the only way Google has to track me from site to site. Won't someone think of Google?
(Yes, that's why we use blockers)
Re: (Score:2)
I thought that the changes that they made to the address bar were basically designed to keep people from entering URLs completely and just do a Google search for everything. That means more user data and ad impressions for them!
Re: (Score:2)
Less web addresses, more Google searches (Score:5, Interesting)
Re: (Score:2)
Most users on the web are not technical Slashdot readers who are already aware of the functions of analytics scripts, iframes and assets that play no role other than telemetry and tracking.
The average user is not even aware of domain connections behind the scenes. And since JS often obfuscates the domains/URLs being connected to, even
Re: (Score:2)
Surely the result will be the exact opposite. By making the domain name much clearer and more visible to the user it will encourage them to type it in directly. Chrome will even helpfully auto-complete it for them.
Google does other things that push users away from search too, such as placing shortcuts on the new tab screen that go directly to the most often visited sites. Chrome supports bookmarks too, which would surely be the first to go if the goal was to force everyone to search.
Re: (Score:2)
That only brings you to the main page of that website, not the twenty-clicks-deep sub-area you were in.
Re: (Score:2)
The end goal seems obvious to me: Don't give users enough information to get to a website without performing a Google search first. Does anyone really think this could be for any other reason?
Yes, there are plenty of other reasons. Firstly the hiding of a URL bar is something common in other browsers (See Safari) and I highly doubt Apple is eager to push for all their users to funnel money to a competitor. So straight away you have a one to many relationship between your conspiracy theory and the companies involved.
But that aside let's look at the actual benefit and downside:
a) Users currently navigate by typing in domains, clicking links or sharing. None of the three are impacted by the change.
It's easy (Score:2, Interesting)
Why won't people just stop using chrome and go back to netscape, opera, whatever. Why is it so difficult NOT to vote for trump, let's say? Shouldn't we be "voting with our wallets"? Why is the "herd psychology" not working?
Re: It's easy (Score:3)
Simple. False dichotomies.
Have you noticed how whenever you say you oppose something, they automatically assume you side with "the" opposition. Like there's only one.
And then call you all the worst things that "their side" said about that opposition.
It's a very very old game.
Not to be off-topic, but to make a point without being incomplete:
"Why, of course, the people don't want war," Goering shrugged. "Why would some poor slob on a farm want to risk his life in a war when the best that he can get out
Re: It's easy (Score:2)
I'm sorry, there was supposed to be a blockquote tag around that large quote. :/
Re:It's easy (Score:5, Informative)
>> go back to netscape, opera, whatever
because :
1) Netscape is dead and long buried
2) Opera is dead
3) "Whatever" is not a web browser.
best alternative out there : Firefox.
But they actively work towards losing their remaining market share.
Re: (Score:2)
And the original Opera folks started a new browser, "Vivaldi" (which also runs on older machines), didn't they?
Links (Score:2)
Vivaldi [vivaldi.com]
Simple enough links. Oh, and by "newer stuff", I meant "popular stuff", because Opera and Vivaldi seem to be modern/up-to-date; though I'm just a user, not an expert.
Re: (Score:2)
I think the argument I hear a lot on Slashdot is that both of them are Blink derived and thus, they're no better than Chrome as the vast majority of Blink is from Google. The entire planet over, there's maybe four or five engines for web content. Google's Blink, Mozilla's Gecko, WebKit from Apple, Goanna from Pale Moon (which is actually a Gecko fork, so there's debate as to if this counts), NetSurf by ... NetSurf (however is not fully HTML 5 compliant), Microsoft's Trident (still receives patches but is n
Re: (Score:2)
But since this OP was speaking specifically about the URL bar, I was just mentioning alternatives; I don't think they mess with the bar that way.
Re: (Score:2)
If you have been using Chrome, then an easy option is to switch to Brave.
It is also based on Chromium, so it is very familiar to Chrome users.
Two advantages: Built-in adblocking, built-in ability to open a private window using Tor.
Re: (Score:2)
But they actively work towards losing their remaining market share.
And they're so close [wikipedia.org] to succeeding. Only ~4% to go, can't give up now. :-)
Re: (Score:3)
Shouldn't we be "voting with our wallets"?
We do vote with wallets. The biggest problem is a couple of techies on Slashdot can't seem to figure out why the majority of people like to buy other things.
- Signed
A non-normie, techie who understands that I and Slashdot users are different from the general populace who really couldn't give a flying fark about the URL bar.
Re: (Score:2)
It's like getting rid of internet explorer / edge / etc on Windows. Even a knowledgeable user can think he's got it all set, and then clicking on some random option or utility pulls up internet explorer and resets some buried default and you
Re: (Score:2)
Successful branding and ability to manipulate the herd due to near total control over messaging for key demographics.
Of course (Score:5, Interesting)
What's so difficult about changing the fore/background colors differently for each URL component to contrast them out from each other?
Put the protocol on a grey background, color code it for "insecurity" with your child pastel traffic light standard.
Dark background and light text for the domain so it stands out.
White background with red text and a red underline or three for a colon and port number if not default. Make a couple squiggly if you must.
Then normal colors for the address, up to the "?" separator, and everything after in a lighter text color.
If you honestly are doing this to highlight the domain name because "safety", then *highlight it*
There is no highlighting, there is nothing to contrast it from anything else. You had one job developer, one job, and you failed.
Because when you say you want to highlight something, and do not add in any highlight, but instead HIDE things... Well "highlighting the domain" is a lie. A not-bold not-stylized face lie.
Hiding things is what you do when trying to trick people, to defraud them, to take advantage.
Re:Of course (Score:4, Funny)
But but... think of the color-blind children!
Re: Of course (Score:2)
Think of the *blind* children! :)
(How well do Google services work in lynx with a screen reader btw? And do they contain CSS for voice browsers / voice rendering?)
Re: (Score:2)
What's so difficult about changing the fore/background colors differently for each URL component to contrast them out from each other? .......
Why post that anonymous? It's a great post and it's quite likely to get lost if nobody replies to it and the mods come along too late to notice it?
Re: (Score:2)
There's a reason this color coding won't happen. Aesthetically, the browser window will start to look like TempleOS. This is why the green has gone away around the padlock.
Re: (Score:2)
Re: (Score:2)
What's so difficult about changing the fore/background colors differently for each URL component to contrast them out from each other?
Put the protocol on a grey background, color code it for "insecurity" with your child pastel traffic light standard.
Dark background and light text for the domain so it stands out.
White background with red text and a red underline or three for a colon and port number if not default. Make a couple squiggly if you must.
Then normal colors for the address, up to the "?" separator, and everything after in a lighter text color.
If you honestly are doing this to highlight the domain name because "safety", then *highlight it*
There is no highlighting, there is nothing to contrast it from anything else. You had one job developer, one job, and you failed.
Because when you say you want to highlight something, and do not add in any highlight, but instead HIDE things... Well "highlighting the domain" is a lie. A not-bold not-stylized face lie.
Hiding things is what you do when trying to trick people, to defraud them, to take advantage.
Firefox is already sorta doing this, at least in the nightly build that I'm running. Everything except the domain name is grey, the top-level domain (minus .com) is white to make it stand out. I still see the whole URL.
Lord Thunderin' Jeezus (Score:4, Insightful)
This is why one should never use a browser from an advertizing company (Google Chrome) or one based on a browser from an advertizing company (Mickey Mouse Edgeium). I am sure there are other browsers based on Google Chrome(ium), none of which are at all fit for use at any cost -- unless of course they were to make a one-time cash payment of US$10,000,000.00 to install it (although I would accept the payment and install the browser on a computer, that computer would remain turned off in the corner, forever unused, having been hopelessly corrupted with Google shit).
The little browser that wanted to be an OS. (Score:2)
Ok, the fat pig more like. :)
It will do away with the URL bar, sooner or later.
Joke's on them though. My website runs JSLinux in fullscreen and nothing else. :)
Why this obfuscation? (Score:3)
Obligatory... (Score:1)
As if displaying domain names clearly is a problem (Score:2)
Firefox will do the same thing (Score:3)
Re: (Score:2)
I for one am not enough of a programmer to make a coding contribution to a proper fork. I'd be willing to pay for one, but therein lie dragons. To wit, I don't trust a handful of nobodies to succeed with such an effort, and I don't trust a large organization not to spend my money on something irrelevant.
But if someone can figure out how to solve these problems, I'm in.
Another big problem that has to be figured out is how to satisfy people. I have a small but particular set of requirements. I want an address
Doesn't hide AMP (Score:2)
I prefer an address bar that doesn't sing and dance, but fiddling it doesn't hide AMP when they put a bar across the top of the page to tell you about it and provide a link to the original...
Stop using Chrome (Score:3)
"Ignorance is strenght" (Score:3, Interesting)
So long, Chrome (Score:2)
This stupid nonsense was the final straw that made me leave Chrome once and for all. Good riddance!
Google Is Looking To Kill The URL (Score:5, Insightful)
Another Idea (Score:5, Interesting)
Re: (Score:2)
Firefox is doing this, at least in the nightly build that I'm running. Everything except for 'slashdot' in the URL is a grey color, and 'slashdot' is white.
Needs some BAR jokes (Score:1)
The past, present, and future walk into a bar.
It was tense.
An amnesiac walks into a bar.
He goes up to a beautiful blonde and says, “So, do I come here often?”
A neutron walks into a bar.
"How much for a beer?" the neutron asks.
"For you?" says the bartender. "No charge."
Jimmy Wales walks into a bar.
[citation needed]
A screwdriver rolls into a bar.
The bartender says, "Hey, we have a drink named after you!"
The screwdriver squeals, "You have a drink named Philip??"
Canadian version of the joke (Score:1)
A screwdriver rolls into a bar.
The bartender says, "Hey, we have a drink named after you!"
The screwdriver squeals, "You have a drink named Robertson??"
Enters google who cuts the URL in half. (Score:2)
An URL walks into a BAR. Enters google who cuts the URL in half, killing it.
We all know what this is (Score:1)
Dumb reason (Score:4, Informative)
If you think people are too stupid to understand URLs, why not simply display the domain name in bold? That should provide sufficient difference with the rest of the URL. Heck, maybe even display any non-path/parameters in light grey, too.
How would this affect ... (Score:2)
Better?? (Score:3)
How is this better:
You see: somesite.com
What you don't see: http://somesite.com/ [somesite.com] .malicioussite.com/payload.js
How the hell is not being able to see the extra shit supposed to be "safer"?
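An added example, not part of the thread or of any browser's code: JavaScript that splits a URL into the components commenters above want styled differently (scheme, subdomains, registrable domain, non-default port, path, query), applied to the lookalike host from the comment above. `SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the function names, emphasis labels and sample URLs are hypothetical.

```javascript
// Added example (not from the thread): split a URL into display segments so
// the registrable domain can be emphasised instead of hiding the rest.

// ASSUMPTION: a tiny constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk"]);

// Registrable domain = public suffix plus the one label to its left.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase();
  // IP literals have no registrable domain; show them whole.
  if (host.startsWith("[") || /^\d+(\.\d+){3}$/.test(host)) return host;
  const labels = host.split(".");
  // Candidates run from longest to shortest, so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  // ASSUMPTION: unknown suffix (e.g. an intranet name), keep last two labels.
  return labels.slice(-2).join(".");
}

// Break an http(s) URL into ordered segments, each with a role and an
// emphasis level that a UI could map to colours or font weight.
function segmentUrl(input) {
  const u = new URL(input); // throws TypeError on unparseable input
  if (!/^https?:$/.test(u.protocol)) throw new Error("only http(s) URLs are handled");
  const host = u.hostname.replace(/\.$/, ""); // drop a trailing root dot
  const domain = registrableDomain(host);
  const sub = host.slice(0, host.length - domain.length);
  // Credentials embedded in the URL, if any, are never part of the host.
  const userinfo = u.username
    ? u.username + (u.password ? ":" + u.password : "") + "@"
    : "";
  const segments = [
    { role: "scheme", text: u.protocol + "//", emphasis: u.protocol === "https:" ? "muted" : "warn" },
    { role: "userinfo", text: userinfo, emphasis: "warn" },
    { role: "subdomains", text: sub, emphasis: "muted" },
    { role: "domain", text: domain, emphasis: "strong" },
    // URL.port is "" when the port is the default for the scheme.
    { role: "port", text: u.port ? ":" + u.port : "", emphasis: "warn" },
    { role: "path", text: u.pathname, emphasis: "normal" },
    { role: "query", text: u.search + u.hash, emphasis: "muted" },
  ];
  return segments.filter((s) => s.text !== "");
}

// Plain-text rendering: [[...]] marks the part to trust decisions on,
// (!...!) marks parts that deserve a warning style.
function render(input) {
  const marks = { strong: ["[[", "]]"], warn: ["(!", "!)"], muted: ["", ""], normal: ["", ""] };
  return segmentUrl(input)
    .map((s) => marks[s.emphasis][0] + s.text + marks[s.emphasis][1])
    .join("");
}

// Constructed sample inputs; the first uses the hostnames from the comment.
for (const url of [
  "http://somesite.com.malicioussite.com/payload.js",
  "https://slashdot.org:8443/story?id=1#c",
]) {
  console.log(render(url));
}
```

A display that keeps the whole URL but emphasises only the `domain` segment puts the emphasis on `malicioussite.com`, with `somesite.com.` rendered as ordinary subdomain text.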
Fuck You Google (Score:2)
You've stopped making good products a long time ago and have turned into the very creature you said you wouldn't; not that any of us believed that bullshit.
Monopolies like yours destroy creativity and innovation - just look at YouTube.
But the time has come for you to go gently into that good night and fuck off forever.
We don't need you anymore (soup is good food).
Leave Google (Score:1)
Half truths bait & switch, Do as I say not as (Score:2)
Par for the course. Google will always be as dishonest as any "free" internet pimp. Mostly, their number one motivation for changing features and making "improvements" is to line their own pockets. Insofar as the user's security is concerned we would all be safer while not being held hostage to their blindfolds, price propaganda, or conveniences. We are like cattle being rounded up; a captive audience to walled garden like AOL had envisioned years ago. That's still the goal for the big shots. I still ha