SoylentNews is people

posted by Woods on Thursday May 01 2014, @07:37PM
from the now-all-those-URLs-I-memorized-are-worthless dept.

Yesterday, a Canary build of Google Chrome removed something kind of important from the browser: the URL. Basically, it only shows the domain and leaves the rest of the URL bar as a search field.

Allen Pike, a blogger who writes "about technology and crap like that" suggests burying the URL like this will probably have some usability and security benefits. From the article:

More recently, browsers started hiding the URL scheme. http:// was no more, as far as most users were concerned. In iOS 7, Mobile Safari went even further and hid everything about the URL except the domain. With the Chrome "origin chip" change, the URL will move out of the field entirely, to a tidy little button that many users will never even realize is clickable.

 
  • (Score: 4, Insightful) by DarkMorph on Thursday May 01 2014, @07:48PM

    by DarkMorph (674) on Thursday May 01 2014, @07:48PM (#38619)
    This is an excellent change. One way or another, it will make phishing attempts that much easier!

    What next, will they remove the browser's display of an anchor's hyperlink so you have no clue where the link you might click goes?
  • (Score: 0) by Anonymous Coward on Thursday May 01 2014, @07:56PM

    by Anonymous Coward on Thursday May 01 2014, @07:56PM (#38621)

    That could be next, but why don't we just skip to the end and make a pageless internet. No more annoying bs anywhere, just nothingness. In that internet of the future, there is no need for net neutrality, since there is nothing. It's also safe.

    • (Score: 1) by dast on Thursday May 01 2014, @08:17PM

      by dast (1633) on Thursday May 01 2014, @08:17PM (#38629)

      Best suggestion ever.

    • (Score: 2) by tangomargarine on Thursday May 01 2014, @08:45PM

      by tangomargarine (667) on Thursday May 01 2014, @08:45PM (#38644)

      AdBlock <html />. Then the UX guys will probably cream themselves at the beautiful white nothingness.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by forsythe on Thursday May 01 2014, @09:10PM

        by forsythe (831) on Thursday May 01 2014, @09:10PM (#38651)

        I can only think of one way to make that better. Instead of white, off-white. Sort of light-gray-ish. Eggshell, I think they call it.

        So is the world going to just send me a check, or will it be deposited to my bank account directly?

        • (Score: 0) by Anonymous Coward on Thursday May 01 2014, @09:17PM

          by Anonymous Coward on Thursday May 01 2014, @09:17PM (#38653)

          We'll send an off-white blank piece of paper.

      • (Score: 1) by Horse With Stripes on Thursday May 01 2014, @11:29PM

        by Horse With Stripes (577) on Thursday May 01 2014, @11:29PM (#38684)

        The UX people will not like a blank page because the white space will not have two directions off of the page. "Any direction" is only one direction, just ask any designer.

    • (Score: 0) by Anonymous Coward on Thursday May 01 2014, @08:58PM

      by Anonymous Coward on Thursday May 01 2014, @08:58PM (#38649)

      The trend is unification. Let's put all the content on one page accessible through only 15 convenient plugins.

  • (Score: 2) by GlennC on Thursday May 01 2014, @08:04PM

    by GlennC (3656) on Thursday May 01 2014, @08:04PM (#38625)

    Perhaps they'll replace everything with one button....conveniently tied to your credit card, of course!

    --
    Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
  • (Score: 1) by cnst on Thursday May 01 2014, @08:23PM

    by cnst (4275) on Thursday May 01 2014, @08:23PM (#38631)

    > What next, will they remove the browser's display of an anchor's hyperlink so you have no clue where the link you might click goes?

    Didn't Apple already do this with Safari back in the day a few years back?

    IIRC, they've removed the status bar by default, and didn't have any on-hover-status-bar-pop-ups back then.

    • (Score: 1) by datapharmer on Friday May 02 2014, @10:51AM

      by datapharmer (2702) on Friday May 02 2014, @10:51AM (#38838)

      yes, also even mac users don't use safari. it does crazy stuff like switching requests for https back to http with no prompt, warning or explanation.

  • (Score: 4, Interesting) by frojack on Thursday May 01 2014, @08:23PM

    by frojack (1554) on Thursday May 01 2014, @08:23PM (#38632) Journal

    This is an excellent change. One way or another, it will make phishing attempts that much easier!

    I agree. This is pretty dumb. Have we not JUST been taught a huge lesson about blindly trusting things we can't really see?
    Just when you've even taught Grandma to evaluate URLs to make sure she is at the right place, Google takes that away too!

    It also makes linking harder, sending URLs harder.

    Its whole purpose is so Google can play games with the URLs in the future to make sure all your subsequent clicks come back through them.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Informative) by Angry Jesus on Thursday May 01 2014, @08:32PM

      by Angry Jesus (182) on Thursday May 01 2014, @08:32PM (#38633)

      While I agree with the general sentiment, the following is not true:

      > It also makes linking harder, sending URLs harder.

      Try it out today where the http: protocol is already stripped, both chrome and firefox are smart enough that when you cut and paste (or drag-and-drop) the address, the pasted data automagically contains the full URL, protocol included.

      • (Score: 1) by boltronics on Friday May 02 2014, @03:33AM

        by boltronics (580) on Friday May 02 2014, @03:33AM (#38735) Homepage Journal

        This is super frustrating behaviour too! Sometimes I want the entire URL, but other times I just want the domain name (eg. to copy it into an xterm to run dig against).

        Because I have to copy from the start of the string, browsers automatically add in the https:// at the start, so I have to go and delete that in the xterm manually, wasting any time saving the copy and paste operation may have gained. If this proposed change takes place, one may find themselves needing to strip out other parts of the URL from the clipboard also, making the situation that much worse. Just show me the full text, and let me select the bits I want to copy myself - like in every other application!

        For those curious, the solution in Firefox is found in about:config, by setting browser.urlbar.trimURLs to false.

        --
        It's GNU/Linux dammit!
  • (Score: 2) by kebes on Thursday May 01 2014, @08:35PM

    by kebes (1505) on Thursday May 01 2014, @08:35PM (#38635)

    One way or another, it will make phishing attempts that much easier!

    Will it? The design in TFA shows just the domain name (e.g. "amazon.com"), so what's being hidden is the actual page address you're visiting (as well as the protocol, anchor, GET vars, etc.). Human attention/vision being what it is, hiding these other things will actually make the domain name more visible and thus make it easier to spot the difference between "amazon.com" and "amaz0n.com" or "arnazon.com". (Indeed many modern browsers highlight the domain name by putting the rest of the URL in grey-text.)

    I think there are lots of reasons to hate this idea (I routinely use the other parts of the URL to know where I am, or edit the URL to change a var or jump to another page), but I'm not sure that it will make phishing worse. When it comes to phishing, I would guess that the most important thing is deciding whether or not you trust the domain you've just jumped into (and the specific page within is less important). Am I wrong?

    • (Score: 3, Informative) by physicsmajor on Friday May 02 2014, @12:45AM

      by physicsmajor (1471) on Friday May 02 2014, @12:45AM (#38704)

      That sounds good until you realize that modern (and even not-so-modern) browsers are UTF-8 compliant.

      In the higher character codes there are many, many options which are almost visually indistinguishable from their Roman counterparts. Cyrillic is often used for this type of substitution attack. It's called an IDN Homograph, and nothing you do other than physically typing the URL using your own keyboard in a new tab will save you from it.

      http://en.wikipedia.org/wiki/IDN_homograph_attack [wikipedia.org]

      • (Score: 1) by jasassin on Friday May 02 2014, @12:54AM

        by jasassin (3566) <jasassin@gmail.com> on Friday May 02 2014, @12:54AM (#38706) Homepage Journal

        This was enlightening. I never knew about this and it's scary. Please mod parent up.

        --
        jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
      • (Score: 2, Interesting) by Aiwendil on Friday May 02 2014, @08:50AM

        by Aiwendil (531) on Friday May 02 2014, @08:50AM (#38810) Journal

        This tells us that what really is needed is a "red little 8"-icon next to the "padlock"-icon's place in the address-bar when visiting a domain with utf8-characters.

        And maybe also a little icon that shows a flag of which country the server one connects to is located in..

        And also - for developers - something that prefixes the domain with its ip-address (prefixes it like how TFA showed the domain to be displayed would be handy).

        More data is needed, especially if it can be made glanceable and ignorable.

        • (Score: 2) by physicsmajor on Friday May 02 2014, @03:04PM

          by physicsmajor (1471) on Friday May 02 2014, @03:04PM (#38932)

          Doesn't work, because while that might be a relevant indicator for those of us in a Roman-character world, it's meaningless for the rest of the international character universe because it's always on.

          The flag isn't a bad idea, but you can find this anyway if you want through extensions (and it's often not what you think). Also, botnets etc. can easily obfuscate their addresses behind bit.ly or goo.gl links (always a terrible idea to click these) which resolve to IDN homographs reaching compromised machines in one's home country. Not very hard to do this based on the country of the requestor...

          If it's ignorable, it's useless (see: Vista user access control). I've yet to encounter a glanceable solution that actually increases security generally, for all users. The only solution is physically re-typing the exact address you think you see, using your own keyboard.

          • (Score: 1) by Aiwendil on Friday May 02 2014, @03:23PM

            by Aiwendil (531) on Friday May 02 2014, @03:23PM (#38940) Journal

            I live in a country (sweden) where the alphabet has three non-roman characters, so I'm aware it would cause lots of false positives - but it would at least give a heads up, in regions where utf8-domains are the norm it probably could be best solved simply by having a "language-specific whitelist" that warns if any character comes from outside this set - we still would have the 1/i/L-problem however, but it would reduce the number of things that easily gets past the radar.

            I was pondering about that, and yeah, having a split (diagonally) flag probably would be better, with one half for the domain one is connected to, and the other half from where the most content is pulled/where the first non-redirect is located.

            Never used vista so I have no idea how its access control works. But in general the idea isn't security but rather to make things easier to spot (thereby nudging the bar ever so slightly higher)

            If your requirement is for all users pretty much nothing works. Just for kicks try to design a system that would work for the following three users: 1) a blind user 2) a deaf user 3) Stephen Hawking

            But as stated - the point isn't security but rather to raise the bar slightly (pretty much the same as with all self-signed and expired certs - not as safe as a current and verified cert, but a lot better than plaintext [as long as you remember that nothing is safe])

            • (Score: 0) by Anonymous Coward on Saturday May 03 2014, @12:31AM

              by Anonymous Coward on Saturday May 03 2014, @12:31AM (#39130)

              I don't think there is a need for a warning (in the web browser), if the domain registrars simply do not allow letters in domain names that look like other letters... in the swedish .se example the letters they allow are åäö and various accents, they also allow hebrew letters but they are not allowed in the same domain name as the latin characters so there is no risk of them being used to look like another character.

              (the web browsers do have a white list of domain registries that prevent IDN homograph attacks, showing punycode for others)

              • (Score: 1) by Aiwendil on Saturday May 03 2014, @12:32PM

                by Aiwendil (531) on Saturday May 03 2014, @12:32PM (#39216) Journal

                Interesting info about what .SE allows in their names - thanks.

                I used swedish as an example of false positive with a utf8 warning.

                (For a thing I've stumbled over in japanese)
                A fun case where I would appreciate a warning for utf8 would be in the cases of dash/minus/ichi/hyphen, they are four different signs, and even when reducing "visually similar" we still have the problem with ichi (unless we plan on either banning japanese numerals or allowing equal-signs (ni)).
                This problem is compounded by the japanese habit of using arabic numerals instead of their own even when writing in kanji (so it makes sense to keep the minus/dash sign when writing in kanji, it also makes sense to keep the non-formal ichi-symbol, and it makes sense to keep them separate (and to just disallow the non-formal ichi would cause problems with 'ni' unless one plans to allow equal-signs, and then we have the question of how odd dash and equal would look next to 'san')).

                Then again, in this specific case it probably would be better to simply enough write utf8 and ascii in different colours - which probably is a better solution to begin with.

                So, I retract my idea of having a 'red 8'-warning and replace it with an idea of simply showing utf8 and ascii-characters in different colors (or regular/bold).
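
The sub-thread above discusses three display-side checks for IDN homographs: refusing labels that mix scripts, a per-language whitelist of extra letters, and falling back to punycode when either check fails. The following is an added example, not code from any commenter or browser; the function names, verdict strings and sample hostnames are constructed for illustration, and it assumes a JavaScript runtime with the WHATWG `URL` class and Unicode property escapes (Node.js or a current browser).

```javascript
// Added example: constructed hostnames, hypothetical function names.
const SCRIPTS = ["Latin", "Cyrillic", "Greek", "Hebrew", "Han", "Hiragana", "Katakana"];
const SCRIPT_RE = SCRIPTS.map((name) => [name, new RegExp(`\\p{Script=${name}}`, "u")]);
const NEUTRAL_RE = /[\p{Script=Common}\p{Script=Inherited}]/u; // digits, "-", combining marks

// Scripts used by the letters of one DNS label (script-neutral characters are skipped).
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    if (NEUTRAL_RE.test(ch)) continue;
    const hit = SCRIPT_RE.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : "Other");
  }
  return [...found].sort();
}

// Decide what an address bar should show for `host`.
// allowedExtra: non-ASCII letters the user's language legitimately needs.
function assessHost(host, allowedExtra = "") {
  const unicode = host.normalize("NFC").toLowerCase();
  // The WHATWG URL parser applies IDNA ToASCII, yielding the xn-- (punycode) form.
  const ascii = new URL("http://" + unicode).hostname;
  const labels = unicode.split(".");

  let verdict = "ascii";
  if (labels.some((label) => scriptsOf(label).length > 1)) {
    verdict = "mixed-script"; // e.g. one Cyrillic letter inside a Latin label
  } else if ([...unicode].some((ch) => ch.codePointAt(0) > 0x7f && !allowedExtra.includes(ch))) {
    verdict = "outside-whitelist"; // single script, but not one this user expects
  } else if (ascii !== unicode) {
    verdict = "idn-allowed"; // non-ASCII, every letter is on the whitelist
  }
  const suspicious = verdict === "mixed-script" || verdict === "outside-whitelist";
  return { verdict, ascii, display: suspicious ? ascii : unicode };
}

const SWEDISH = "\u00e5\u00e4\u00f6"; // the three extra Swedish letters
const samples = [
  ["amazon.com", SWEDISH],
  ["amaz0n.com", SWEDISH],                 // ASCII lookalike: not caught by script checks
  ["\u0430mazon.com", SWEDISH],            // first letter is Cyrillic U+0430
  ["bl\u00e5b\u00e4r.se", SWEDISH],        // legitimate Swedish IDN
  ["bl\u00e5b\u00e4r.se", ""],             // same host, user without the whitelist
  ["\u043f\u0440\u0438\u043c\u0435\u0440.example", SWEDISH], // whole label in Cyrillic
];
for (const [host, allowed] of samples) {
  const r = assessHost(host, allowed);
  console.log(`${r.verdict.padEnd(18)} shown as ${r.display}`);
}
```

The `amaz0n.com` sample passes as plain ASCII, which is the 1/i/L limitation noted in the thread: script checks only address cross-script substitution.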

    • (Score: 2) by Reziac on Friday May 02 2014, @02:23AM

      by Reziac (2489) on Friday May 02 2014, @02:23AM (#38721) Homepage

      I've seen many, many phishing attempts that go to a perfectly legit domain that's been compromised, often with some long path to where they've hidden their nasties. Personal webspace on various ISPs is commonly so used, so the root may be something as well-known as, say, verizon.com. And then there are the lookalike domains, which the average person won't notice isn't for real, if only because they're not expecting it. Seen some of those in phish emails, too.

      Once upon a time, when FTP hacking was all the rage, I was looking for some file, found a link on Google, went there... longest path in the known universe and just the IP number showing in the address bar. Curious, I hied myself to the root, and found I was on Halliburton's FTP server. Which had at least a dozen different filedumps in its back reaches. Anyway, point is just because it's a known domain doesn't make it immune. Server security is better today, but still not perfect.

      --
      And there is no Alkibiades to come back and save us from ourselves.
  • (Score: 2, Insightful) by jcross on Thursday May 01 2014, @08:35PM

    by jcross (4009) on Thursday May 01 2014, @08:35PM (#38636)

    If they're still showing the domain, URLs should be equally easy to check for phishiness. Maybe even easier for Grandma without all the other URL cruft, e.g. something like "evil.io/www.yourbank.com/check-balance.jsp?un=Grandma" might not look as legit if presented as just "evil.io".

  • (Score: 2) by nitehawk214 on Thursday May 01 2014, @08:37PM

    by nitehawk214 (1304) on Thursday May 01 2014, @08:37PM (#38638)

    Goatse posters will rejoice at that suggestion.

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 3, Insightful) by Appalbarry on Thursday May 01 2014, @10:45PM

      by Appalbarry (66) on Thursday May 01 2014, @10:45PM (#38669) Journal

      Goatse [cargocollective.com] posters will rejoice at that suggestion.

      (fixed that for you....)

  • (Score: 3, Interesting) by edIII on Thursday May 01 2014, @08:45PM

    by edIII (791) on Thursday May 01 2014, @08:45PM (#38643)

    Whoever comes up with that crap is fairly unsophisticated to say the least.

    Security through obscurity never works. More precisely, it works all the way up to the point that it doesn't, and then it's always catastrophic. So the idea is by not showing this to 99% of the people that the information is somehow protected from that 1% that can use a plethora of tools to reveal it.

    Assuming they could get the idea off the ground, there would be hordes of average web developers that won't give the URL a second's thought anymore as a possible attack vector.

    Then you have the claim of greater usability. Only true if you have a very unsophisticated understanding of web technologies in the first place. Greater usability to the person is probably a minimalist approach showing no information that the lowest common denominator can't process and the use of strategic whitespace everywhere.

    This is about dumbing down the experience for most people and removing the extraneous crap. I guarantee you that if you put this person in a room with 10 engineers he will have reinvented web-tv in 1 hour.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2) by maxwell demon on Thursday May 01 2014, @10:26PM

    by maxwell demon (1608) on Thursday May 01 2014, @10:26PM (#38666) Journal

    Since the upgrade to Firefox 29 today, this hyperlink anchor display has indeed vanished for me (although I have no idea whether it's because of some bad interaction from extensions rather than a genuine change of Firefox; anyway, the update broke that, and several other things, too).

    If it were not for the extensions, I'd consider switching browsers again. Except that I have no ideas to what; there seem to be no reasonable browsers left.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 1) by NowhereMan on Thursday May 01 2014, @11:30PM

      by NowhereMan (3980) on Thursday May 01 2014, @11:30PM (#38685)
      Have a look at Pale Moon. It's based on FF and most extensions work. They are also keeping the current interface.

      http://www.palemoon.org/ [palemoon.org]
      • (Score: 0) by Anonymous Coward on Friday May 02 2014, @01:30AM

        by Anonymous Coward on Friday May 02 2014, @01:30AM (#38714)

        >They are also keeping the current interface.

        The best thing about it is, with just a few changes in the about:config section you can get back a similar FF 3.5 look and feel. And it's 64-bit.

        And they don't use the retarded version numbers as much as mozilla does (current is 24.5.0 at the time of this writing).

      • (Score: 2) by LookIntoTheFuture on Friday May 02 2014, @01:56AM

        by LookIntoTheFuture (462) on Friday May 02 2014, @01:56AM (#38717)
        "Have a look at Pale Moon. It's based on FF and most extensions work. They are also keeping the current interface.

        http://www.palemoon.org/ [palemoon.org]"

        Seconded. I started using it about a month ago, after using Firefox exclusively since it was called Phoenix. To me, it is what Firefox should be.
      • (Score: 0) by Anonymous Coward on Friday May 02 2014, @03:09AM

        by Anonymous Coward on Friday May 02 2014, @03:09AM (#38732)

        Pale Moon is an Open Source, Firefox-based web browser for Microsoft Windows...

        And that's where I stopped paying attention.

    • (Score: 2) by Reziac on Friday May 02 2014, @02:29AM

      by Reziac (2489) on Friday May 02 2014, @02:29AM (#38722) Homepage

      SeaMonkey is still decidedly old-fashioned....

      --
      And there is no Alkibiades to come back and save us from ourselves.
    • (Score: 1) by Magic Oddball on Friday May 02 2014, @08:33AM

      by Magic Oddball (3847) on Friday May 02 2014, @08:33AM (#38807) Journal

      A lot of Firefox extensions are also available for SeaMonkey these days, and a long list have been converted by Seamonkey forum members (they'll convert or help others convert any others on request):
      Modded Extensions for SeaMonkey [mozillazine.org]

      I switched over a few months ago now, and really wish I'd found out that it's a viable option before then -- it's what Firefox would have been like if the devs had focused on resource usage, stability, and useful features instead of trying to turn it into a crappy Chrome clone.

      • (Score: 2) by maxwell demon on Friday May 02 2014, @06:28PM

        by maxwell demon (1608) on Friday May 02 2014, @06:28PM (#39017) Journal

        Thanks, sounds great. I was once a SeaMonkey user, but finally had switched to Firefox because of the extensions issue. But if that has improved in the meantime, maybe I should try it again.

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1) by Gavster on Friday May 02 2014, @01:59AM

    by Gavster (4280) on Friday May 02 2014, @01:59AM (#38719)

    Chrome already supports this by using an accelerated graphics overlay to display the link target: At least on Windows, once other applications try to make use of OpenGL it stops displaying in short order.

  • (Score: 2) by Bot on Friday May 02 2014, @02:52AM

    by Bot (3902) on Friday May 02 2014, @02:52AM (#38729) Journal

    You almost got it, next will be the removal of hyperlinks, so that navigation will resemble a slide show with the content decided by the browser maker. All in the name of making things easy, officially.

    --
    Account abandoned.
  • (Score: 1) by halcyon1234 on Friday May 02 2014, @01:10PM

    by halcyon1234 (1082) on Friday May 02 2014, @01:10PM (#38889)

    What next, will they remove the browser's display of an anchor's hyperlink so you have no clue where the link you might click goes?

    Well, they could always hide the Status Bar by default (or remove it as a feature altogether). And then they could encourage everyone to use URL shortening services... perhaps by even automatically replacing all URLs server-side on most pages. And even if you look beyond the shorturl, you won't get an informative URL, because all hyperlinks are just n-deep layer of redirects to various click-trackers before finally reaching the destination.

    So in other words-- how things are right fucking now. =(

    --
    Original Submission [thedailywtf.com]