Google Puts Your Internet Security at Risk by Hiding Subdomains
The Chrome 69 update brought with it a raft of changes. Most were positive and well received. There were one or two eye-raisers, though. For instance, Google has unilaterally decided to remove certain important features of the familiar URL, in line with their overall reduction in clutter around the browser address bar.
Google claims the change only removes “trivial” characters that most people don’t pay attention to. But does removing the supposedly trivial characters actually increase your chance of landing on the wrong website? Let’s take a look.
Google Chrome 69 Removes “WWW” From URLs
Google Chrome 69 rolled out in September 2018 with a few interesting changes. Two things have grabbed the headlines:
- Chrome 69 does away with the green “https://” protocol notifier, replacing it with a simple green padlock. The green padlock represents a secure, HTTPS site and is meant to make it easier to check if your data is secure quickly.
- Also, as part of the same update, Chrome 69 drops URL subdomain information. In many cases, this means removing “www” from the URL.
The first change makes sense, at least in some ways. Combining the “Secure” tag, the existing padlock, and the “https://” protocol notifier into a single padlock does make it easier for almost everyone to spot if the site is secure or not. And when you visit a site that isn’t secured with HTTPS, the “Not secure” notification still displays. (The “Not secure” notifier will turn red in Chrome 70.)
However, the flip-side is that HTTPS doesn’t automatically make you safe (albeit, you are safer), and “non-secure” sites will enter the internet-users psyche as dangerous places (again, this isn’t completely true ).
The second change—to remove subdomain information from URLs—doesn’t make sense. Removing “www” from the URL is at best irksome and silly, and at worst could cause unsuspecting users to land on completely different sites. Worse still, Google removed the subdomains without mentioning it beforehand.
What Does Removing “WWW” From URLs Mean?
Subdomains are really important to how the internet functions.
On a basic level, “makeuseof.com” and “www.makeuseof.com” are different. They are different URLs, that could lead to different sites and even have separate DNS records.
The change also affects “m.” subdomains. For instance, m.facebook.com becomes just regular facebook.com but still shows the mobile site. The system works for Facebook. Other sites, not so much. Been to m.tumblr.com recently? Not likely, because it isn’t the Tumblr mobile site, despite how the URL looks. Rather, it is someone’s personal Tumblr domain , named “m.”
“People have a really hard time understanding URLs,” Chrome engineering manager Adrienne Porter Felt told Wired. “They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone: They know who they’re talking to when they’re using a website, and they can reason about whether they can trust them. But this will mean big changes in how and when Chrome displays URLs. We want to challenge how URLs should be displayed and question it as we’re figuring out the right way to convey identity.”
Why Shouldn’t Google Remove Subdomains?
The unexpected changes have met backlash across the internet. And for a range of reasons, too. Here are some of the main talking points.
1. Google Is Trying to Destroy the URL
Is Google using Chrome as an experimental URL-killing battleground? Some commenters think so. URLs are an important part of most internet users browsing experience removing the security that comes with a clear URL will expose more users to phishing attacks.
Despite what Adrienne Porter Felt said in the Wired interview, the “https://www.” aspect of a URL isn’t the difficult bit to read, it is just regular internet nomenclature that requires basic education. The difficult to understand bits of a URL come from the pathnames that follow the initial domain name, including cryptic file names and extensions.
Without being demeaning, the internet is a vital part of life and is now 25 year’s old. Learning to read and understand a domain name is important.
2. Google Wants AMP to Replace All URLs
Critics of Google’s AMP Project think that the move to obliterate subdomains from URLs, and therefore any Chrome address bar on any device, is a ploy to further the mobile optimizer. Google AMP essentially caches web pages and serves them as optimized mobile sites.
While many sites now have functional mobile sites, the AMP service basically forces publishers to let Google take control of their page views. Why would they do this? Otherwise, the publisher’s articles are extremely unlikely to appear in the Top Stories section of Google mobile search. Oh, and in the process, Google takes control of the monetization process, too. The user experience is great, mind, and it does cut down on malvertising and rogue advertising networks.
Google AMP critics posture that by hiding the “amp.” subdomain from users, Google will eventually funnel all web content through the service, ergo becoming the overlords of internet content. (As if they are not already.)
Reenable Subdomain Display in Google Chrome 69
You can reverse Google’s decision to remove subdomains from Google Chrome 69. Chrome has an experimental list of commands, known as “Flags.” You can enable or disable flags to turn certain experimental settings on and off. And to be fair, removing trivial subdomains from URLs is still an experiment.
Head to chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains (you might have to copy and paste the link into Google Chrome, and the specific link only works if you are using Google Chrome 69). Using the dropdown box, select Disabled, then relaunch your browser for the change to take effect.
However, if you don’t want to make the change back but do want to double-check you’re using the correct URL, just click the Chrome address bar. The full URL will display, along with its (hopefully) https:// protocol notifier.
Is This the End of the URL as We Know It?
Back in 2013, Google ran an experiment in Chromium, Google’s open-source Chrome project. The “origin chip” experiment switched the traditional browser address bar for a cleaner design, shifting domain details (including bits like the issuing certificate authority) over to the right. The idea received a fair amount of backlash from Chromium users and didn’t continue for long, but that didn’t stop it appearing in Chrome 38 back in 2014.
The Wired article (linked earlier in this article) was telling in many ways. URLs are definitely set to change. Parisa Tabriz, director of engineering at Chrome, said that “Whatever we [Google] propose is going to be controversial […] But it’s important we do something because everyone is unsatisfied by URLs. They kind of suck.”
Whatever your view on URLs, Google doesn’t care. When the internet behemoth speaks, websites listen. Because if they don’t, they have a funny knack of failing to exist for much longer .
Image Credit: sdecoret/Depositphotos