Google Puts Your Internet Security at Risk by Hiding Subdomains

Gavin Phillips 11-09-2018

The Chrome 69 update brought with it a raft of changes. Most were positive and well received. There were one or two eye-raisers, though. For instance, Google has unilaterally decided to remove certain important features of the familiar URL, in line with their overall reduction in clutter around the browser address bar.


Google claims the change only removes “trivial” characters that most people don’t pay attention to. But does removing the supposedly trivial characters actually increase your chance of landing on the wrong website? Let’s take a look.

Google Chrome 69 Removes “WWW” From URLs

Google Chrome 69 rolled out in September 2018 with a few interesting changes. Two things have grabbed the headlines:

  • Chrome 69 does away with the green “https://” protocol notifier, replacing it with a simple green padlock. The green padlock represents a secure, HTTPS site and is meant to make it easier to check if your data is secure quickly.
  • Also, as part of the same update, Chrome 69 drops URL subdomain information. In many cases, this means removing “www” from the 68 and chrome 69 url comparison

The first change makes sense, at least in some ways. Combining the “Secure” tag, the existing padlock, and the “https://” protocol notifier into a single padlock does make it easier for almost everyone to spot if the site is secure or not. And when you visit a site that isn’t secured with HTTPS, the “Not secure” notification still displays. (The “Not secure” notifier will turn red in Chrome 70.)

However, the flip-side is that HTTPS doesn’t automatically make you safe 7 Myths About HTTPS and SSL Certificates You Shouldn't Believe SSL certificates allow websites to encrypt and secure traffic, but there are many misunderstandings about how it works. Let's debunk them. Read More (albeit, you are safer), and “non-secure” sites will enter the internet-users psyche as dangerous places (again, this isn’t completely true 7 Reasons Your Site Needs an SSL Certificate It doesn't matter if you're developing a modest blog or a full e-commerce site: you need an SSL certificate. Here are some practical reasons why. Read More ).

The second change—to remove subdomain information from URLs—doesn’t make sense. Removing “www” from the URL is at best irksome and silly, and at worst could cause unsuspecting users to land on completely different sites. Worse still, Google removed the subdomains without mentioning it beforehand.


What Does Removing “WWW” From URLs Mean?

Subdomains are really important to how the internet functions.

On a basic level, “” and “” are different. They are different URLs, that could lead to different sites and even have separate DNS records.

The change also affects “m.” subdomains. For instance, becomes just regular but still shows the mobile site. The system works for Facebook. Other sites, not so much. Been to recently? Not likely, because it isn’t the Tumblr mobile site, despite how the URL looks. Rather, it is someone’s personal Tumblr domain How to Use Tumblr: 12 Useful Tumblr Tips for Beginners Here are the most useful Tumblr tips you need to know, including what is Tumblr, how to use Tumblr, and best practices for Tumblr. Read More , named “m.”

chrome 69 tumblr mobile site


“People have a really hard time understanding URLs,” Chrome engineering manager Adrienne Porter Felt told Wired. “They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone: They know who they’re talking to when they’re using a website, and they can reason about whether they can trust them. But this will mean big changes in how and when Chrome displays URLs. We want to challenge how URLs should be displayed and question it as we’re figuring out the right way to convey identity.”

Why Shouldn’t Google Remove Subdomains?

The unexpected changes have met backlash across the internet. And for a range of reasons, too. Here are some of the main talking points.

1. Google Is Trying to Destroy the URL

Is Google using Chrome as an experimental URL-killing battleground? Some commenters think so. URLs are an important part of most internet users browsing experience removing the security that comes with a clear URL will expose more users to phishing attacks.

Despite what Adrienne Porter Felt said in the Wired interview, the “https://www.” aspect of a URL isn’t the difficult bit to read, it is just regular internet nomenclature that requires basic education. The difficult to understand bits of a URL come from the pathnames that follow the initial domain name, including cryptic file names and extensions.


Without being demeaning, the internet is a vital part of life and is now 25 year’s old. Learning to read and understand a domain name is important.

2. Google Wants AMP to Replace All URLs

Critics of Google’s AMP Project think that the move to obliterate subdomains from URLs, and therefore any Chrome address bar on any device, is a ploy to further the mobile optimizer. Google AMP essentially caches web pages and serves them as optimized mobile sites.

While many sites now have functional mobile sites, the AMP service basically forces publishers to let Google take control of their page views. Why would they do this? Otherwise, the publisher’s articles are extremely unlikely to appear in the Top Stories section of Google mobile search. Oh, and in the process, Google takes control of the monetization process, too. The user experience is great, mind, and it does cut down on malvertising and rogue advertising networks.

Google AMP critics posture that by hiding the “amp.” subdomain from users, Google will eventually funnel all web content through the service, ergo becoming the overlords of internet content. (As if they are not already.)


Reenable Subdomain Display in Google Chrome 69

You can reverse Google’s decision to remove subdomains from Google Chrome 69. Chrome has an experimental list of commands, known as “Flags.” The Easy Guide to Google Chrome This Chrome user guide shows everything you need to know about the Google Chrome browser. It covers the basics of using Google Chrome that is important for any beginner. Read More You can enable or disable flags to turn certain experimental settings on The 12 Best Chrome Flags to Upgrade Your Browsing Experience Chrome's Flags menu is a great place to find cool experimental features. Here are the best Chrome flags to check out. Read More and off. And to be fair, removing trivial subdomains from URLs is still an experiment.

Head to chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains (you might have to copy and paste the link into Google Chrome, and the specific link only works if you are using Google Chrome 69). Using the dropdown box, select Disabled, then relaunch your browser for the change to take effect.

chrome 69 subdomain experimental flag disable

However, if you don’t want to make the change back but do want to double-check you’re using the correct URL, just click the Chrome address bar. The full URL will display, along with its (hopefully) https:// protocol notifier.

Is This the End of the URL as We Know It?

Back in 2013, Google ran an experiment in Chromium, Google’s open-source Chrome project. The “origin chip” experiment switched the traditional browser address bar for a cleaner design, shifting domain details (including bits like the issuing certificate authority) over to the right. The idea received a fair amount of backlash from Chromium users and didn’t continue for long, but that didn’t stop it appearing in Chrome 38 back in 2014.

The Wired article (linked earlier in this article) was telling in many ways. URLs are definitely set to change. Parisa Tabriz, director of engineering at Chrome, said that “Whatever we [Google] propose is going to be controversial […] But it’s important we do something because everyone is unsatisfied by URLs. They kind of suck.”

Whatever your view on URLs, Google doesn’t care. When the internet behemoth speaks, websites listen. Because if they don’t, they have a funny knack of failing to exist for much longer Why Google Was Fined: Antitrust and Technology Explored Google was fined $5 billion from the EU for anticompetitive practices. Why did this happen, and how is it similar to past cases? Let's find out. Read More .

Image Credit: sdecoret/Depositphotos

Related topics: Google Chrome, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. dragonmouth
    September 11, 2018 at 8:36 pm

    Google has NEVER had the users' interests in mind. Whatever they did and do, they do to further their hegemony and increase their bottom line. It will be interesting to watch Facebook and Google fight it over who is going to control the Internet.