Removing www and https:// poses security concerns

Google has removed www., m., and https:// from the Chrome browser’s internet address bar in a contentious change that has prompted a backlash from the cybersecurity community.

In September last year, Google stripped these elements from the address bar in Chrome 69 to simplify URL presentation.

However, the changes were rolled back after developers criticized the removal of what Google, at the time, described as “trivial subdomains”.

On July 30, Emily Schechter, product manager of Chrome Security, said that URL components deemed “irrelevant to most Chrome users” have once again been removed in Chrome 76.

“The Chrome team values the simplicity, usability, and security of UI surfaces,” Schechter said.

“We plan to hide ‘https’ scheme and special-case subdomain ‘www’ in Chrome omnibox on desktop and Android in M76.”

To view a full URL, users must now click the address bar once on mobile and twice on desktop.

Google is also planning to incorporate display guidance into the web URL standard and is working on a Chrome extension that does not mask URLs to help “power users recognize suspicious sites and report them to Safe Browsing.”

Omnibox or omnishambles?

Google says that simplifying the omnibox is of benefit to users, but a year after the changes were originally proposed, the removal of these elements remains controversial.

Google and web developers are clashing due to the absence of a standard approach that would ensure DNS settings for www. and root domains always point to the same content.

Rather than simplifying addresses, some believe that slicing away prefixes may end up actually complicating matters.

Accidental obfuscation and masking of domains creates another area of concern.

The Chrome browser now displays the “not secure” warning when a user visits an HTTP website, but this alone will not stop cyber-attackers from taking advantage of any confusion, which may result in a rise in successful phishing attacks and the use of malicious domains.

Those without a thorough knowledge of the web may also become more susceptible to such attacks.
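
To make the masking concern concrete, the following added example (not code from Chrome or from the original article) groups a site owner's own URLs by how they would be shown, so that any www., m. and root hosts that look identical can be checked for serving the same content. It assumes a simplified model taken from the article's description: only https:// and a leading www. or m. label are hidden. The function names and the sample inventory are constructed for illustration.

```javascript
// Simplified model of the elision described in the article (an assumption,
// not Chrome's implementation): hide "https://" and a leading "www." or "m.".
const HIDDEN_LABELS = ["www", "m"];

function elidedDisplay(rawUrl) {
  const u = new URL(rawUrl);
  let host = u.hostname;
  const labels = host.split(".");
  // Strip only a leading trivial label, and never reduce the host to a bare TLD.
  if (labels.length > 2 && HIDDEN_LABELS.includes(labels[0])) {
    host = labels.slice(1).join(".");
  }
  // Per the article, schemes other than https are still displayed.
  const scheme = u.protocol === "https:" ? "" : u.protocol + "//";
  const port = u.port ? ":" + u.port : "";
  const path = u.pathname === "/" ? "" : u.pathname;
  return scheme + host + port + path + u.search + u.hash;
}

// Return { displayedString: [fullUrl, ...] } for every displayed string
// that is shared by more than one distinct full URL.
function findDisplayCollisions(urls) {
  const groups = new Map();
  for (const raw of urls) {
    const shown = elidedDisplay(raw);
    if (!groups.has(shown)) groups.set(shown, new Set());
    groups.get(shown).add(new URL(raw).href);
  }
  const collisions = {};
  for (const [shown, fulls] of groups) {
    if (fulls.size > 1) collisions[shown] = [...fulls].sort();
  }
  return collisions;
}

// Constructed inventory using reserved example domains.
const SAMPLE_INVENTORY = [
  "https://www.example.com/login",
  "https://example.com/login",
  "https://m.example.com/login",
  "http://www.example.com/login",
  "https://www.example.org/",
  "https://shop.example.org/",
];

console.log(findDisplayCollisions(SAMPLE_INVENTORY));
```

Each group in the output is a set of hosts whose DNS records and content should be verified as equivalent, since the address bar alone no longer distinguishes them.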

As noted by one developer on the Chrome bug tracker: “Claiming this is being done for security is plain wrong, it doesn’t help prevent phishing attacks, in my experience it will create more confusion and make it more likely for a user to connect to the wrong site”.

Google appears to be going to great lengths to push the changes through, despite the concerns of the security community. As a result, some have also questioned the tech giant’s motives.

It has been suggested that eradicating URLs altogether may be the goal. If the omnibox becomes an address bar, requests to visit sites will be sent via Google, which could boost ad revenue.

This theory may gain further credence from Google’s apparent willingness to push through a change it has previously been obliged to abandon.

“Chrome's dominance means it can be pushed through, but really is an incredibly poor approach to [the] development of standards in general,” another user on the bug tracker says.

However, not every security professional believes the proposed changes will be detrimental to consumer security on the web.

“We actually believe this is not a major issue,” Josh Lemos, vice president of research and intelligence at BlackBerry Cylance, told The Daily Swig.

“We’ve found that the ‘NOT SECURE’ indicator is more informative for users, rather than the HTTPS”.

“Other protocol schemas still display in the address bar,” Lemos added.

“Also, the ‘www’ subdomain has long been extraneous; this would be a huge issue for phishing if it were used on all host subdomains, but that’s not what Google is doing with the new approach.”

The Daily Swig has reached out to Google for comment. The article will be updated as and when we receive a response.

