Google experimenting with hiding URLs in Chrome


Summary: In an effort to make phishing attacks more evident to the user, Chrome Canary is taking a tip from iOS Safari, emphasizing the domain and hiding the rest of the URL.

TOPICS: Security, Google

Jake Archibald, a "developer advocate" for Chrome at Google, has blogged about how the "Canary" version of Chrome is now hiding parts of the URL in order to make phishing attacks more obvious to the user. Canary is an experimental version, used to test new features like this. The feature may or may not make it into release versions of Chrome.

The image below, from Archibald's blog, shows the main effect:

[Image: Canary.URL.experiment]

The upper screen grab is from a real bank site. The lower one is from a fake phishing site created by Archibald for demonstration purposes. Chrome Canary shows only the domain part of the URL, followed by an empty box into which you can enter a URL or search term. It simply doesn't show the directory or file names in the URL. This idea was inspired by similar changes in Safari in iOS 7.

The key to most phishing attacks is to get the user not to notice that the domain name is wrong. This feature is designed to help you notice. It works a lot better with EV (Extended Validation) certificates:

[Image: Canary.URL.experiment.EV]

Once again, to emphasize, this is an experiment. Archibald is right that the rest of the URL is "noise" to most users, and you can display the URL by clicking the origin chip (that's the box with the domain name, "accounts.google.com" or "Morgan Stanley [US] benefitaccess.com" in the image above).
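The split the experiment makes between the origin chip and the hidden remainder can be modelled in a few lines. This is an added example, not code from Chrome or from Archibald's demonstration; the function names and the `example.net` URLs are constructed for illustration, and the check flags URLs that mention a trusted host only in the part the chip hides.

```javascript
// Added example: models the article's split between the "origin chip"
// (host only) and the part of the URL the Canary experiment hides.
// The example.net URLs are constructed samples, not real phishing sites.

function splitForOriginChip(rawUrl) {
  const u = new URL(rawUrl); // WHATWG URL parser, the rules browsers follow
  return {
    chip: u.hostname,                        // stays visible
    hidden: u.pathname + u.search + u.hash,  // collapsed by the experiment
  };
}

// Percent-decoding can throw on malformed input; fall back to the raw text.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    return text;
  }
}

// True when a trusted host name appears only in the hidden part of the URL,
// i.e. the page is NOT served from that host although the URL mentions it.
function trustedNameOnlyInHiddenPart(rawUrl, trustedHost) {
  const { chip, hidden } = splitForOriginChip(rawUrl);
  const trusted = trustedHost.toLowerCase();
  const servedByTrusted = chip === trusted || chip.endsWith("." + trusted);
  return !servedByTrusted && safeDecode(hidden).toLowerCase().includes(trusted);
}

const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "http://login.example.net/accounts.google.com/ServiceLogin",
  "http://login.example.net/signin?next=accounts%2Egoogle%2Ecom",
];

function review(urls, trustedHost) {
  return urls.map((url) => ({
    ...splitForOriginChip(url),
    suspicious: trustedNameOnlyInHiddenPart(url, trustedHost),
  }));
}

console.table(review(SAMPLES, "accounts.google.com"));
```

In the two constructed lookalike URLs the chip reads `login.example.net`, while the trusted name sits entirely in the portion the experiment collapses.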

The idea is, of course, controversial. While it may be in the interests of most users, there are others of us who look at URLs, and this feature makes that less convenient. Ari Palo suggests a compromise in which the URL is displayed, but blurred. He also suggests that Chrome flag domains that it knows to be good or bad.

The relevance of URLs to users has long been a controversial point. I once saw Tim Berners-Lee speak and he urged developers to make URLs opaque (like "www.zdnet.com/sd7sd76sdf58f") so that users didn't get the idea that they could read anything into them. In such a system, there's no harm done by hiding the path and file name, but often the page does not give you the tools to get to other places and a careful and clever reading of the URL can be useful.

I also would argue that removing the path would be more acceptable if Chrome did a better job of displaying page titles, but as you can see from the images, you get to see very little of the title in Chrome.

Space in and around the browser bar area is a scarce resource and Google needs to be careful and make utilitarian decisions sometimes. While I can imagine some form of this feature making it all the way to release, it's not going to be this version of it. For a mobile browser like iOS Safari with even less space, it may be reasonable to emphasize the most important aspect of the page. A desktop browser should show more.


Talkback

12 comments
  • Hope you can turn it off

    As a developer I actually need to see what is happening with the URL while debugging.
    Mac_PC_FenceSitter
  • Bad idea

    I agree with Mac_PC_FenceSitter. Not only as I am a developer as well and debug some stuff with that, I actually tend to watch my URLs for any oddities.

    Additionally, this can backfire on some forum software platforms. The forum software of several big public forum platforms utilizes the maker's URL, but each forum is a completely separate sub-site... hiding that will make it difficult to sometimes tell which forum you are actually on at a glance.
    pcheintz72
  • Death of Chrome!

    Don't do it!
    Foreseen
  • Thoughts

    First of all - URLs really should stop being for users. They are really a technical thing. They're important, yes, but the information surfaced is of no value to people like my parents. Only the parts that are shown in this experiment are really relevant to most users.

    Do people like Larry, Mac_PC_FenceSitter, pcheintz72, and myself need them? Yeah, but we're advanced users. We know enough to flip switches in options menus if we really need it. We're the minority.

    URLs are honestly technical, user-unfriendly things that I thought should have been either hidden from view or replaced with something better a long time ago.
    CobraA1
    • URLs are not technical

      They might be too technical for my parents' generation, but most people do understand most of the components of URLs even if they are not an IT professional. My teenage nephews and nieces who have no technical knowledge of such things know how to identify the key components of a URL. We have to remember the current and next generations are more accustomed to URLs and not as mystified by them as previous generations.
      winGeek
      • just because people can be accustomed to it

        doesn't mean it's a good idea to keep doing it though. I'm not saying giving URLs the axe is a good idea, but "the kids are used to it" isn't a good rationale to keep doing something on its own.
        theoilman
      • Sure they are.

        "They might be too technical for my parents' generation, but most people do understand most of the components of URLs even if they are not an IT professional."

        Common knowledge doesn't make something non-technical. And being known by teens doesn't really make something common knowledge, either.

        A URL is a series of characters put together into a specific pattern, and there's no good reason for this pattern to continue to exist 100 years from now. It's an awkward pattern, with each section of the pattern having specific technical meanings, many that really have no meaning to the user.

        I'd say that long term, we do need a replacement. The pattern should follow user needs, rather than being based on technical stuff that should be done elsewhere.

        Take, for example, "http" vs "https". This is shown by a lock (or a lack of a lock) in the browser. There is really no need anymore for this section of the pattern; it should be phased out, as it can really be handled by the back end and displayed in a user friendly manner (using the lock).

        Long term, I'd like to see something more akin to AOL's old concept of keywords. They weren't the perfect solution, but they were on the right track. In fact, URLs are headed this way if this trend of fading out and getting rid of irrelevant parts of URLs continues.

        . . . and considering the prevalence of phishing, I'd say that your teens are really a poor example of the state of people's current knowledge of URLs. They're an exception right now, not the rule.
        CobraA1
  • I hope they don't do it.

    I can understand why they want to do it. But rightly or wrongly, the URL often has information in it that I want to see. Maybe they could leave the full URL there, but bold the domain?
    nqdenise
  • what was wrong with the big green bar

    What was wrong with pushing for using EV certs? I would think (as the article points out) it would either be easier to see or simply obvious for fake sites.
    _JimB_
  • Good idea

    Perhaps they could display the total URL as squeaky help? If a power user wants to capture the entire URL, then also allow a right click copy/properties option? This offers minimal keystrokes for all and keeps the benefit of the original idea.

    User still needs to be able to type in a URL though when they already know it and don't need a search engine to find the site they are after.
    NZO893
  • Google will shoot themselves in the foot if they do this

    For one thing, YouTube URLs are important enough to be fully displayed. There are several other websites (e.g. forums, as mentioned in an earlier comment) where users need to see the full URL.
    jaykayess
  • Extremely Bad Idea

    Just what is Google up to these days?
    abbieclark1985