
Actually, that's their argument for doing it. Most users don't understand the different bits of a URL, to know whether it's from the site they think it's from. See (huge) previous discussion from two months ago: https://news.ycombinator.com/item?id=23516088

Personally, for my own purposes, I think hiding any bit of the URL is incredibly inconvenient. Already hiding the www. is seriously annoying. I will switch this new behaviour off and hope they don't remove that option.



If that's really their justification, then I wish they would take the approach that Firefox does - show the full URL but have the domain name in white and the rest of the URL in a muted color. It provides the full information as well as highlighting the most important info for spotting a phishing scheme.


> show the full URL but have the domain name in white and the rest of the URL in a muted color

Which is exactly what they do at the moment.


wow I've never noticed this. it's pretty subtle.


Meaning that the need for the new hiding feature is... what, exactly?


Presumably that a number of users still don’t get it and the value to the remaining users is very small.


I didn't notice Firefox does this before your comment. On my screen the domain is black and the rest of it is gray. Maybe it's because I don't have any kind of night mode thing on. I'm sure the colors would be inverted with that enabled.


It is not just inconvenient, hiding or modifying URLs is a lie and is a security problem. Hiding part of the URL means that you don't really see what's going on, and that is the first step towards a security problem, not away from it.


All of the TLS handshake configurations are hidden from your UI. It is hard to see "what's going on". You aren't shown a cert signature each time you request a page. Yet the lock icon doesn't get hate.

The non-domain information in a URL is useless for making security decisions for virtually 100% of users. If anything, it has negative utility since you can make URLs nearly arbitrarily confusing as part of a phishing attack.


I don’t understand, the lock icon gives you exactly the information you could want from that though? It tells you immediately if the site you are on is HTTPS, you don’t have to hover or anything. And if you want even more details (which is not something anyone does while they browse the internet, FWIW) you can also get that information too. This change hides the information that people actually expect that UI to have–that’s why there’s an option to un-hide it!


What if I want more information? I want to know what TLS version both parties negotiated. I want to know who signed the cert and when it expires. Etc. etc.

The point is that "the UI should express everything a power user could ever want to know about some security-adjacent property" is not the status quo and people should not act like it is. Dropping to just domains is like shifting from a big blob of text including a ton of request information to just the lock icon. It distills it to something that covers basically all the information you'd ever actually need and is comprehensible to typical users.


I mean, I was upset when Google moved the certificate details from just click on the lock to click on the lock and go into developer tools and do some other bs I've forgotten since I'm no longer working where I need to confirm certificates. However, I figured that the number of people checking certificates was very small, so trying to use our weight to change Google's mind was fruitless. Fighting against hiding the URL seems a lot more tractable --- although, I just took it as a sign that Google doesn't want me to use their browsers, so I stopped.


I agree. But I'm afraid Google's solution is going to be along the lines of showing a green mark for anything served from their own servers, with the subtle implication that anything else is less trustworthy.


> Actually, that's their argument for doing it.

If AMP didn't exist I might be slightly more inclined to believe them.


They have a plan for that, too, a proposed standard (SXG: Signed HTTP Exchanges, currently only supported in Chrome and derivatives) that lets them hide the fact that AMP is being used: https://developers.google.com/web/updates/2018/11/signed-exc... and more background: https://www.eff.org/deeplinks/2020/07/googles-amp-canonical-...


I didn't know there is an option to change it back, thanks for pointing that out. I've found it really frustrating when trying to copy different parts of the URL.


Just fyi, the google chrome plugin "Suspicious Site Reporter" reverts the url back to how it always was, with http:// and www and everything else. It's very lightweight and you can just leave it on, don't have to report anything or do anything with it.

Hopefully it remains this way _forever_, even with these newer changes as well.


Or you can right click the omnibox and choose "Always show full URLs"



