Mac user and web dev here - I appreciate a lot of things about the philosophy behind Safari, but I've lost untold hours to debugging and working around inane Safari bugs. It is truly the modern equivalent of IE for front end devs.
It also makes my blood boil that Safari both hides the full path of the URL you're currently visiting and doesn't implement the standard practice of giving you a preview of the full URL you're about to visit when you hover over a link. These are horrible choices for usability and security, especially at a time when phishing is so productive.
> Safari both hides the full path of the URL you're currently visiting and doesn't implement the standard practice of giving you a preview of the full URL you're about to visit when you hover over a link
Safari has both of these. Safari > Settings > Advanced > Show full website address, and View > Show status bar.
Moreover, I don't think either of them help out with phishing. The intention behind not showing the full website address is specifically to stop phishing, since it puts the emphasis on the domain name. (Is there a phishing situation where someone could spoof the domain name? Maybe, but I imagine in that case, they could spoof the rest of the URL as well). As for the status bar, I don't think anyone would look at it even if it was enabled by default.
Even assuming these features would help stop phishing (which I don't agree with), you can't make every single feature super easy and obvious. In addition, you can't infer anything about a design from a single user's experience with it.
And frankly, the Settings window and the View menu are not obscure places to put these options. Those are the first places you should look if you're in a Mac app and want to configure the UI.
If Safari was a 1:1 clone of Chrome but without (probably) sending my stuff to Google, I'd be all over it. Millions of other Mac users too. Instead I'm using Chrome on Mac just to get many websites to even work.
Why do we need yet another clone of Chrome? The majority of noticeable browsers nowadays are Chrome clones. If you do not want to use Chrome due to sending data to Google, you can use Chromium, Brave, Vivaldi, Opera...
Parent commenter here. Before submitting that comment I literally checked once again to try and find these settings. I looked through the General, Tabs, Security, Privacy, and Websites settings. It didn't occur to me to look in Advanced for a display setting. I also looked through View, but never would have guessed that "status bar" is the name for the link preview feature.
> The intention behind not showing the full website address is specifically to stop phishing, since it puts the emphasis on the domain name instead of misleading paths. As for the status bar, I don't think anyone would look at it even if it was enabled by default.
Intention is irrelevant when the end result can wind up misleading. See Google removing the "m" subdomain once upon a time. Also this move to hide the full URL comes at the reliance of instead looking for a green shield or some type of lock icon in the URL bar to ensure you're on HTTPS as Safari hides this too.
In regards to the HTTPS problem specifically, while Safari will say you are browsing an insecure page if using HTTP, they do it in a horrible way - by adding text to the beginning of the URL bar. Certainly if you were trying to reduce URL confusion, you would add a separate symbol and label! I can click the insecure icon on Chrome and other browsers to read more about how, but I cannot do so on Safari -- so much for trying to reduce confusion.
> Also this move to hide the full URL comes at the reliance of instead looking for a green shield or some type of lock icon
The move to hide the full URL is to make the URL readable for the average user. People on this site might know how to parse URL components in their head, but the average user does not inherently understand the DNS hierarchy nor do many completely understand URI delimiters.
would be a little better indicator that it isn't their bank.
The padlock is mostly useless in today's world. It was useful in a time when ecommerce was young and otherwise legitimate sites were collecting information via http. There was an attempt to make it more useful with extended validation certs, but that solution didn't really end up being effective. Phishers could still register EV certs that spoofed other names, and adoption was too low to change user behavior.
To be fair, Safari would truncate that to `secure.bankofamerica.com.0-0.pw`, so not necessarily much better. But also not any worse than showing the full URL.
Fair enough. I'm remembering back to the original proposal from the Chrome team who were going to truncate all subdomains for this reason. But I think they backtracked some on that.
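The three address-bar forms argued over in this subthread (full URL, host only, registrable domain only), computed side by side as an added example that is not part of any comment. The hostname is the one quoted above; the path, the second sample URL and the tiny public-suffix subset are constructed assumptions.

```javascript
// Constructed subset of the Public Suffix List (assumption: a real
// implementation loads the full list published at publicsuffix.org).
const PUBLIC_SUFFIXES = new Set(["com", "pw", "uk", "co.uk"]);

// Registrable domain = longest matching public suffix plus one label to its left.
// Returns null when the host is itself a suffix or the suffix is not in the subset.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// The candidate address-bar renderings for one URL.
function displayForms(rawUrl) {
  const url = new URL(rawUrl);
  const host = url.hostname.replace(/\.$/, "");
  const registrable = registrableDomain(host);
  // Everything left of the registrable domain is chosen freely by its owner.
  const subdomains =
    registrable && host.length > registrable.length
      ? host.slice(0, -registrable.length - 1)
      : "";
  return { full: url.href, hostOnly: host, registrable, subdomains };
}

// Constructed sample URLs (paths are illustrative).
const SAMPLES = [
  "https://secure.bankofamerica.com.0-0.pw/login?session=1",
  "https://secure.bankofamerica.com/login?session=1",
];

for (const sample of SAMPLES) {
  console.log(displayForms(sample));
}
```

The host-only form keeps the brand name in the attacker-controlled subdomain labels, while the registrable-domain form reduces the first sample to `0-0.pw`.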
I'm confused by your point. You are claiming the padlock is mostly useless in today's world, but it's actually even more important in the world of hiding the full URL.
Criminals today phish people, use HTTPS, and people have a false sense of security because of those who told them “padlock = good”. The padlock served a purpose to drive http adoption. It does more harm than good today.
Browsers should instead upgrade to https automatically on all connections.
> Also this move to hide the full URL comes at the reliance of instead looking for a green shield or some type of lock icon in the URL bar to ensure you're on HTTPS as Safari hides this too.
What's the problem with this?
> Certainly if you were trying to reduce URL confusion, you would add a separate symbol and label!
Why? I'm not following what's wrong with Safari's approach. You're stating your conclusions but not your reasoning.
> I can click the insecure icon on Chrome and other browsers to read more about how, but I cannot do so on Safari
I love Safari for my phone, but I prefer Brave for my browser just because I still think Chromium is the best browser, and Brave has excellent security features. Plus it's how I found this website, when you type "news" in the search bar it automatically re-directs you here.