Intention is irrelevant when the end result can wind up misleading. See Google removing the "m" subdomain once upon a time. Also this move to hide the full URL comes at the reliance of instead looking for a green shield or some type of lock icon in the URL bar to ensure you're on HTTPS, as Safari hides this too.
In regards to the HTTPS problem specifically, while Safari will say you are browsing an insecure page if using HTTP, they do it in a horrible way - by adding text to the beginning of the URL bar. Certainly if you were trying to reduce URL confusion, you would add a separate symbol and label! I can click the insecure icon on Chrome and other browsers to read more about how, but I cannot do so on Safari -- so much for trying to reduce confusion.
> Also this move to hide the full URL comes at the reliance of instead looking for a green shield or some type of lock icon
The move to hide the full URL is to make the URL readable for the average user. People on this site might know how to parse URL components in their head, but the average user does not inherently understand the DNS hierarchy nor do many completely understand URI delimiters.
would be a little better indicator that it isn't their bank.
The padlock is mostly useless in today's world. It was useful in a time when ecommerce was young and otherwise legitimate sites were collecting information via http. There was an attempt to make it more useful with extended validation certs, but that solution didn't really end up being effective. Phishers could still register EV certs that spoofed other names, and adoption was too low to change user behavior.
To be fair, Safari would truncate that to `secure.bankofamerica.com.0-0.pw`, so not necessarily much better. But also not any worse than showing the full URL.
Fair enough. I'm remembering back to the original proposal from the Chrome team who were going to truncate all subdomains for this reason. But I think they backtracked some on that.
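The two displays discussed in the comments above (host only versus dropping the subdomains), as an added example that is not part of the thread. The suffix set is a small constructed stand-in for the Public Suffix List, the function names are hypothetical, and the path on the sample URL is constructed.

```javascript
// Constructed subset of public suffixes for this example; a real
// implementation would load the full Public Suffix List instead.
const SAMPLE_SUFFIXES = new Set(["com", "pw", "co.uk"]);

// Host-only display: scheme, path and query are dropped, every label is kept.
function hostOnly(url) {
  return new URL(url).hostname;
}

// Registrable domain: the longest matching public suffix plus one label
// to its left. Returns null when the host is itself a suffix or unknown.
function registrableDomain(hostname, suffixes = SAMPLE_SUFFIXES) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // i = 0 is the longest candidate, so the first hit is the longest suffix.
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Detection check: do the subdomain labels themselves spell out another
// registrable domain (a brand placed to the left of the real one)?
function embeddedDomain(hostname, suffixes = SAMPLE_SUFFIXES) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const reg = registrableDomain(host, suffixes);
  if (!reg || host === reg) return null;
  const sub = host.slice(0, host.length - reg.length - 1);
  return registrableDomain(sub, suffixes);
}

// Constructed sample URL built around the hostname quoted in the thread.
const sample = "https://secure.bankofamerica.com.0-0.pw/login?next=1";
console.log(hostOnly(sample));                    // what a host-only bar shows
console.log(registrableDomain(hostOnly(sample))); // what a subdomain-free bar shows
console.log(embeddedDomain(hostOnly(sample)));    // the name the host imitates
```
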
I'm confused by your point. You are claiming the padlock is mostly useless in today's world, but it's actually even more important in the world of hiding the full URL.
Criminals today phish people, use HTTPS, and people have a false sense of security because of those who told them “padlock = good”. The padlock served a purpose to drive http adoption. It does more harm than good today.
Browsers should instead upgrade to https automatically on all connections.
> Also this move to hide the full URL comes at the reliance of instead looking for a green shield or some type of lock icon in the URL bar to ensure you're on HTTPS, as Safari hides this too.
What's the problem with this?
> Certainly if you were trying to reduce URL confusion, you would add a separate symbol and label!
Why? I'm not following what's wrong with Safari's approach. You're stating your conclusions but not your reasoning.
> I can click the insecure icon on Chrome and other browsers to read more about how, but I cannot do so on Safari