Hacker News
by simonkafan 2130 days ago
I still haven't found a good answer why they do this. "Makes it harder to tell if the current site is legitimate" sounds like an excuse. If you are the perfect target for a phishing attack (= clicks on everything, enters passwords everywhere, has no clue about host names) then you also won't be able to understand what Chrome presents you in the address bar after obfuscation.

My best explanation so far is that the Chrome team doesn't know how to improve their browser anymore so they just make up work to keep the software engineers busy.

5 comments

Trying hard not to sound like a conspiracy theorist. However, it's pretty obvious this benefits a walled garden strategy. With things like AMP, "rich snippets", etc, they keep eyeballs on Google owned properties longer. Slowly deprecating urls over time makes it less visually apparent.

AOL was able to sell "keywords" this way, because it wasn't always obvious to their users how to get to the real internet.

It's not a wacky far-out conspiracy theory to notice that Google is attempting to dominate the internet. It's a serious problem that we need to do something about before it's too late.
It is, however, a wacky far-out conspiracy theory to claim that Google is developing this feature for the purpose of internet domination.

The given purpose is phishing prevention, which is the same reason why this exact feature has been part of Safari for years yet no one pointed out that it was a nefarious attempt by Apple to take over the web and further their walled garden.

> It is, however, a wacky far-out conspiracy theory to claim that Google is developing this feature for the purpose of internet domination.

No, it's not. Are you aware that Google is mangling AMP URLs to make them look like original URLs and hide the fact that they are hosted by Google?

Which has nothing to do with the feature discussed in this thread, which is to hide non-domain parts of the URL.

What you're referring to is the Signed Exchanges proposal.

Splitting up your plan into discrete parts that seem relatively inert on their own isn't a new thing. ANFO is a good example.

And it's pretty easy to do this in a way that front line and low level MGMT Googlers wouldn't know.

The AMP lead, for example, has posted here, and seems credible and very competent for his own intentions. I'm not convinced he's totally aware of the intentions of his leadership chain.

I think the justification is that some people will think the website is legitimate if a legit hostname appears anywhere in the URL e.g.

http://scamsite.com/microsoft.com/phish

"looks" legit because it contains the string "microsoft.com" (and most "regular" users won't appreciate the different parts of a URL); under the new scheme, that would display only as "scamsite.com" and hopefully people are less likely to enter their microsoft username/password if "microsoft.com" doesn't appear anywhere in the address bar.

I'm not overly convinced of this personally, but I think that's the supposed idea behind it.

I think microsoft.scamsite.com would fool most of the people that scamsite.com/microsoft would. It's a very difficult problem. Can't we have something like certificates for domains, so we can at least trust the most potentially vulnerable cases?
If EV certificates were good they'd be great for showing alongside the URL, but they're both expensive for most (used to be $100/yr if you go for the cheapest vendor, now heavily discounted since the URL bar change made it lose value) and the legal entity verification doesn't work in the sense that company names aren't unique[0].

0: https://news.ycombinator.com/item?id=15904513

They (EV certificates) also don't do as much as you probably think they do. Or, I suppose, seen from a different angle, the actual dnsName matching does a lot more than you realise.

When you visit news.ycombinator.com obviously the browser confirms that the certificate presented is for news.ycombinator.com and not anything else. Because the machine does dnsName matches and machines are fast, it happens prior to every single transaction as necessary. In contrast EV information like company name can only be checked by a human, slowly, after a transaction already completed.

Suppose I hit this "reply" button to post this, but bad guys have just at that moment intercepted my network connection. The browser connects to news.ycombinator.com and... their certificate either isn't trustworthy or isn't for news.ycombinator.com and so this text is never sent to the bad guys at all.

But EV certificate details are only useful retrospectively. The browser can tell me after the fact that it posted the response to "Phishing Corp. Ha Ha Ha We've Got Your Data Now" but it doesn't actually know that's the wrong place so it won't abort the transaction.

For this and other reasons the entire EV design doesn't really "work" from a security point of view, and wasn't ever really intended to. It's a marketing idea, not a security idea.

Firefox's approach actually doesn't have this issue, it highlights only the actual domain. So for microsoft.scamsite.com, scamsite.com would be highlighted, and the rest in a darker gray.
One could hide the subdomain too (yes, I know there are cases where you have a different trust relationship depending on subdomain - but these are rare).
In my experience companies are pretty bad at always using their own domain even for legitimate things. I suspect it is because getting IT to do something like setting up a subdomain in any company I've worked in is virtually impossible, whereas buying a new domain is easy.

So I think most users wouldn't think something like `microsoft-it-support.com` would be suspicious.

This is a huge problem in government from what I've seen. In Canada, every province code has a longstanding two-character .ca domain, and I think they all have a 'gov' 3rd-level domain. For example, in Saskatchewan we have gov.sk.ca. However, instead of using that namespace, some departments go and register domains that look like phishing URLs. How about ehealthsask.ca for everyone in Saskatchewan to access digital health records instead of ehealth.gov.sk.ca? Yep, that's a thing.

It's pure idiocy. Instead of teaching the public that *.gov.sk.ca is a trustworthy, government-run namespace, everyone has their own domains and the general public is left to guess what's legitimate and what's phishing. Good luck with that.

And they all buy overpriced SSL certificates.

Yeah, this is very annoying. It's not every company, but it's enough different companies to be a problem.

PayPal (a company that more or less constantly moans about phishing) operated www.paypal-special.com which is a tremendously phishy-looking name, but it was a real PayPal site until they shut it down.

One nice side effect of WebAuthn binding credentials to a dnsName is that you can't change domain names without trashing all the credentials. It's mechanically impossible. So when yet another marketing genius wants customers to go to some-daft-marketing-idea.example instead of your-actual-website.example they can put fluff on that site if they want, but any sign-in or other credentials stuff will need to happen on your-actual-website.example anyway.
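
As an added example (not part of the original thread and not any browser's code), the sketch below computes the registrable domain an address bar would show or highlight for the URLs mentioned in the comments above, and applies the WebAuthn scoping rule that a credential's RP ID must be the page's host or a parent domain of it. The suffix set is a constructed subset of the Public Suffix List, and the function names are hypothetical.

```javascript
// Constructed subset of the Public Suffix List (assumption for this example);
// a real implementation loads the full, current list.
const SUFFIXES = new Set(["com", "ca", "sk.ca", "example"]);

// Number of labels in the longest public suffix that ends the host.
function publicSuffixLength(labels) {
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) return labels.length - i;
  }
  return 1; // unknown TLD: treat the last label as the suffix
}

// Registrable domain = public suffix plus one label. Path, query and
// subdomains are ignored. Handles DNS hostnames only (not IP literals).
// Returns null when the host is itself a public suffix.
function registrableDomain(url) {
  const labels = new URL(url).hostname.toLowerCase().split(".");
  const n = publicSuffixLength(labels);
  if (labels.length <= n) return null;
  return labels.slice(-(n + 1)).join(".");
}

// WebAuthn-style scoping: the RP ID must equal the origin's host or be a
// parent domain of it, and must not be a bare public suffix.
function rpIdAllowed(origin, rpId) {
  const host = new URL(origin).hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (SUFFIXES.has(id)) return false;
  return host === id || host.endsWith("." + id);
}

// URLs taken from the comments above; the https scheme is added where the
// comment gave only a host name.
const samples = [
  "http://scamsite.com/microsoft.com/phish",
  "https://microsoft.scamsite.com/",
  "https://www.paypal-special.com/",
  "https://ehealth.gov.sk.ca/",
  "https://ehealthsask.ca/",
];
for (const u of samples) console.log(u, "->", registrableDomain(u));

// A credential scoped to the real site cannot be used from the marketing domain.
console.log(rpIdAllowed("https://login.your-actual-website.example", "your-actual-website.example"));
console.log(rpIdAllowed("https://some-daft-marketing-idea.example", "your-actual-website.example"));
```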

From an advertising perspective if the cost to serve amp is less than ad revenue, this makes perfect sense. Every click on google goes to google, and you’ll like it too bc you won’t have a choice.
> "Makes it harder to tell if the current site is legitimate" sounds like an excuse.

Why? To me, having helped elderly relatives with computers a lot, it is very plausible. Phishing URLs use all sorts of subdomain and querystring tricks to fool users, and it can work.

As someone noted, not only that. But you won't see which subreddit you are on, for example. That's quite annoying.