Hacker News new | ask | show | jobs
by waboremo 1147 days ago
Intention is irrelevant when the end result can wind up misleading. See google removing the "m" subdomain once upon a time. Also this move to hide the full url comes at the reliance of instead looking for a green shield or some type of lock icon in the URL bar to ensure you're on https as safari hides this too.

In regards to the https problem specifically, while safari will say you are browsing an insecure page if using http, they do it in a horrible way - by adding text to the beginning of the url bar. Certainly if you were trying to reduce url confusion, you would add a separate symbol and label! I can click insecure icon on chrome and other browsers to read more about how, but I cannot do so on safari -- so much for trying to reduce confusion.
2 comments
kube-system 1147 days ago
> Also this move to hide the full url comes at the reliance of instead looking for a green shield or some type of lock icon

The move to hide the full URL is to make the URL readable for the average user. People on this site might know how to parse URL components in their head, but the average user does not inherently understand the DNS hierarchy nor do many completely understand URI delimiters.

    https://secure.bankofamerica.com.0-0.pw/login/securelogin.aspx
might look okay to a lot of people

    0-0.pw
would be a little better indicator that it isn't their bank.

The padlock is mostly useless in today's world. It was useful in a time when ecommerce was young and otherwise legitimate sites were collecting information via http. There was an attempt to make it more useful with extended validation certs, but that solution didn't really end up being effective. Phishers could still register EV certs that spoofed other names, and adoption was too low to change user behavior.

link
marcellus23 1147 days ago
To be fair, Safari would truncate that to `secure.bankofamerica.com.0-0.pw`, so not necessarily much better . But also not any worse than showing the full URL.
link
kube-system 1147 days ago
Fair enough. I'm remembering back to the original proposal from the Chrome team who were going to truncate all subdomains for this reason. But I think they backtracked some on that.
link
waboremo 1147 days ago
I'm confused by your point. You are claiming the padlock is mostly useless in today's world, but it's actually even more important in the world of hiding the full URL.
link
kube-system 1146 days ago
95% of the internet runs https.

Criminals today phish people, use HTTPS, and people have a false sense of security because of those who told them “padlock = good”. The padlock served a purpose to drive http adoption. It does more harm than good today.

Browsers should instead upgrade to https automatically on all connections.

link
marcellus23 1147 days ago
> Also this move to hide the full url comes at the reliance of instead looking for a green shield or some type of lock icon in the URL bar to ensure you're on https as safari hides this too.

What's the problem with this?

> Certainly if you were trying to reduce url confusion, you would add a separate symbol and label!

Why? I'm not following what's wrong with Safari's approach. You're stating your conclusions but not your reasoning.

> I can click insecure icon on chrome and other browsers to read more about how, but I cannot do so on safari

Read more about what?

link
waboremo 1147 days ago
There isn't a problem with the first quote.

In the second, Safari inlines the "not secure" to the URL but not in a visually clear way. It looks like "not secure" is part of the domain.

Read more about what the "not secure" and the padlock actually means.

link