You'll hate Google's experimental Chrome UI, but so will phishers

Phishers might have a tougher time hooking victims if a new feature introduced into the experimental strain of Google's Chrome browser makes it into a future full release. The "origin-chip" feature cleans up Chrome's omnibox – or address bar – by removing lengthy URLs and replacing them with just the domain name shorn of "http …

COMMENTS

  1. Dan 55 Silver badge
    Stop

    Stop this madness now

    Having a domain name highlighted in a different colour isn't good enough?

    It's only a matter of time before all controls are replaced with a single big red button which says 'Do stuff'. With beautiful detailed rounded corners, of course.

    1. BillG
      Joke

      Re: Stop this madness now

      It's only a matter of time before all controls are replaced with a single big red button which says 'Do stuff'. With beautiful detailed rounded corners, of course

      If it has rounded corners, Apple will sue.

    2. ThomH

      Re: Stop this madness now

      You mean until they decide that colours, corners and obvious buttons are too distracting and turn it into a discreet 8x8 pixel monochrome button that shows up only if you mouseover?

      1. Anonymous Coward

        Re: ThomH

        And to make it even better, change the icon from a well known, 20 year old pictorial reference of a button, to a back flipping orangutan, because focus groups considered it a more appropriate reference image.

        (The reference is to Windows 8 settings icons not matching anything else remotely related to settings, printers, screens or this planet)

      2. h4rm0ny
        Joke

        Re: Stop this madness now

        >>"turn it into a discreet 8x8 pixel monochrome button"

        Which people will still claim looks better on their post-Retina resolution iPad 8.

        Might as well throw in a serious point whilst I'm posting:

        "Browsers stopped showing the username / password part of URLs because it made phishing too easy. This is a natural progression."

        I don't want my browser to hide the username / password part of the URL. If it does that, how will I know to back away from the astonishingly stupid site and never go there again?

    3. Oninoshiko

      Re: Stop this madness now

      Just highlighting the domain in a different colour is what I thought the moment I saw this. It's really the perfect compromise, why didn't they realize that?

    4. Anonymous Coward

      Re: Stop this madness now

      Hey, we already have that button, or so our clients seem to think when they bring in a complex proposal and expect it to be done five minutes ago!

    5. R 11

      Re: Stop this madness now

      That demands the domain name actually be shown in a different color which at present necessitates a much more expensive certificate. Or are we to have a rainbow of colors for those using EV SSL and those using plain SSL and those that are unencrypted and those with an expired certificate? Meanwhile users see the phishing domain name beside a secured padlock that they've been taught means the connection is encrypted.

      Personally, I think that so long as this can be (1) turned off, and (2) when clicked on shows the full URL, it's potentially a good thing.

      1. Oninoshiko

        Re: R11

        What I'm saying is, the browser should just highlight the text that is the part of the URL that is the FQDN. This is completely independent of what the certificate says it is valid for (assuming there is a cert at all. This should work without a cert)

        EDIT: someone below pointed out they do this already (FQDN in black, rest in grey). Apparently though the contrast is not enough for my aging eyes :(

  2. Anonymous Coward

    Good thing

    For the feeble-minded, tech-oblivious people. The people who don't need this will find the option to disable it.

    1. auburnman

      Re: Good thing

      While there is an option to disable it. Chrome has a habit of 'streamlining' things by burying options they don't want used ten sub-menus deep (e.g. Import/Export bookmarks from HTML. Used to be only a click away and easy as mince, but then came along 'store your settings in the Cloud by signing up for a Google+ account...')

    2. Michael Habel

      Re: Good thing

      For the feeble-minded, tech-oblivious people. The people who don't need this will find the option to disable it.

      Well barring for the moment, that this is in fact an article for Google's Chrome browser. I think you might find the ability to either "disable", or to "revert" becoming ever more challenging upon each new weekly release of a certain other browser, that's trying its damnedest to be Chrome.

    3. Sorry that handle is already taken. Silver badge

      Re: Good thing

      How does being ignorant regarding a certain technology make you feeble-minded?

      1. JDX Gold badge

        Re: Good thing

        >>How does being ignorant regarding a certain technology make you feeble-minded?

        Nerds like to feel superior to people just like everyone else with self doubt issues, they just have to work harder to find anyone to look down on.

  3. poh

    If this change ever does get taken up, perhaps it will finally encourage phishers to make better use of homograph attacks.

    1. h4rm0ny

      >>"If this change ever does get taken up, perhaps it will finally encourage phishers to make better use of homograph attacks."

      Is it me or is there a note of disappointment in your post at the technical lack of phishers today? It almost begs for a follow on sentence beginning: "In my day, we'd spend hours researching the CEO's personal life to craft the perfect Spear Phishing attempt. And we'd have to handle the SMTP transfer manually. At both ends!"

  4. DrXym

    Anti-phishing could be done in other ways

    e.g. putting the domain in bold, or by highlighting a url in a warning colour if it contains fragments of other domains in its user / pass or path.

    1. Test Man

      Re: Anti-phishing could be done in other ways

      The domain is ALREADY in bold.

      1. DrXym

        Re: Anti-phishing could be done in other ways

        The domain is shown in black, not bold. The remainder of the path is shown in grey. The protocol is only shown if it's https (in green for valid).

        1. Stuart Elliott

          Re: Anti-phishing could be done in other ways

          Well, I've had to go and look, been using Canary for months, and yes, you're right it's black, and the rest of the URL is grey, but if you hadn't told me it was the case I'd never have noticed, so obvious fail on the UI there...

      2. Richard Cranium

        Re: Anti-phishing could be done in other ways

        @TestMan

        Well I'd not noticed 'till today, both FF and Chrome show the domain in solid black and grey the rest. (Apparently other browsers are available for the less tech savvy who would benefit most so I checked MSIE10 YES! and Safari (Windows vsn) NO!)

        Now surely someone can find a tweak buried somewhere in FF/Chrome to make domain bold red.

        1. JDX Gold badge

          Re: Anti-phishing could be done in other ways

          They still make Safari for Windows?!

  5. stanimir

    Overall it smells like: the URLs are unneeded as we (google) deliver them for you now (and whoever pays adsense and the likes)

    1. Dave 126 Silver badge

      You're right, Google takes money from people who wish to scam the general public. Take this example, where I searched Google for EHIC. This is a card it is prudent for me to have when travelling to EU countries other than my own, since it represents a reciprocal healthcare agreement between EU member states. It is free of charge from the UK government. The first three results are:

      The European Health Insurance Card has replaced E111. Apply Online.

      www.e111.eu/

      This is effectively a scam, since they will try and charge me £20 for applying for the free EHIC card on my behalf.

      Apply for a free EHIC card - Healthcare abroad - NHS Choices

      www.nhs.uk/NHSEngland/Healthcareabroad/EHIC/.../about-the-ehic.asp...

      This result might be legitimate, but I can't tell from the Google page, since the address is truncated.

      European Health Insurance Card (EHIC)

      https://www.ehic.org.uk/

      This site is legitimate, but a lay user might find it simpler to tell if it ended with .gov.uk

      * * *

      Scam sites similar to the first result exist for other UK Gov services, such as passports and driving licenses.

      Of course, user education is a part of the solution... perhaps by including a clear and simple message on all Government letters about .gov.uk sites.

      Another part of the solution would be to tell Google that if they wish to operate in the UK they shouldn't be complicit in scamming UK citizens. The government's role is, in part, to play shepherd against the wolves of free enterprise.

      1. DaLo

        But why are they a scam?

        You and I might consider them a scam, but what defines that? The post office do the same thing, they will charge you to apply for an EHIC card because they also offer a "check and send service" the same as these companies.

        There are also visa agencies across the world who will process visa applications for you for a fee when you could get them cheaper or free elsewhere. The difference is they provide a service where they know the easy way to do bulk applications, not get hit by further bureaucracy from banana republics, get visas quickly or get 'enhanced' visas to visitors.

        Many people will use these services and pay the premium knowing about the alternatives because they do sometimes provide a valuable service.

        So should Google ban a legitimate service? Should they decide which ones they feel provide sufficient extra value? Should they ban the Post Office from doing this service?

        Or should they just wait until a court/trading standard etc decide they are illegal and then remove them?

      2. Gav

        "Wouldn't use them myself" <> scam

        Your problem is you are labelling something as a scam, simply because you see no value in it, and wouldn't use it personally. These can be legitimate services that some people may wish to pay for. Some people hate, or are bad at, form filling. Some people have literacy problems, or do not feel comfortably fluent enough in any applicable language. Some people are just lazy/busy. All may want "an expert" to do it for them and are happy to pay for that.

        The example you give looks to me to be quite upfront about what they are doing, and what you can get for free elsewhere. It may "fool" some people into thinking they have to pay and are doing it through official channels, but only if those people don't read what's in front of them in plain language. And maybe those are exactly the people who maybe can't be trusted to fill in the form themselves.

        However you are correct, there are other far shadier outfits doing this, or similar, that do amount to scams.

        1. DrXym

          Re: "Wouldn't use them myself" <> scam

          "Your problem is you are labelling something as a scam, simply because you see no value in it"

          No, they are a scam because they charge people money for something people can have for free. They're a scam because they use adwords and search engine optimization to divert people away from the official site so they can skim a fee out of people.

          1. Anonymous Coward

            Re: "Wouldn't use them myself" <> scam

            For that matter you might label accountants as scammers because they charge you to file taxes where you could do it for free yourself.

            Many of these crews are scammers, but not all.

            1. Anonymous Coward

              Re: "Wouldn't use them myself" <> scam

              I can stand in front of any store, office or station and ask for a fee for you to enter... If I never say you're obliged to pay me, and never say I'm acting on the store's behalf... have I done anything illegal or dishonest?

              No.

              Have I done anything of value?

              No.

              Thus while not a lie, I was a "scam" as I appeared to be acting on behalf of the store, office or station to take fees for entrants/users/services. When in fact, I was pretending to be a middleman. At the least I was pointing to a door to guide you to a destination you already saw. At least windscreen washers actually DO wash the windscreen, instead of asking for a fee when it rains. :P

          2. Wibble

            Re: "Wouldn't use them myself" <> scam

            Also... They're a scam because they employ considerable passing off techniques; similar typography and design (much like grocery manufacturers do to market leaders).

            If they're morally dubious and adding no value, then they're probably scammers.

            This is now getting more mainstream coverage in the UK -- for instance Money Box on Radio 4. From what I see of this change to the market-leading web browser -- Chrome -- this is simply going to aid the scammers, so expect a lot more of the "I've been conned" stories in the future.

  6. Anonymous Coward

    pointless

    This assumes that those who're not tech savvy will see what happens to that second URL and realize they're on a fake site. I very much doubt that.

    Anything short of a big popup warning 'This site may be a fake' won't be understood.

    The problem with dumbing down, hiding the full URL and so on is that over time, the average web user is going to become further and further removed from the actual workings of the web - even the basics of what a URL is and how to enter it directly into a browser by typing. The URL bar will go completely next, as users just follow links from Google and don't need to type or see the raw URL. I suspect this is really where Google is going with this - even more control over how users get to their destinations.

    1. Steve Graham

      Re: pointless

      It's common for people trying to get to a web site to type the address into the Google search box, rather than the address bar. It's difficult to overestimate how clueless the average user is.

      1. stucs201

        Re: search box / address bar

        What I really hate are browsers that merge them. I like to be certain that what I intend as a url is treated as a url and what I intend as a search be treated as a search.

        1. Anonymous Coward

          Re: search box / address bar

          I wish I could upvote you again.

        2. Anonymous Coward

          Re: search box / address bar

          Well, google's browser is always going to do that: as far as it is possible they want everything you type to be a search so that they get to see it. If you don't want that you need to use a browser which isn't Chrome (which you probably are doing).

          It's also significant that this "show the domain part of the URL" thing is happening too late for many purposes: by the time you realise that the site you have just visited isn't where you thought it was it is very often too late: they've already seen you. What you need is for the domain to be obvious before the browser actually starts talking to the server, and (for instance) google search results don't seem to do that very well, which isn't actually very surprising I suppose. Of course, it can still, perhaps, save you from further trouble.

      2. Tom 13

        Re: people trying to get to a web site to type the address into the Google search box

        Only started happening after Google introduced the feature in their search tool. Before that even the most clueless user LEARNED the difference.

        Where's the GET OFF MY LAWN icon for us old farts?

      3. Fatman

        Re: pointless

        It's difficult to overestimate how clueless STUPID the average user is.

        FTFY!!!!

    2. DaLo

      Re: pointless

      "the average web user is going to become further and further removed from the actual workings of the web"

      That started with DNS and then later with multihomed clients in HTTP 1.1 - no longer can you be sure of typing in your trusty 173.194.41.151 address to get to google search you get abstracted out to google.co.uk and don't get to even see the original IP.

      However most people would think it is a good thing, but the web will continue to evolve into abstracting the inner workings away from the user as it transitions into a simple consumer tool.

    3. Dave 126 Silver badge

      Re: pointless

      >You and I might consider them a scam, but what defines that? The post office do the same thing, they will charge you to apply for an EHIC card because they also offer a "check and send service" the same as these companies.

      The Post Office charge a modest fee for their trained staff to VALIDATE (not VERIFY) your passport application as you wait, so that obvious errors (unfilled fields, signatures beyond the boundary box, you resemble your photo etc) don't result in a delay of several days.

      You are comparing that to Web Form Vs Web Form + £20?

      Okaay....

      >Your problem is you are labelling something as a scam, simply because you see no value in it, and wouldn't use it personally.

      Ditto. And... I have a problem?

  7. Sander van der Wal
    Facepalm

    Don't use Chrome?

    1. stanimir
      Devil

      ...and lo 'n behold the rest of the browsers are to follow suit.

      1. Gavin King
        Joke

        Hogswash --- I doubt very much that Lynx will ever do this.

  8. Anonymous Coward

    Since i scan every url i "might" click looking for malformed urls that take me to advertisers or phishing sites i think it's a good move. You can read more about the way i scan urls at

    http://www-theregister.co.uk/readallaboutit/

    i think.

  9. PaulR79

    Never click links for banks etc in emails

    I have received some emails from my bank that are legitimate and then I've also received a lot of phishing emails claiming to be my bank. I treat them both the same and check all URLs by hovering over with the mouse. If, after that, I'm still uncertain I'll manually enter the website address in my browser. If there isn't anything relating to the email when I login then I'd assume it's a phishing email and forward it to the bank's phishing email address.

    1. Anonymous Coward
      Thumb Up

      Re: Never click links for banks etc in emails

      Yes, couldn't agree more. Set your mail client display content in plain text too. It's much harder to hide iffy links that way.

    2. Arctic fox

      @PaulR79 "Never click links for banks etc in emails"

      Indeed. However, I would go further. If my bank were to be so brain-dead as to send me an e-mail that required any kind of active action by me they would get the most tremendous rocket from me over the phone. In all fairness they have shown no signs of doing anything like that.

      1. DaLo

        Re: @PaulR79 "Never click links for banks etc in emails"

        Banks do this all the time. Ever had a phone call from your bank that starts "I just need to ask you some security questions to confirm your identity"?

        Also (in the UK) with the 3Dsecure standard. Notice the web address that you get redirected to is not your bank, or visa/mastercard, or the original site. Yep it's just a 'random' address with the word secure in it that you have to trust is not the site you were on trying to phish your information (or someone else inserting themselves in the middle).

        When you look at the OTT requirements of the PCI standards and compare it with the insecure workings of the bank it makes you wonder if it's "one rule for them and one rule for the rest of us".

        1. Anonymous Coward

          Re: @PaulR79 "Never click links for banks etc in emails"

          I keep the login URLs to all web services along with the passwords; and always use my local link to get to the site. Makes me near-impossible to phish even if I'm not concentrating.

        2. peter_dtm

          @DaLo : Ever had a phone call from your bank

          Ever had a phone call from your bank

          yup & they get asked who what and why; and I refuse point blank to discuss anything other than why they have called me and the fact that THEY have called me; and the fact that it was YOU who called me so no I am not going to do ANY security with them; nor am I going to call back any number they ask me to either. I do tell them that I will phone on the relevant 0800 number so I need their name & reason for the call.

          I then phone back on the 0800 number for my bank's general enquiries and ask to be put through to who ever is trying to contact me

          Score so far :

          3 that were genuine

          2 that were sales (with resulting complaint made at the time and by secure email) - sales calls are not of course any reason for having security; I actually consider them to be scams ...

          1 that had the bank go charging off somewhere else to shut down some scam or other.

          My bank tends not to phone me now; except by express invite

        3. Tim Bates

          Re: @PaulR79 "Never click links for banks etc in emails"

          "Banks do this all the time. Ever had a phone call from your bank that starts "I just need to ask you some security questions to confirm your identity"?"

          I hate those. I don't even suggest I'll call back. If it's important, they find a way to ID themselves to you. And if they can't do that, they tend to revert to old fashioned paper in the mail.

      2. Spanners Silver badge

        Re: @PaulR79 "Never click links for banks etc in emails"

        I'm fairly sure that I read a story here that some bank had done this.

      3. Richard Cranium

        Re: @PaulR79 "Never click links for banks etc in emails"

        You are right but in effect the (some?) banks do this when they phone you.

        My bank has called a couple of times to check "suspicious activity" on my account (usually it's legitimate activity but outside my normal spending pattern). First thing they do is ask a question to confirm they are speaking to the right person - a scammer could use that approach to harvest details from you. In reality it is I who should be asking a question to confirm who they are, and that's what I do. Even then their standard answer is problematic: "call back using the number on the back of your credit/debit card and quote reference..." If it is a scammer they don't put the phone down so you "redial" but the line hasn't dropped and you are still connected to the original caller. If you are alert you can check, if you've not got a dialling tone the line is still open.

        1. DaLo

          Re: @PaulR79 "Never click links for banks etc in emails"

          " If you are alert you can check, if you've not got a dialling tone the line is still open."

          Ahh, but they play an artificial dialling tone down the line until you press the first digit. Another way to check is to dial a different number and see if that "goes through to the bank" or just see if a human answers when you call - as no bank ever answers its phone until you've gone through at least twenty layers of menu options first.

    3. silent_count

      Re: Never click links [snip] in emails

      Security-by-mouseover

      [a href="dodgy-site. com" onmouseover= "status.text='YourBank. com';"] visit YourBank. com [/a]

    4. Tom 13

      Re: Never click links for banks etc in emails

      I don't even hover over the links. If they want me to do something, I either type it in myself or I use my locally stored bookmarks.

  10. Aebleskiver

    I've been getting disillusioned with the direction of both Chrome and Firefox in recent times... I switched to SeaMonkey recently and I'm really enjoying it. No intention to dumb down, idiotize or ruin the interface...

    1. stucs201

      Looks quite nice from screenshots. Only thing I'd change would be a search box, rather than a button.

      I'm also starting to use Avant more too. Also has options for a less dumbed down interface (though with a rather different menu structure than I'm used to). The other nice things about this one is being able to switch between the IE, Firefox and Chrome rendering engines as needed.

      1. Not That Andrew

        SeaMonkey still has a search box, just customise the toolbar and add it in

    2. Cryo

      Don't forget Opera. They took their awesome feature-packed Internet suite and replaced it with an almost featureless reskinned Chromium last year, effectively removing any reason to use it over any other Chromium-derivative.

  11. Charlie Clark Silver badge

    Not new

    This has been in Opera for several years and is configurable. The default used to be to dumb the URL down completely but this was reversed as too hard to work with. Subdomains and paths in grey with the domain black which works fine for me.

  12. NT1

    No point...

    Putting the root domain in blue bold would show feeble users which part is the secure important bit while the rest of the line in black normal for less feeble users.

    Bury the option to turn this new feature on where less feeble will ignore it and more feeble will never know it exists... what's the point? It may as well not be there...

  13. Tannin

    I was going to say that the right answer is to educate the users.

    But then, earlier today, I had two customers in a row who honestly didn't understand the concept of typing a URL into the address bar. One was starting Chrome up and his home page was set to Google Maps. From there he opened a new tab, from the new tab he clicked on the "welcome to Chrome" tile, then he turned to me and said "see, I can't get into Chrome, there's no Internet". Navigating to Chrome's well-hidden bookmarks control was way beyond him. Eventually I installed Pale Moon for him, where at least you can have an always-visible "bookmarks" link on the menu. The second one wasn't much different. Both were recent upgraders from XP and Internet Explorer, now running Windows 7 or 8 and really struggling to cope with the change.

    These guys really do need a "do stuff" button.

    1. boone7

      Yes some users are beyond help but if you oversimplify something that has a lot of variables I can guarantee you that you will pull all of your hair out before you are done with them. This is especially true when you don't have the luxury of SEEING what they see and knowing what they have done to get there. The 'do stuff' button won't have just one possible result, it will have many times more possible results than a series of buttons in sequence. At least you know where things are going if you know the sequence that was chosen. I understand the 'do stuff button' recommendation was meant to be facetious, but still..

  14. John Savard

    Image

    If it's Canary that "sounds the alarm in the form of a whopping big origin box", then I think the image you have - since the Chrome sample has the periods, not the slashes - is backwards. Or something.

    1. Rhyd

      Re: Image

      Indeed, there's something phishy with that image. It seems to be doing the opposite of what the article states.

  15. PlanB

    Not a Chrome invention

    Safari on the iPhone has been doing this for a long time. Though I'm not sure it's an Apple invention either. Maybe Samsung?

  16. Anonymous Coward

    Don't. Just don't.

    Please do not add this feature and make it a trend. I would liken this to Windows defaulting to "hiding file extensions". Now your average computer user has no idea what a file extension is, which is fantastic when someone sends them a malicious executable file with a PDF icon. They think 'Oh, it's a PDF, no problem there'. And bam! Cryptolocker!!

    I know everyone wants things to be simpler but it's getting ridiculous. It's already bad enough that the average computer user enters URLs I give them into Google search box. You tards! Enter it into the address box!! "What's an address box? What's a URL?"

    Stop catering to these people, you are actually making their experience worse. My experience as well, since I am always responsible for fixing their mistakes.

  17. Old Handle

    This reminds me of the other day when I was walking my retirement age father through upgrading a program that came in a zip file (rather than a fancy self-installer). Obviously this should have been an easy task, and he's not stupid, but even with directions he struggled, because like most users he's only comfortable with the part of the computer he uses every day.

    And that's why I think this trend to "simplify" everything is so horrible. The more they hide the more helpless the users become. When I encounter a new application the first thing I do is explore all the menus and buttons. So when I need to do something later, I already know where to find the right command. Clearly not everyone has this impulse, but recent software designs seem actively hostile to that way of learning. They apparently want to make absolutely sure that users don't even accidentally discover any features before they need them.

    1. Anonymous Coward

      I think that is the idea. While not intentionally in all instances... it is so that you/me/users are not the ones in "control". The other reason is to make it as "easy" as possible, to remove barriers of entry to new customers. But both give the same result.

      The real answer is, as most say, educating the user. Showing them how to use the tool, how it goes together and how to service/repair it. But that requires effort from all parties involved, and well, they want profit/easy cash so something goes out the window eventually...

  18. Jamie Jones Silver badge
    Trollface

    You'll hate El Regs' "buzzfeed-style" article headlines

    That is all.

  19. Sebastian A
    Mushroom

    On a side note...

    The second screenshot in the article, that ClearType, doesn't that scrape anyone else's eyeballs something chronic? I can't STAND seeing red/blue edges on black text and I wish they'd let those of us who can see it, disable it system-wide.

    1. Anonymous Coward

      Re: On a side note...

      I do agree, as each monitor/user has different effects/tolerances (or preferences). But that being said, I don't see the problem on my screen... but not sure if that's down to my screen, my eyes or my tiredness... :D

  20. Tannin

    Quite so, Boone7. I was really writing, between the lines, about being surprised about something I should not have been surprised by. Over the last decade, despite working with users at somewhere around about this woeful level of incompetence every week, I (probably like many others in similar shoes) had gradually come to accept that times have moved on and the average know-nothing user, these days, actually knows at least a little bit, knows enough to master simple basic tasks like typing in a web address or using a bookmark.

    My two hopeless users yesterday - granted, they were two particularly bad cases - showed me that a lot of what I had assumed was a gradual improvement in general understanding at the lowest end of the competence scale was, in fact, nothing of the kind. In reality, it seems, their incompetence hadn't changed much at all, it has simply been masked by the very long time they all spent using Windows XP and clicking on the same things in the same way through the various reinstalls and hardware upgrades the decade brought; clicking, it now seems, without even the fragile and shallow understanding I had ascribed to them.

    I thought, after more than two decades in the computer support caper, that I was long past over-estimating user competence. Obviously, I was wrong.

    As for Chrome and these proposed changes to URL display, I agree with you: changing the machine to dumb down the interface to the point where it becomes essentially meaningless is a daft idea. We need to stick to our guns and help users understand the basics, make things clearer without oversimplifying. The real enemy here is non-human-readable URLs. I mean that is the point of a URL - it is supposed to be more human readable than "185.32.201.17".

    1. Peter Gathercole Silver badge

      @Tannin

      I've been saying for a long time that most users really dislike change for valid reasons.

      I know that there have been layout changes, but the Windows interface introduced in Windows 95 is still recognisable in WinXP SP3, and even to a certain extent Win7. This needs to be recognised by the "change for change's sake" people. Whilst they can rationalise the changes themselves, they really should take their target audience's opinion more.

      I am finding the same in the most recent re-skinning of Firefox. I'm just waiting for my Father to ask me how to find some of the things that have moved around.

      On the subject of URLs and DNS names, it is perfectly normal to configure DNS to resolve a name into a number of IP addresses, in order to spread the load across multiple machines. The DNS server can be configured to rotate around the list of possible systems in a variety of different ways, and there were also ways to set up a dynamic DNS to allow the service state of the accessed systems to be reflected in the returned results.

      If you think something like 173.194.66.106 (one of the IP addresses that Google responds on) is a problem, try typing in http://2915189354 as a URL!

  21. Anonymous Coward
    Anonymous Coward

    Archibald

    "I get phishing emails all the time, but this one nearly got me. It was well written, it used all the same logos. When I followed the link [...]"

    So Chrome is developed by dickheads who click on anything that seems to have come from their banks.

    It's not Joe Average Randomhead doing this, it's a bloke f*ing developing f*ing Chrome. And he even admits it publicly. Unbelievable.

    Jake. Maybe it's time to look for new challenges. There's absolutely nothing wrong with caring for livestock.

    1. stanimir
      Holmes

      Re: Archibald

      It's more like developed by people who don't get to sleep enough. Still not much of an excuse to click&logon.

  22. Anonymous Coward
    Anonymous Coward

    We're all doomed

    As a cop in Scotland I can't begin to describe how many reports I deal with for internet scams. So many people really have no idea and to be fair, why should they? No-one is there to guide them and many simply aren't aware of the dangers.

    Went to a call for a guy that got hit by the malware pretending to be Met police, viewing illegal material £100 etc....

    'Just take us through what you were doing before it happened.'

    ' Well.... I was just looking for some... Granny porn...'

    Proceeds to type granny porn into IE URL bar and take the first return. My neighbour and I were biting our fists as he casually went through a dozen links that I wouldn't go near with a bargepole.

    What hope have we got?

    Also, he was about 56, so going for his own age group at least. :-)

  23. RyokuMas
    Trollface

    Yeah, all those redirects caused by phishers must put extra strain on Google's capability to track us all.

  24. Anonymous Coward
    Anonymous Coward

    They really need to stop HTML email and don't highlight any URLs in emails.

    If people had to select text and copy it, then paste into a browser it would make it harder and give people thinking time to spot the mistake.

  25. bigtimehustler

    "But fellow Chrome dev Jake Archibald backed the feature and said it would have saved him from nearly losing his bank details to a phishing site."

    Errrrr....should this person really be a chrome dev? Come on, avoiding phishing sites if you're technically competent should not be difficult, as a chrome dev, he should be more than most!

    1. John Sanders
      Meh

      This is purely

      Some kind of bollocksy justification

  26. david 12 Silver badge

    Only URLs I have problems with are those monsters generated by google when you click on a link.

    And then when your google connection drops out, you have to delete a mountain of gibberish to find the URL it is supposed to be indirectly pointing to, to find where you actually want to go.

    1. Anonymous Coward
      Anonymous Coward

      Oh good... It's not just me then. I hate those bastard things.

      And does that Google redirect fail about 1 in 10 times for other people too?

  27. Anonymous Coward
    Anonymous Coward

    Chrome?

    Why is anyone even discussing 'security' in the context of Google's Chrome browser: spyware specifically created to hoover up as much information about you and your web browsing habits as legally possible, in order to enrich the developer??

  28. Mark Major

    >2 subdomains deep, including ".com." or ".co.uk." or other TLDs

    = Scam warning

    Almost as simple as that, surely? Who legitimately uses nested subdomains named .co.uk.??

  29. Stevie

    Bah!

    Do they still allow people to make URLs that have a different domain at both ends of the string, so you look at the first bit and say "Aha! Chase Bank Online" but three miles down the string is the *real* URL - ChechnyanPhishscam.com?

    Because if so, getting that moronic idea out of the HTTP spec would be favorite.

    1. swissrobin

      Re: Bah!

      It's nothing to do with HTTP. It's the domain name system specification that controls this part of the URL. That system is hierarchical - so if you own theregister.co.uk then you can simply start to serve up:

      www.bankofscotland.co.uk.mumbojumbo.theregister.co.uk

      as it's underneath your registered domain.

      Earlier in the comments someone suggested the browser should intervene anytime you try to follow a link with nested TLD. I would concur this makes sense; I am slightly concerned that some of the funkier TLDs might legitimately appear buried in legit URLs (much like Scunthorpe can match a rude word filter), but I guess you could allow the browser to be told about exceptions.

      In any case it's clearly a better solution than colour coding/masking out bits of the URL.

      P.S. it would also make sense to have some heuristics about url length - if it contains 20 dots, it's probably not something you want to follow, etc.

      P.P.S. Also agree that the browsers, if they're going to help, need to intercept dodgy URLs before they submit the request, otherwise it is quite possibly too late (malware delivered by javascript exploit on front page of scam site).
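
The nested-TLD and dot-count checks suggested in comments 28 and 29, together with the decimal-host case from comment 20, as an added JavaScript example (not from the article or any commenter, and not Chrome's code). The function name `checkLink`, the warning strings and the small `SUFFIXES` sample are assumptions made here; the 20-dot threshold is the figure floated in the comment above.

```javascript
// Tiny constructed sample of public suffixes; a real check would load the
// full Public Suffix List instead.
const SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk", "app"]);

// Number of trailing labels that form the public suffix (0 if unknown).
function suffixLength(labels) {
  if (labels.length >= 2 && SUFFIXES.has(labels.slice(-2).join("."))) return 2;
  return SUFFIXES.has(labels[labels.length - 1]) ? 1 : 0;
}

// Inspect a link before it is followed; returns a list of warning strings.
function checkLink(link, exceptions = new Set(), maxDots = 20) {
  // Host exactly as written, before the URL parser normalises it.
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/?#@]*@)?([^\/?#:]*)/i.exec(link);
  if (!m) return ["unparseable"];
  const raw = m[1].toLowerCase().replace(/\.$/, "");
  let host;
  try {
    host = new URL(link).hostname.replace(/\.$/, "");
  } catch {
    return ["unparseable"];
  }
  if (exceptions.has(host)) return []; // user-approved exception

  // http://2915189354 parses to a dotted quad that was never displayed.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return raw === host ? [] : ["obfuscated-ip"];
  }

  const warnings = [];
  const labels = host.split(".");
  if (labels.length - 1 >= maxDots) warnings.push("too-many-dots");

  // Labels to the left of the registered domain (suffix plus one label).
  const keep = Math.max(0, labels.length - suffixLength(labels) - 1);
  const sub = labels.slice(0, keep);
  // Start at 1: a suffix only imitates a domain when a name precedes it,
  // so app.example.com passes while bank.co.uk.example.com does not.
  for (let i = 1; i < sub.length; i++) {
    const pair = i + 1 < sub.length ? sub[i] + "." + sub[i + 1] : null;
    if (SUFFIXES.has(sub[i]) || (pair !== null && SUFFIXES.has(pair))) {
      warnings.push("nested-suffix");
      break;
    }
  }
  return warnings;
}
```

A host such as `my.app.example.com` trips the nested-suffix rule, which is the Scunthorpe-style false positive raised above; passing it in `exceptions` clears the warning.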

  30. Not That Andrew

    I thought the reason that you don't see passwords and wotnot in the urlbar any more is because all the web developers stupid enough to do that sort of thing had been dragged off and shot. It appears they've become UX designers instead.

  31. Vociferous

    Another reason to not use Chrome.

    And I didn't even need one.
