Humans can't read URLs. How can we fix it? – HTTP 203
In this episode, Jake makes the case that URLs are impossible for humans to interpret, especially when it comes to security. What are browsers doing today to overcome that? And, is there a better way?
Subscribe to Google Chrome Developers here → https://goo.gle/ChromeDevs
Also, if you enjoyed this, you might like the HTTP203 podcast! → https://goo.gle/2M5Fpcv
Whoa, thanks for reading the description right to the end! Why not post a comment saying you spotted the easter egg in this episode. There isn’t one of course, but it’ll confuse everyone who didn’t read the description.
Google Chrome Developers
I had a witty statement about this written down somewhere, but I can’t find it anymore.
I love the idea of the URL Chang. It’s WAY EASIER to explain to my parents
I like your proposal at the end. I think you should include that as an option.
It’s Amazon, I recognize that weird `ref` part in the URL
This was a hell of an interesting episode! Thank you guys, we definitely have to keep non-tech users secure. I like Jake's approach of showing the eTLD in the secure space of the browser bar. Good episode :thumbsup:
Cool, eTLD+1 is a great concept. I like how it puts focus on the authority or owner of that portal. The rest of the URL is just an identifier, it could be a UUID for what it’s worth. I’m surprised that so many people want to see it full.
I like the proposal. Basically, all sites get the old EV treatment, except it displays the eTLD+1 in place of the company name instead. This highlights the root of authority of every url the user visits together with the status of TLS. This allows you to simplify the display of the url while preserving the most important parts, both for mobile and for desktop.
Can’t read them, and copy/pasting them makes an ugly URL in a document or presentation.
I’m primarily a Safari user (but I find these videos interesting and enjoyable all the same).
I’ve got to say – I really like how Safari displays URLs. Hiding the full URL doesn’t bother me at all. It’s just good design; why should you always show the user a garbled string that they’re not likely to understand?
I really like your solution! I am wondering though how secure the domain list is. Can people sneak an entry in there that in the end misguides people? Or just as simple as not having a domain like GitHub on the list that is subletting subdomains. I am no security expert by any means, but turning people's attention more strongly towards the eTLD+1 part makes that list more of an attack vector. That said, maybe it is no big deal at all. It depends on how robust the submission process for that list is and how many domains that sublet subdomains ensure that they are on that list. What do you think?
This is your daily dose of Recommendation
URL long
Very good thoughts.
What I think we need is for DNS registration where the domain, subdomain, and server name are NOT conflated. The manager of a domain has the authority to allocate subdomains but the origin needs to be reliably indicated. I would do this by registering names not as mykids.jakearchibald.github.io, jakearchibald.github.io, and github.io, which is ambiguous, but as mykids::jakearchibald.github.io, jakearchibald::github.io, and github.io. Jake then has authority over jakearchibald::github.io, allowing him to register either kids::jakearchibald.github.io (as a subdomain of jakearchibald.github.io *separate* from jakearchibald.github.io), or kids.jakearchibald::github.io (as a subdomain *within* jakearchibald.github.io), but, importantly, NOT BOTH. This follows a similar design with IP division for subnet and node.
For HTTP, I would enhance Jake’s example by using DNS records to change the user’s view in the bar to be [🔒 subdomain at subdomain at basedomain | /svgomg/] with a green lock, bold domain names, non-bold "at", and middle-gray path. Clicking in the URL field reverts to the full text URL. Examples:
🔒 git.io | /some/path
🔒 jakearchibald at git.io | /some/path
🔒 mykids at jakearchibald at git.io | /some/path
(All notwithstanding existing reserved characters and meaning with respect to the selection of the server/network separator, possible confusion with IPv6, etc.)
I would love to have a security warning for visiting the eTLD+1 for the first time. That way, even if malicious parties have a URL that mimics a secure environment, we would see a warning saying "you are visiting this for the first time". A simple badge, changing the color of the padlock etc. would be awesome.
Honestly as a developer, I sometimes aim to distract via URLs, if it leads to sensitive info.
I try my best to hide it though and preserve user-friendly access, but I don't want anybody guessing it.
I guess they listened when you said "ship it"
paul lewis? o james priest! god bay god luky!
I like seeing the URL for multiple reasons. For example, seeing the URL all the time helps me know I’m on the right site and navigating the right PART of the website. There are a lot of context clues in the URL that help me know I’m doing the right thing. Also I specifically don’t fully trust websites themselves (even when it IS really truly the site I want to be on). Removing the URL path will give the opportunity for websites to try to trick users and be even more malicious. I don’t just care about the domain being right, seeing the whole URL is incredibly useful.
IDEA: Just put a little toggle button to the left of the address bar that would toggle between ETLD+1 and full URL (rather than making it a Flag or Setting). That way I can use ETLD+1 most of the time, but quickly and easily switch to full URL if I’m doing development or something like that. Think of it as being kind of like "Comfortable, Relaxed, Compact" in Gmail. This is better than Safari’s click-to-view-full-URL, because it acts like a "setting" instead of a "click-once-to-view-once".
Bring back http:// and https:// !
This is a nice idea. I think that this or something similar could be really useful.
1) I’m evil.com, I fool people with bank.bank.evil.com
2) I’m defeated by eTLD+1 highlighting, because browsers only show evil.com
3) I register bank.evil.com as an eTLD.
4) Under eTLD+1 highlighting, users see bank.bank.evil.com
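The four-step scenario above comes down to one fact: the eTLD+1 a browser would highlight is whatever the Public Suffix List says it is. The following added example (not code from the video or from Chrome) is a minimal matcher with the PSL's three rule kinds (plain, `*.` wildcard, `!` exception) over a constructed rule set, so you can see how a single added suffix entry changes what is displayed.

```python
# Minimal Public Suffix List (PSL) matcher, added here for illustration.
# The rule sets passed in are constructed for this example; they are not
# the real PSL. Rule kinds follow publicsuffix.org semantics:
#   "github.io"        plain rule
#   "*.kawasaki.jp"    wildcard rule: one extra label is part of the suffix
#   "!city.kawasaki.jp" exception rule: overrides a wildcard for that label

def _labels(host):
    return host.lower().rstrip(".").split(".")

def public_suffix(host, rules):
    """Return the public suffix (eTLD) of host.
    Longest matching rule wins, so candidates are tried longest-first.
    Hosts whose TLD is not listed fall back to the implicit "*" rule."""
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if "!" + candidate in rules:   # exception rule beats its wildcard
            return parent
        if candidate in rules or (parent and "*." + parent in rules):
            return candidate
    return labels[-1]                  # implicit "*": the bare TLD

def etld_plus_one(host, rules):
    """Return the registrable domain (eTLD+1), i.e. what a browser that
    highlights eTLD+1 would show, or None if host is itself a suffix."""
    labels = _labels(host)
    n = public_suffix(host, rules).count(".") + 1
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])

if __name__ == "__main__":
    # Step 2 of the scenario: with only "com" listed, the bar shows evil.com.
    base = {"com", "io", "github.io"}
    print(etld_plus_one("bank.bank.evil.com", base))            # evil.com
    # Step 3/4: once "bank.evil.com" is accepted as a suffix, the bar shows
    # bank.bank.evil.com, so the highlighted part is only as trustworthy as
    # the list's review process.
    print(etld_plus_one("bank.bank.evil.com", base | {"bank.evil.com"}))
    # The GitHub Pages case discussed elsewhere in the thread.
    print(etld_plus_one("mykids.jakearchibald.github.io", base))
```

For a real deployment the rule set would be loaded from the published PSL file (comments and blank lines skipped), and only the ICANN section is appropriate for deciding what to highlight as the "authority".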
Now can you come up with a solution to fix selecting part of the url when the scheme is hidden?
The current "solution" is brutal.
I'd also be interested in seeing the same kind of highlighting of the tld+1 in more places that display URLs, like the little box that shows the URL when you hover over a link, or in messaging services and email clients — a few messaging apps already show a title/preview for sent links and it'd be trivial to extend them to show the tld+1.
Why haven’t you shipped it yet?
Security by obscurity only works for a day. Then on day 2 evil uses it to their advantage. Hopefully on day 3 the devs notice. I use those long ass URL things all the time. Change search terms without having to load a page (back button, duh). Make sure I'm on the correct page when something's glitchy. Read if a site is actually legit. etc etc… Making something easier for Grandma is only that. I very very much need to choose when to wear beer goggles. lol, I literally haven't used Google search in a couple months. Guess? Oh, the URLs disappeared. I was working. Didn't have time to fiddle or reverse engineer something as silly as that.
It's perfect. Just make it so that it can be disabled through chrome flags.
Kudos for svgomg! Love that tool
we fix it?
All these efforts are to mask the fact that some sites are served through Google AMP, locking you into their ecosystem. This isn't about ergonomics.
It’s money.
I totally get it. Personally, as a developer/power-user, I couldn’t stand the elision of proto + and request URI. But it was for work related reasons. I guess I’m spoiled, but I want immediate and instant access to it, since I’m dealing with it constantly and I need to see it immediately so I know where I’m at when I’m working. When I double click, it should immediately select the word instead of requiring a third click to see/select, etc. So, I’m very happy Chrome brought the option back via a simple right-click option.
As many have said, make it the default. And allow people to configure it.
good idea
Just realized how URLs suck. This would be a much simpler problem if the pattern wasn’t that complicated
Why not just use some less subtle means of highlighting the ETLD+1? You can still make it highly legible. For example: you could make the rest of the text noticeably smaller. You give it a different background-color brightness, making sure the transition is immediately noticeable—perhaps a vertical zig-zag, rather than a simple straight vertical boundary.
No I’m pretty certain I can read a URL. It’s literally words.
I really like this idea
The second link is Amazon Echo (3rd Gen) Smart Speaker with Alexa – Grey.
The term for ETLD+1 is "Apex Domain".
I can read URLs. But developers can "fix" that.
URLs make it possible to link to any document or resource on any computer anywhere in the world.
I love the Easter egg
I really like it
I loved it, I want it now.
All-new Amazon Echo (3rd generation) | Smart speaker with Alexa, Heather Grey Fabric is the product
Guys use regex omg
It's not only a padlock in Firefox; it also shows a warning whenever you click on a log-in form on such sites.
Please ship it
In case you’re wondering, the power users aren’t "fine" with Safari’s url bar.
@jake @sumra
What did Chrome HQ say about the proposal?
We can fix URLs by not rendering them as text. A URL is structured data so I think we can do better than showing the toString of what is essentially an object. Early URLs were frequently file path analogs and reading out a URL made sense. Additionally, content was generally from a single site. This is no longer the case so what matters the most to users has changed. In my opinion, knowing the source of all the content on the page is vital, so my preference would be to see the host name/ETLD+1, verification that it is authentic, and easy access to see all other hosts on the page. The full path is secondary and needed mostly only for copying.