EEVblog Electronics Community Forum

General => General Technical Chat => Topic started by: MrMobodies on August 11, 2019, 06:26:02 am

Title: Google Chrome 76 hiding information
Post by: MrMobodies on August 11, 2019, 06:26:02 am
I was out visiting someone who was complaining about some broken feature in Chrome where it started showing search history in the address bar and I was surprised to find something. It doesn't do it on mine as I prevent it from updating automatically and I found this article about it.

https://www.bleepingcomputer.com/news/google/google-chrome-hides-www-and-https-in-the-address-bar-again/

Quote
Google Chrome Hides WWW and HTTPS:// in the Address Bar Again
By Lawrence Abrams 
July 31, 2019 08:04 PM

After installing Google Chrome 76, if you feel like something is missing from the address bar you would be correct. This is because Google has decided once again to hide, or elide, the "www" subdomain and "https://" from the address.

When Chrome 69 was released in September 2018, Google decided to strip the "www" and "m" "trivial subdomains" from the URLs in the address bar. For example, when a user visited www.bleepingcomputer.com, the www would be stripped and displayed as bleepingcomputer.com instead.

After a large outcry from users saying that www.bleepingcomputer.com and m.bleepingcomputer.com are not the same hostnames as www.bleepingcomputer.com, Google stopped hiding these subdomains.

These subdomains are classified as "trivial" because Google feels that it is not information that most people need to concern themselves with.

Google, though, did state that on a later date they would once again hide the "www" subdomain, but would continue to show the "m" subdomain.

The later date has arrived
With Chrome 76, Google has once again started to strip the "www" subdomain and "https://" identifier from URLs shown in the address bar.

In a Chrome bug post regarding this issue, product manager Emily Schechter stated that after testing for several months in the Canary, Dev, and Beta channels, they are going to start hiding "https" and "www" in the Chrome omnibox starting in version 76 on desktop and Android.
Emily Schechter
Quote
"The Chrome team values the simplicity, usability, and security of UI surfaces. To make URLs easier to read and understand, and to remove distractions from the registrable domain, we will hide URL components that are irrelevant to most Chrome users. We plan to hide “https” scheme and special-case subdomain “www” in Chrome omnibox on desktop and Android in M76."

Emily Schechter
(https://www.bleepstatic.com/images/news/web-browsers/chrome/chrome-76/stable/elide-www/google-comment-str.jpg)


Users are not happy with this change
After the previous backlash, it is not surprising to find that many users responded that they are unhappy [1, 2, 3] with this change.

Schechter stated you can install Google's Chrome Suspicious Site Reporter extension and Chrome will stop eliding www and https.

This extension allows users to report malicious, scam, and phishing sites to be included in Google SafeBrowsing.

A tweet by Microsoft Edge developer Eric Lawrence shows the code in Chromium that disables the eliding feature when the extension is installed.

(https://pbs.twimg.com/media/EA1MBrZXYAAwsVd?format=png&name=small)



I guess when they worked with other browser representatives to set these so-called standards to obscure information from the user that the user may want to see, it may no longer be a choice on their platforms.

I don't want the information of the URLs reduced and messed with because someone thinks it will be easier for me.

Firefox did this some years ago and there was a parameter I used to set to disable the URL trimming so it is nothing new.
browser.urlbar.trimURLs;false

https://support.mozilla.org/en-US/questions/949113

Quote
ldillon
2/1/13, 3:30 PM
How do I stop firefox for adding http:// when I copy a web address from the URL bar?

When I copy text from the URL bar in firefox (e.g., mozilla.org) and paste it into something, Firefox adds http:// (e.g., http://mozilla.org). That's not the text I selected. This was never an issue before "they" decided to remove the http:// . I can't find a way to disable this and it's hard to search for help for "http://"

The most annoying thing in a program is a clever "feature" that can't be disabled.

I was showing them Pale Moon to try and they liked it.

There is that "suspicious site reporter" extension which unhides it and the flags but how long will they be in there for before they remove them in the future?

What do you think?

Title: Re: Google Chrome 76 hiding information
Post by: ataradov on August 11, 2019, 06:39:25 am
Hopefully some scammers find a way to exploit this and Google will reverse this BS decision. Or at least make a setting for people that want to see this information.
Title: Re: Google Chrome 76 hiding information
Post by: ataradov on August 11, 2019, 06:43:24 am
Although I just got a Chromium update "Version 76.0.3809.87 (Official Build) Built on Ubuntu , running on Ubuntu 16.04 (64-bit)" and I see full URLs. Not sure what is going on. Maybe Chromium is more sane, in which case this may be a workaround.
Title: Re: Google Chrome 76 hiding information
Post by: 2N3055 on August 11, 2019, 07:37:35 am
Go to chrome://flags and search for:

---------------------------------------------------------------
Omnibox UI Hide Steady-State URL Scheme
In the omnibox, hide the scheme from steady state displayed URLs. It is restored during editing. – Mac, Windows, Linux, Chrome OS, Android

#omnibox-ui-hide-steady-state-url-scheme
........................................................................................
Omnibox UI Hide Steady-State URL Trivial Subdomains
In the omnibox, hide trivial subdomains from steady state displayed URLs. Hidden portions are restored during editing. – Mac, Windows, Linux, Chrome OS, Android

#omnibox-ui-hide-steady-state-url-trivial-subdomains
.......................................................................................
Omnibox UI Hide Steady-State URL Path, Query, and Ref
In the omnibox, hide the path, query and ref from steady state displayed URLs. Hidden portions are restored during editing. – Mac, Windows, Linux, Chrome OS, Android

#omnibox-ui-hide-steady-state-url-path-query-and-ref
---------------------------------------------------------------


and change them from default to disabled...
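
The effect of the three flags listed above, as an added example that is not part of the original post and not Chromium's code: a simplified JavaScript model of steady-state eliding that reports which distinct URLs end up with the same address-bar text. The option names, helper functions and sample URLs are constructed for illustration; the model covers only the displayed text, not the lock icon.

```javascript
// Simplified model of the omnibox "steady state" display. Each option mirrors
// one of the flags in the post above (hypothetical names, not Chromium's):
//   hideScheme            -> #omnibox-ui-hide-steady-state-url-scheme
//   hideTrivialSubdomains -> #omnibox-ui-hide-steady-state-url-trivial-subdomains
//   hidePathQueryRef      -> #omnibox-ui-hide-steady-state-url-path-query-and-ref
const ALL_DISABLED = {
  hideScheme: false,
  hideTrivialSubdomains: false,
  hidePathQueryRef: false,
};

// Scheme and "www" elided, path kept: the change the quoted article describes.
const ELIDE_SCHEME_AND_WWW = {
  hideScheme: true,
  hideTrivialSubdomains: true,
  hidePathQueryRef: false,
};

// Returns the text this model would show for one URL under the given options.
function steadyStateDisplay(urlString, flags) {
  const url = new URL(urlString);
  let host = url.host; // hostname plus any non-default port

  // Strip a leading "www." label only when a multi-label host remains.
  if (flags.hideTrivialSubdomains &&
      host.startsWith("www.") &&
      host.indexOf(".", 4) !== -1) {
    host = host.slice(4);
  }

  const scheme = flags.hideScheme ? "" : url.protocol + "//";
  let rest = flags.hidePathQueryRef ? "" : url.pathname + url.search + url.hash;
  if (rest === "/") rest = ""; // a bare root path adds nothing to the display

  return scheme + host + rest;
}

// Groups URLs by displayed text and returns only the groups in which more
// than one distinct URL is shown identically.
function collidingGroups(urls, flags) {
  const byDisplay = new Map();
  for (const u of urls) {
    const shown = steadyStateDisplay(u, flags);
    if (!byDisplay.has(shown)) byDisplay.set(shown, []);
    byDisplay.get(shown).push(u);
  }
  return [...byDisplay]
    .filter(([, list]) => list.length > 1)
    .map(([shown, list]) => ({ shown, urls: list }));
}

// Constructed sample input; the last entry is the URL quoted in this thread.
const SAMPLE_URLS = [
  "https://www.example.com/login",
  "https://example.com/login",
  "http://example.com/login",
  "https://m.example.com/login",
  "https://www.eevblog.com/forum/chat/google-chrome-hiding-information/?action=post;last_msg=2607759",
];

for (const group of collidingGroups(SAMPLE_URLS, ELIDE_SCHEME_AND_WWW)) {
  console.log(`"${group.shown}" is shown for:`);
  for (const u of group.urls) console.log("  " + u);
}
console.log("collisions with all three options disabled:",
  collidingGroups(SAMPLE_URLS, ALL_DISABLED).length);
```
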

Title: Re: Google Chrome 76 hiding information
Post by: The Soulman on August 11, 2019, 08:26:37 am
Thanks, but now the full url disappears after a second and shortens to the main address.  :-//

i.e.:

https://www.eevblog.com/forum/chat/google-chrome-hiding-information/?action=post;last_msg=2607759

to

https://www.eevblog.com
Title: Re: Google Chrome 76 hiding information
Post by: rdl on August 11, 2019, 08:37:57 am
Why people use Google software of any kind is something I'll never understand.
Title: Re: Google Chrome 76 hiding information
Post by: magic on August 11, 2019, 08:39:13 am
Quote
Hopefully some scammers find a way to exploit this and Google will reverse this BS decision.

This is America, take matters in your hands if you care >:D >:D >:D

[attach=1]
Title: Re: Google Chrome 76 hiding information
Post by: 2N3055 on August 11, 2019, 08:56:48 am
Quote
Thanks, but now the full url disappears after a second and shortens to the main address.  :-//

i.e.:

https://www.eevblog.com/forum/chat/google-chrome-hiding-information/?action=post;last_msg=2607759

to

https://www.eevblog.com

Sorry to hear that but it doesn't for me...

What it does now is it doesn't show http:// for non https pages.. For everything else it shows full URL. Tested on 2 separate PCs.
Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on August 11, 2019, 09:20:41 am
Hiding the scheme in its textual form makes sense. You may not like it, because your brain is accustomed to seeing it, and brains do not like changes and react to them with irritation. But it’s not like it has drawbacks other than that. Not only is the information not lost — there is a corresponding icon — but nowadays HTTPS becomes ubiquitous. I expect that soon you will be able to blindly assume that the URL uses the https scheme, and if it isn’t… you will be presented with a full-window warning about that.

If that would be a piece of software in which you routinely use URLs other than using the http/https scheme, I would agree that it is awkward. But no, a web browser is used nearly exclusively with http and https, with only an extreme minority of users seeing other schemes like ftp in their address bar.

As for hiding well known subdomains, this sucks indeed. But I do not see how it could be exploited against website/user security. If the attacker can control DNS records, your security in that regard is already compromised(1) — it doesn’t really matter if you can see the www/m subdomain. And it matters even less for an average Joe, who doesn’t even know what they’re looking at.
____
(1) Unless HSTS preload is used, the attacker has no access to your PEMs and the browser supports HSTS preload.
Title: Re: Google Chrome 76 hiding information
Post by: The Soulman on August 11, 2019, 09:46:23 am
Quote
Thanks, but now the full url disappears after a second and shortens to the main address.  :-//

i.e.:

https://www.eevblog.com/forum/chat/google-chrome-hiding-information/?action=post;last_msg=2607759

to

https://www.eevblog.com

Quote
Sorry to hear that but it doesn't for me...

What it does now is it doesn't show http:// for non https pages.. For everything else it shows full URL. Tested on 2 separate PCs.

Whooops, operator error.
I've missed: Omnibox UI Hide Steady-State URL Path, Query, and Ref

Thanks again
Title: Re: Google Chrome 76 hiding information
Post by: ataradov on August 11, 2019, 04:55:26 pm
Quote
Why people use Google software of any kind is something I'll never understand.

Because Firefox copies their behavior in the next release anyway. I used FF as long as I could, but then they broke all the good extensions, and became virtually indistinguishable from Chrome.
Title: Re: Google Chrome 76 hiding information
Post by: rdl on August 11, 2019, 05:06:09 pm
Yeah, I dropped Firefox years ago, when they decided they knew better than I did how my browser should look. I don't think it'll ever happen, but if I was ever forced to choose between Google and Firefox, I'd probably pay the fee and switch to Apple.
Title: Re: Google Chrome 76 hiding information
Post by: Rick Law on August 11, 2019, 05:32:35 pm
I believe it is along the path google wants to take "the web"...

First, they make the address bar the same as the search input field,
then they start hiding the "ubiquitous", (http:xxxx may not be the same site as https:xxxx)
then they start hiding more, and more...
until you have no way of knowing where you truly are (site-wise) and no way of getting to where you truly want.

Right now, your visibility is controlled by their search engine.  Once users accept all that hiding, your very existence on the web is controlled by Google.

When you got used to typing "Electronic Forum" in the "URL+Search" field and select from the result list to get here, you have no idea whether you got to EEVBLOG, or wherever they say you should go.  So, someone can spend eons and tons of money developing an identity on the web, but your brand (address) is under their control.  If they so choose to highlight someone else (say an advertiser or someone more in line with Google's world-view), 99% of the Android phone (and Chrome) population won't be able to get to you.  The only visitors you can expect are those who would explicitly type in your full "http:.....".  In time, they can even get rid of accepting direct URL input.

In my view, supporting Google = supporting evil.  The direction we are going is NOT good.

Edit: typo correction "stay you should go" corrected to "say you should go"
Title: Re: Google Chrome 76 hiding information
Post by: The Soulman on August 11, 2019, 05:51:48 pm
 ;D

(https://terrifictop10.files.wordpress.com/2013/10/google-chrome.jpg)


But seriously, people should be given the ability to use a "fair" search engine.
Title: Re: Google Chrome 76 hiding information
Post by: Richard Crowley on August 11, 2019, 06:00:19 pm
It has been doing that for months (years?)  Doesn't seem like any big deal to me because you can click on the address box (as if you were going to Ctl-C copy the URL) and it displays the full URL.   :-//

I had to switch to Chrome back when IE was king of the pile because IE stopped displaying actual error messages and obscured everything to generic "Error 500".  Making it useless for development and debugging.
Title: Re: Google Chrome 76 hiding information
Post by: amyk on August 11, 2019, 06:40:59 pm
Keep the sheeple uninformed, complacent, and easily persuaded, that's their way to extract more money from them. Remember, they have even fought against the use of adblocking or content-modifying software.

Given that she has basically let her email become public, let's hope she gets a LOT of angry emails from users...
Title: Re: Google Chrome 76 hiding information
Post by: SiliconWizard on August 11, 2019, 06:57:01 pm
Quote
Yeah, I dropped Firefox years ago, when they decided they knew better than I did how my browser should look. I don't think it'll ever happen, but if I was ever forced to choose between Google and Firefox, I'd probably pay the fee and switch to Apple.

Well. I still use Firefox even with the increasingly annoying stuff. I still trust it infinitely more than any Google product, at least privacy-wise.

Haven't tested Chromium in ages. It's the open source version of Chrome right? I suspect the official Chrome may contain additional "features" not present in Chromium. Am I right?

Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on August 12, 2019, 12:58:45 am
Quote
Why people use Google software of any kind is something I'll never understand.

More or less for the very same reason they use Firefox or IE: because they do not have to immediately pay with money for using it and because it works for nearly the whole population of this planet. Also because Chrome is shipped with 3 out of 4 smartphones, so they do not make any choice in the first place.

Quote
I used FF as long as I could, but then they broke all the good extensions, and became virtually indistinguishable from chrome.

That statement, given the tone of the discussion and the context, sounds as if it is an accusation towards Mozilla. An unjustified one. While the transition could’ve been done better — with that I agree and I was pissed off myself — it’s not as simple as “they broke stuff”.

First of all, the code had to be redesigned: the old, XUL-based ecosystem was a total mess on multiple levels. The new API hasn’t copied Chrome: it is a standardized API shared across browsers to make life of add-on developers easier. The change has been announced long before Mozilla finally removed the support for XUL-based extensions. Add-on authors had more than enough time to port their software. Many of them haven’t and the reason for that brings us to yet another point. The majority of Firefox add-ons were not maintained anymore. Software, especially programs having any contact with the outside world, are not things you can write once and forget about them for years — they need constant care. I was using a lot of extensions myself and slowly, through the years, I had to remove them one after another as they were stopping working. In a few years most of what you had would not be useful anyway — with or without Mozilla’s help.

Then, finally, there are those few extensions that indeed fell victim to the change: they were maintained, but there was literally no way to port them (Classic Theme Restorer as an example). But those were a minority. While I hate losing some of them, I am far from thinking about that change in terms of Mozilla breaking anything either intentionally or from negligence.

Quote
I'd probably pay the fee and switch to Apple.

Do you think they care more about your opinion? ;)

Quote
First, they make the address bar the same as the search input field,

Which is… what kind of a problem? Searching for URLs requires additional quotation marks; but other than this rare situation: what else is wrong with that solution?

Quote
then they start hiding the "ubiquitous", (http:xxxx may not be the same site as https:xxxx)

Yes, the HTTP one is the one you shouldn’t be using. ;)
In any case: the information is still displayed (just not as the scheme in the URL).

Quote
until you have no way of knowing where you truly are (site-wise)
and no way of getting to where you truly want.

Am I missing something (I do not regularly use Chrome)? Since when you can’t type a URL into the address bar and aren’t taken there? Are they also hiding resource name now?

Quote
Right now, your visibility is controlled by their search engine.  Once users accept all that hiding, your very existence on the web is controlled by Google. (…)

As it is, if you use Google directly. But the last time I was checking that, one could’ve set any search engine. Their help documents tell this is still true.

Quote
Haven't tested Chromium in ages. It's the open source version of Chrome right? I suspect the official Chrome may contain additional "features" not present in Chromium. Am I right?

Chrome is rebranded Chromium (that, not the other way around) with proprietary video decoders added. Chrome also has some changes to configuration: you may install add-ons only from their store and telemetry is enabled. As for privacy: you’re asking about the largest spyware producer in world’s history. While Chrome is more likely to have various tracking enabled (and you may not opt-out from it), I’ve already seen reports from friends, who have seen Chromium calling home during build preparation stage. There is no way you could trust it in that matter.
Title: Re: Google Chrome 76 hiding information
Post by: Rick Law on August 12, 2019, 04:23:05 am
...
...
Quote
First, they make the address bar the same as the search input field,

Quote
Which is… what kind of a problem? Searching for URLs requires additional quotation marks; but other than this rare situation: what else is wrong with that solution?

The problem is the conflating of an instruction from the user with a request from the user so as (in my opinion) for Google to achieve a very selfish goal.

You (the browser) are interpreting my instruction "to go to a specific place" not as an order to follow, but as a "request for suggestion" for where you (the browser) think I should go.

(I am watching the movie "A few good men", so I will borrow a few good words from it to help me express myself here...)

When I give an order (entered URL address), I expect it to be followed - there is no choice in the matter for the browser, I expect it to say "Aye Sir" and go where I order it to go - it has no choice, the URL is exact.  When I want advice (do a search), then I will ask.  I expect it to say "Yes Sir" and then give me a list with entries it chooses.

That is one of the reasons why I rejected Chrome - it thinks it is superior and it knows better where I should go.  No thank you!  I know where I want to go and the last thing I need is a suggestion from Google.

In my opinion, the whole point Google conflates the two is to diminish the importance of a domain name (URL/brand name).   You go everywhere by searching, you tell them what you seek and they tell you where they think you should go for whatever you are seeking.  When every one conflates searches of text meaning with domain name matching, then the domain name means nothing.  You (the domain owner) are just the provider of a few pages in the world of Google.

Your domain name (URL/Brand) which you might have spent huge $ and resource to build is meaningless and useless - you are just what their search engine says you are.

...
...
Quote
until you have no way of knowing where you truly are (site-wise)
and no way of getting to where you truly want.

Quote
Am I missing something (I do not regularly use Chrome)? Since when you can’t type a URL into the address bar and aren’t taken there? Are they also hiding resource name now?
...
...

We have a major disconnect here.  Yeah, you are missing something...

What you missed is in my reply that you quoted from, but not in the part you quoted.  It was the first sentence of that reply.

That reply started with the line: I believe it is along the path google wants to take "the web"...  (Bold added)

I did not write "google took", and not "google has taken".  I wrote "google wants to take"...  Thus, I was expecting the reader to infer that I am predicting/guessing future Google/Chrome behavior: First they do this, then they do that, then they do those...

Title: Re: Google Chrome 76 hiding information
Post by: MrMobodies on August 12, 2019, 06:49:18 pm
https://www.cnet.com/news/google-chrome-team-tries-to-fix-url-problems-better-web-addresses/

Quote
STEPHEN SHANKLAND
SEPTEMBER 4, 2018 3:22 PM PDT
Chrome team wants better web addresses, not URL mumbo-jumbo
Google's newest web browser already starts trimming away a bit of detail to make it easier for newbies to understand where they are on the web.
Google wants to fix one of the web's oldest and deepest technologies: the uniform resource locator, or URL, used to give every website a unique address.

Not broken in the first place.

Quote
"People have a really hard time understanding URLs," Adrienne Porter Felt, an engineering manager on Chrome's security team, said in a Wired interview published in conjunction with Chrome's 10th anniversary on Tuesday. "We want to move toward a place where web identity is understandable by everyone -- they know who they're talking to when they're using a website and they can reason about whether they can trust them ... It's important we do something, because everyone is unsatisfied by URLs. They kind of suck."

Everyone? Followed by that outcry in late 2018, so that they had to backtrack?

Quote
It isn't surprising Google wants to fix the problems of URL addressing. But changing something built this deeply into the web is hard. It could be that URLs are more like what Winston Churchill said about democracy: the worst option out there, except for all the others.

Changing it would be difficult so they just want to hide the information to the user as a standard.

Quote
And it isn't clear exactly what the team has in mind, but Porter Felt tweeted on Tuesday, "People don't look at them when they ought to. And when they do, they don't know which part to look at. We are exploring ways of drawing attention to the right identity indicators at the right times."

Assumptions made about the user. What about them. Did they have the same assumptions placed on them as a user.

Quote
URLs are a security problem since carefully crafted but bogus URLs can fool people into thinking they're visiting a legitimate website where they enter passwords or other sensitive information

Trying to make it easier by restricting/hiding information. Rubbish... I have seen the fake Godaddy login Portal months ago. No warnings about that. I reported the ones I have found which seem to be on sites hosted by Godaddy I remember on frescoprints.com.


Quote
URLs have lots of elements. Among them: the HTTPS label that indicates a private, tamper-proof connection between your browser and a website; broad and detailed address information for the specific page; and an infinite number of possible parameters used for everything from passing a search query to Google to tracking your presence as you move around the web. URLs can be far longer than even a wide-screen browser can show, and stuffed with alphanumeric gobbledygook that even web browsers find difficult to understand.

Of course it may look like gobbledygook to those who haven't seen it before.
Nothing new about the presence of long URLs.

Quote
Google knows change will be controversial. "That's one of the challenges with a really old and open and sprawling platform," Parisa Tabriz, a Chrome engineering manager, told Wired.

Evidently the team isn't ready to overhaul the addressing just yet. On Twitter, Adrienne Porter Felt encouraged academics with ideas on URLs to get in touch. And, she added, "our first step is months of user research."

However, Google is tweaking traditional URLs with a redesigned Chrome that Google released Tuesday, version 69 of the web browser.

In the Chrome address box's "resting state" -- in other words, when you aren't typing in it or otherwise interacting -- Google now hides the HTTP or HTTPS prefix and strips out website domain qualifiers like the initial "m." that indicates a website geared for mobile devices. That's because long web addresses can be confusing, especially to people new to the web.

Because it's long it MUST be confusing... bullshit

I was "new" like everyone else at one time and I didn't have a problem with that it helped me. A newbie may never know and as they deem it is so trivial for them. What about the people making this policy was it ever trivial for them as users and in their line of work like that Adrienne Porter, Parisa Tabriz and Emily Schechter?


I want "better" detailed information like before, no less. That is what helps me understand and protect myself over the years. I wouldn't trust a browser alone to show me a magical symbol, not when it can be compromised. A bit like what happened with a customer's Chromebook where the Chrome browser got altered and taken over/altered from dodgy extensions that reinstall on their own and a bank's website domain wouldn't load past a point but no warning about that until I reinstalled it. The bank put a hold on the online account and then asked them to change the password.

Not all URLs are long and they are making it out to be so difficult to even understand it that you shouldn't see it to be able to relate it.
On this forum: Protocol: "httpS://" Sub/Domain: "www.eevblog.com"  path/anchor: "forum/chat/google-chrome-hiding-information/" parameter: "?action=post;msg=2611242"


I am getting less satisfied with browsers that are going to be interfered with by these so-called "academics", in this case with the viewing of the address/location bar, and tell me BUGGER ALL, so that I have to click a couple of times or install extensions to see it, and flags that may not work or may be taken away.  In England in the past they could spoof numbers so you don't get to see the real number, which undermines my confidence in that system.

Edit:

Looking at their Linkedin profiles:

Quote
Emily Schechter
Product Manager, Chrome Security
April 2016 – Present 3 years 5 months
San Francisco Bay Area

It should be easy to use the web safely. I work on Chrome security, specifically:

- Chrome usable security, helping Chrome users and developers make safe decisions.
- Removing roadblocks for HTTPS adoption, to make the web more secure for everyone.
- Chrome Navigation ("omnibox" search + address bar) UI and suggest functionality across desktop and mobile platforms

Helping? More like restricting.

Quote
Adrienne Porter Felt
Senior Engineering Manager at Google
Mountain View, California
Computer Software

I lead the Chrome Personalization & Metrics teams. The Personalization teams make Chrome reflect the identity, preferences, and personality of the user. Example features are autofill, omnibox suggestions, the new tab page, and translate. The Chrome Metrics team is responsible for experimentation, data processing, and data science.

Senior Staff Software Engineer
September 2013 – October 2017 4 years 2 months
Tech lead and manager of the Chrome usable security team. We make the green locks in your browser. I take a research-driven approach to solving hard usable security problems.

Research Scientist
September 2012 – September 2013 1 year 1 month
Mountain View, CA

As a member of the security research team, I worked on novel ways to detect extension malware. In my 20% time I worked on improving Chrome security warnings.

Despite the outcry, and they state about the "personality of the user".
Research-driven from academics?


Quote
Parisa Tabriz
Mountain View, California
Senior Engineering Manager
May 2019 – Present 4 months
I manage the Chrome Data Science and Next Gen User teams.
Browser Boss (Senior Engineering Director)
Google
September 2016 – Present 3 years
Responsible for the Chrome browser we ship on Windows, Mac, Linux, Chrome OS, Android, iOS, plus lots of features that make Chrome useful across desktop and mobile (e.g. sync, autofill, password management, and more). I still do all that security and privacy stuff too.

I also manage Project Zero, an offensive security research team that aims to make 0-day hard.

Consultant
United States Digital Service
November 2014 – November 2016 2 years 1 month
Washington D.C. Metro Area

November 2014: Advised the Executive Office of the President on industry best practices to enhance network and software security. Confirmed that the West Wing is much smaller in real life than it looks like on TV.

March 2015: Alongside members of the Defense Digital Service, helped assess status of the OCX project, dubbed, "the most troubled program," from the US Air Force (http://breakingdefense.com/2016/02/most-troubled-program-in-air-force-raytheons-ocx/).

Ongoing consulting.

Google
9 years 8 months
Security Princess (Chrome Security Engineering Manager)
February 2013 – September 2016 3 years 8 months
I manage the engineering teams and efforts that make Chrome secure and stable and generally try to make the Internet safer.

Security Princess (Information Security Engineering Manager)
September 2011 – February 2013 1 year 6 months
Managed Google's information security engineering (ISE) team. The ISE team helps keep Google users safe by performing project design and code reviews, fixing bugs, building proactive security technology, educating developers, and doing cool research to make the Internet safer.


They all seem to work in California and do similar things at Google such as autofill, two of them malware detection and security.

"Security" in the user not seeing the full URL.
How would they manage if someone above them came along and decided the things they see were trivial and insisted that they shouldn't see it as it will be harder and difficult for them to understand.
Isn't it called arrogance?
Title: Re: Google Chrome 76 hiding information
Post by: MrMobodies on August 12, 2019, 09:09:21 pm
Sorry for length of the other post and double post but look what I found:

https://www.peerlyst.com/posts/meet-the-awesome-department-of-chromeland-security-team-of-4-girl-hackers-securing-our-internet-newswatcher
Quote
NewsWatcher
Nov 4, 2016
Meet the awesome "Department of Chromeland Security" team of 4 girl hackers securing OUR Internet
Here's Google's secret weapon, Parisa Tabriz, the team lead.

For a picture of the whole team, which is made up of Emily Schechter, Adrienne Porter Felt, and Emily Stark as well as Parisa herself, check the top of this wired article. Disappointing that they aren't wearing the hoodies mentioned in the article...

This hacker team has ensured that after new year's eve, the warning in Google Chrome will change so that it warns when you visit websites that allow sign-in over HTTP or allow you to enter credit cards. This will set a new gold standard for browsers. This will be the new gold standard for all to live up to. And they did it. They will even, over time, improve on this adding more and more security checks and safeguards to Chrome.

The Wired article brings up a scary discrepancy/difference (which?) between the mobile browsing experience and the desktop browsing experience. When using mobile, the browser providers & websites have a chance to get permissions to access your location data and offline data, data that they would normally never be able to access via normal browsing. IT SEEMS from the Wired article that Google wants to change this discrepancy. Digging deeper into my laptop with every page I visit. I find this uncomfortable, and would love to hear what Parisa and her team of Chromeland security hackers think about this. Alas, I doubt we will ever get a public statement about it.


They all work together and another one: Emily Stark

LinkedIn:

Quote
Emily Stark
4 years 8 months
Senior software engineer, tech lead
March 2017 – Present 2 years 6 months
Mountain View, CA

I lead a team that is responsible for many of Chrome's user-facing security and privacy features. We're currently focused on HTTPS: encouraging adoption and tackling deployment problems across the web. We also provide security consulting and reviews for teams across Chrome.

Software Engineer
January 2015 – March 2017 2 years 3 months
San Francisco, CA
Senior software engineer, tech lead at Google

That explains why they do similar things.
Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on August 12, 2019, 10:50:19 pm
What some people write here made me question my memory, so I have even installed Chromium to see if anything has changed since the last week, when I last saw Chrome. Nope, my memory is right. Nothing has changed. Are you using a nightly/snapshot version or something?

The problem is the conflating an instruction from the user with a request from the user so as (in my opinion) for Google to achieve a very selfish goal.

You (the browser) are interpreting my instruction "to go to a specific place" not as an order to follow, but as a "request for suggestion" for where you (the browser) think I should go.
Except that it is not conflating anything. You do not need to have separate input boxes to state your intent. If you type a URL or something address-looking, it will be treated as one. Exactly as it would be if you would type it in the address box. Otherwise it would be an error. If you type something else, it will be a search term — almost exactly as with the search box.(1) You are describing a problem that doesn’t exist. It may be against your habits, but that doesn’t make it wrong. E.g. I myself have 5 different functions combined in a single input field in Firefox (address bar, standard search box, keyword-triggered search engines, bookmarks search and — since my default search engine is DDG — all the bangs). A lot of space saved.

I do not know what you mean by “selfish goal”. Especially since Google wasn’t even among browser vendors when this feature was first developed and deployed. What doesn’t it even have to do with that company?


In my opinion, the whole point Google conflates the two is to diminish the importance of a domain name (URL/brand name).   You go everywhere by searching, you tell them what you seek and they tell you where they think you should go for whatever you are seeking.  When every one conflates searches of text meaning with domain name matching, then domain name means nothing.  You (the domain owner) are just the provider of a few pages in the world of Google.

Your domain name (URL/Brand) which you might have spent huge $ and resource to build  is meaningless and useless - you are just what their search engine says you are.
Exploring motivation of someone else isn’t an easy activity, because there are high chances we’re just reflecting our own expectations and fears in such theories and not basing it on all available observations. Do you realize, that what you are describing is not happening? If you enter a URL into the address/search box, you are being taken directly and exactly to where you requested the browser to be taken to. I have just double checked that a moment ago. I have even tried a domain alone. Perhaps I do not see something; perhaps there is some URL that is not treated like one — all it takes to convince me is provide that URL.

However, what you have described is in part true. Not in Google trying to make world look like that, but in reality already being that — independent of Google actions. Most users do searches instead of entering addresses. Even more, typically they just enter the first portion of the name, because they do not know the FQDN. This is why for important websites users are encouraged to use bookmarks. Otherwise they are likely to either enter a wrong address, or use a search engine and face a phishing attack through results manipulation or ads. We, the people who actually understand URLs and remember proper addresses, are a minority. An exception.

What you missed is in my reply that you quoted from, but not in the part you quoted.  It was the first sentence of that reply.

That reply started with the line: I believe it is along the path google wants to take "the web"...  (Bold added)
No, that part I have intentionally ignored, as I wanted to discuss facts. I assumed that the rest of the statement is about actual actions and not what they could potentially do.

Quote
(…) Google wants to fix one of the web's oldest and deepest technologies: the uniform resource locator, or URL, used to give every website a unique address.
Not broken in the first place.
Unfortunately: broken. Do not assume that just because FOR US those are understandable and WE can remember them, URLs are natural and useful for majority. No, they aren’t and users generally fail miserably in using them. See my answer to Rick Law above — the fragment after the second quotation — for details.

Changing it would be difficult so they just want to hide the information to the user as a standard.
But the information is still visible, just in a more readable form. (except for the “common subdomains” issue, which I have already mentioned earlier)

Assumptions made about the user. What about them. Did they have the same assumptions placed on them as a user.
Perhaps you are making assumptions about majority, based on your minoritian view of the situation? Look around you, see how people actually use web. If you do not believe your own eyes or somehow have contact only with the minority, just see where the money goes. Surprise, surprise… scammers use search ads, similar domain names and typosquatting and they are successful, because people do not really do what you believe they do. You want to ignore scammers, because they may be just taking opportunistic chances? So, umm… you see, Google has that as an important part of their business model. But possibly you are right and Google is bankrupting. Same goes for other search engines.

Trying to make it easier by restricting/hiding information. Rubbish... I have seen the fake Godaddy login Portal months ago. No warnings about that. I reported the ones I have found which seems to be on sites hosted by Godaddy I remember on frescoprints.com.
The hidden information would not affect that case in any way. So what’s the point?

Because it's long it MUST be confusing... bullshit
Again, you represent minoritian view of a technical person, who has taken effort in understanding how things work. For a typical person comprehension ends around the first dot in the domain name (unless it is the “www” prefix: then the second dot). With web being more and more used on smartphones, the actual visibility of the URL ends not much later.

I want "better" detailed information like before no less. That is what helps me understand and protect myself over the years. I wouldn't trust a browser alone to show me a magical symbol not when it can be compromised.
If that symbol can be compromised, what is displayed in the address bar can also be changed. However, the padlock symbol is not providing you with any information (neither is presence of “s” in the scheme). For that you need to verify certificate, by checking if you’re using the right domain… which is exactly what browser vendors are trying to make easy. Perhaps in the end we’ll finally have only CN displayed, instead of useless(2) for most people URL.


I am getting less satisfied with browsers that are going to be set interfere by these so called "academics" (…)
Except that article doesn’t speak about people of academia. They are only petitioned to search for better solutions.

Looking at their Linkedin profiles:
I have no slightest idea what’s the point of that, so I am simply ignoring it.

____
(1) With the exception of the aforementioned using an address as a search keyword, but for that you just need to quote it… which nearly surely you want to do nonetheless to limit fuzzy matching.
(2) It is useful for debugging, but that’s all. And for that purpose it may be displayed upon request.
Title: Re: Google Chrome 76 hiding information
Post by: MrMobodies on August 13, 2019, 12:27:36 am
Unfortunately: broken. Do not assume that just because FOR US those are understandable and WE can remember them, URLs are natural and useful for majority. No, they aren’t and users generally fail miserably in using them. See my answer to Rick Law above — the fragment after the second quotation — for details.

As a user that is how I relate things which I'd find difficult myself if they were hidden like that and discover it later.
I don't often understand things that well when what they deem as "mumbo jumbo" is hidden for the purposes of making it easier but as you say I'm a minority.

Quote
But the information is still visible, just in a more readable form. (except for the “common subdomains” issue, which I have already mentioned earlier)
I don't mind it secure/insecure and able to check on the side but I don't want it "simplified" for when I copy and paste URLs.

Quote
Perhaps you are making assumptions about majority, based on your minoritian view of the situation? Look around you, see how people actually use web. If you do not believe your own eyes or somehow have contact only with the minority, just see where the money goes. Surprise, surprise… scammers use search ads, similar domain names and typosquatting and they are successful, because people do not really do what you believe they do. You want to ignore scammers, because they may be just taking opportunistic chances? So, umm… you see, Google has that as an important part of their business model. But possibly you are right and Google is bankrupting. Same goes for other search engines.

Well over the years I have had lots of customers come to my house for that sort of thing, I spent all night removing malware manually and I try to educate them so they don't fall for it that easily again. I don't try to make it easier by REDUCING/RESTRICTING information. I set it all up so they can see what they are doing and most of them come back for other things. On Windows they hide extensions for known file types by default and no one can tell that easily when a malware program is made to look like a word document. Better for the customer to learn and tell the difference and start learning.

One issue I came across is, they search for "print drivers" for a printer and they accidentally click on an advert on top of the page, on Google or Bing that looks like a search result and leads them to some "driver update/manager package" and other things start installing. I don't see that happening as often now.

Quote
The hidden information would not affect that case in any way. So what’s the point?
I meant about no warning about the site certificates (in the fake login portal) and I wonder why they were targeting sites hosted on Godaddy.

Quote
Again, you represent minoritian view of a technical person, who has taken effort in understanding how things work. For a typical person comprehension ends around the first dot in the domain name (unless it is the “www” prefix: then the second dot). With web being more and more used on smartphones, the actual visibility of the URL ends not much later.

Yes I suppose I am small part in a minority. In that case with smart phones and tablets (with touch input) might not always be easy to get about the url.

Quote
If that symbol can be compromised, what is displayed in the address bar can also be changed. However, the padlock symbol is not providing you with any information (neither is presence of “s” in the scheme). For that you need to verify certificate, by checking if you’re using the right domain… which is exactly what browser vendors are trying to make easy. Perhaps in the end we’ll finally have only CN displayed, instead of useless(2) for most people URL.

I have noticed and that is handy alongside it where I can check those things.

Quote
Except that article doesn’t speak about people of academia. They are only petitioned to search for better solutions. I have no slightest idea what’s the point of that, so I am simply ignoring it.
They seem to be behind the change and they know each other despite all the backlash.

The other things like the viewing of certificate stuff near the url is a positive but I don't want my view of the URL messed with in terms of "simplifying it" and not without an option to leave it alone.
Title: Re: Google Chrome 76 hiding information
Post by: The Soulman on January 05, 2020, 11:10:30 pm
It happened again! :palm:

I guess it is no longer in experimental stage as it no longer can be disabled as in the instructions below.

Giving up on computers altogether soon.  |O


Go to chrome://flags and search for:

---------------------------------------------------------------
Omnibox UI Hide Steady-State URL Scheme
In the omnibox, hide the scheme from steady state displayed URLs. It is restored during editing. – Mac, Windows, Linux, Chrome OS, Android

#omnibox-ui-hide-steady-state-url-scheme
........................................................................................
Omnibox UI Hide Steady-State URL Trivial Subdomains
In the omnibox, hide trivial subdomains from steady state displayed URLs. Hidden portions are restored during editing. – Mac, Windows, Linux, Chrome OS, Android

#omnibox-ui-hide-steady-state-url-trivial-subdomains
.......................................................................................
Omnibox UI Hide Steady-State URL Path, Query, and Ref
In the omnibox, hide the path, query and ref from steady state displayed URLs. Hidden portions are restored during editing. – Mac, Windows, Linux, Chrome OS, Android

#omnibox-ui-hide-steady-state-url-path-query-and-ref
---------------------------------------------------------------


and change them from default to disabled...
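What the three flags listed in the post above change can be modelled in a few lines. This is an added example, not part of the original post and not Chromium's omnibox code: the flag names, the choice of "www" as the only trivial subdomain, and the sample URLs are assumptions. It reports which different origins end up with the same steady-state text.

```javascript
// Added illustration, not Chromium's omnibox code. The option names are
// hypothetical stand-ins for the three chrome://flags entries in the post.
const ALL_ON = { hideScheme: true, hideTrivialSubdomains: true, hidePathQueryRef: true };
const ALL_OFF = { hideScheme: false, hideTrivialSubdomains: false, hidePathQueryRef: false };

// Assumptions: "www" is the only trivial subdomain, http/https the only hidden schemes.
const TRIVIAL_SUBDOMAINS = ['www'];
const HIDDEN_SCHEMES = ['http:', 'https:'];

// Constructed sample URLs (example.com is a reserved documentation domain).
const SAMPLE_URLS = [
  'https://www.example.com/login',
  'https://example.com/login',
  'http://example.com/login',
  'https://m.example.com/login',
  'https://www.example.com/account?id=7#top',
];

// Text shown in the address bar while it is not being edited.
function steadyStateDisplay(rawUrl, flags) {
  const u = new URL(rawUrl);
  const labels = u.hostname.split('.');
  // Strip only a leading trivial label, and never reduce "www.com" to "com".
  if (flags.hideTrivialSubdomains && labels.length > 2 &&
      TRIVIAL_SUBDOMAINS.includes(labels[0])) {
    labels.shift();
  }
  const host = labels.join('.') + (u.port ? ':' + u.port : '');
  const scheme = flags.hideScheme && HIDDEN_SCHEMES.includes(u.protocol)
    ? '' : u.protocol + '//';
  let rest = flags.hidePathQueryRef ? '' : u.pathname + u.search + u.hash;
  if (rest === '/') rest = ''; // a bare root path is not worth showing
  return scheme + host + rest;
}

// Group URLs by displayed text and keep the groups that cover more than one
// origin (scheme + host + port), i.e. where the display no longer tells
// the origins apart.
function ambiguousDisplays(urls, flags) {
  const byDisplay = new Map();
  for (const raw of urls) {
    const shown = steadyStateDisplay(raw, flags);
    if (!byDisplay.has(shown)) byDisplay.set(shown, new Set());
    byDisplay.get(shown).add(new URL(raw).origin);
  }
  return [...byDisplay]
    .filter(([, origins]) => origins.size > 1)
    .map(([display, origins]) => ({ display, origins: [...origins].sort() }));
}

for (const [name, flags] of [['flags disabled', ALL_OFF], ['flags enabled', ALL_ON]]) {
  console.log(name, JSON.stringify(ambiguousDisplays(SAMPLE_URLS, flags)));
}
```

With every flag disabled each sample URL keeps its own text; with all three enabled, three separate origins are shown identically.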
Title: Re: Google Chrome 76 hiding information
Post by: ataradov on January 05, 2020, 11:15:17 pm
You can now install Google's Suspicious Site Reporter extension and it will bring back https.

But yeah, Firefox is looking more and more attractive with Chrome's stupidity.
Title: Re: Google Chrome 76 hiding information
Post by: Mr. Scram on January 05, 2020, 11:27:09 pm
Just don't use Chrome. Why would you willingly use a browser specifically designed to map and log your online behaviour?

Quote
Chrome handles over 60 percent of web traffic. This is unfortunate because Google uses Chrome as a window to peer into every action you take online. Unless you modify your Google privacy settings, Chrome records every site you visit so Google can serve you targeted ads.

Even worse, Chrome does very little to block other advertisers and trackers from monitoring you with cookies or device fingerprinting. A Washington Post article reported Chrome gathers roughly 11,000 trackers in an average week.

https://protonmail.com/blog/best-browser-for-privacy/

It gets even worse. Google catches and logs your username and password every time you sign into a website. On any site, not just Google's. They do claim to irreversibly hash this, but at this point you lose control entirely. They also log the websites you visit to catch malicious sites. Nowhere is it mentioned they won't use this data elsewhere.

Quote
When you sign in to a website, Chrome will send a hashed copy of your username and password to Google encrypted with a secret key only known to Chrome.

https://security.googleblog.com/2019/12/better-password-protections-in-chrome.html
Title: Re: Google Chrome 76 hiding information
Post by: NiHaoMike on January 05, 2020, 11:44:31 pm
There's Chromium, Chrome without the Google stuff.
https://chromium.woolyss.com/
Title: Re: Google Chrome 76 hiding information
Post by: ataradov on January 06, 2020, 12:00:50 am
Chromium only removes tracking, but not the stupid "design" changes, like hiding https from the URLs.
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 06, 2020, 06:20:31 pm
Quote
When you sign in to a website, Chrome will send a hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy.
There is no such thing as a secret key known only to a piece of freeware deployed in billion copies worldwide |O

I presume they just hash it and "encrypted" it the way some PR drone described it because nobody knows what's hashing. Or maybe not? Of course tinfoil hatters will interpret it their own way and Google will cry about being falsely accused ::)

Clearly the times of Google employing brain tasers in job interviews have passed long ago ;)
Title: Re: Google Chrome 76 hiding information
Post by: amyk on January 07, 2020, 03:35:32 am
The "security" argument is such bullshit. Yet the sheeple swallow it without thinking... :palm:

"Let us do everything and take over your life for you. You don't want to hurt yourself, right?" |O

I've never used Chrome and never will, but Google's search results are also screwing around with the URLs they display now, fortunately I have a filtering proxy rule to rewrite them back to how they're supposed to be (it's still not perfect but I haven't had the time to fix it fully... hopefully I will before they decide to make it even worse!)
Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on January 07, 2020, 11:58:56 pm
There is no such thing as a secret key known only to a piece of freeware deployed in billion copies worldwide |O
I am far from being amicable towards Goofle, but this is technically incorrect. Yes, there is such a thing: if the key is generated by each instance of the said software separately. Which is the case here — the algorithm generates a key each time it is invoked.
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 08, 2020, 08:53:05 am
So how is the Mothership supposed to know what hash you are asking for if it's encrypted with your throwaway key?

OK, I clicked the link again and scrolled all the way down. Seems you are right, though I still don't get all of it.

At any rate, they send just enough unencrypted identifying information to be able to narrow your username down to 1/16777216 of all usernames, which they say is about 250. And they send you a list of all those 250 hashes but everything is encrypted back and forth with multiple keys so that presumably you are somehow prevented from using this service to scrape all hashes from Google's database unless you already know each exact hash you want to query.

At any rate, you send an unencrypted 3 byte hash to Google. And that's good enough to narrow you down to about only 250 usernames known to them.

And they still could have said "a unique one-time key generated by Chrome" instead of "known only to Chrome". Notice that I wasn't even rating about the (in)security of this scheme but about the PR disaster that this description is.

And since that 3-byte hash algorithm has to be public, I wonder what would happen if we triggered bucket collisions by creating specially crafted account names somewhere and leaking the passwords to the internet ;D

It seems that while there are 16777216 buckets, at the very least you should be able to severely load a particular chosen one if you desire it for whatever ends.
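A simplified model of the lookup described in the post above (a hash prefix sent in the clear, a bucket returned, the match done on the client), added here as an illustration and not part of the post or Google's implementation. Assumptions: SHA-256 stands in for the real hash, the extra encryption layers the post mentions are left out, and the leaked credentials are constructed.

```javascript
// Load Node's crypto module whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

const PREFIX_BYTES = 3; // the post's "3 byte hash": 2^24 = 16777216 buckets

// Assumption: SHA-256 over "username NUL password"; the real service uses its own hash.
function credentialHash(username, password) {
  return nodeCrypto.createHash('sha256')
    .update(`${username}\u0000${password}`)
    .digest('hex');
}

// Constructed breach corpus: user0/pw-0, user1/pw-1, ...
function constructedLeak(count) {
  return Array.from({ length: count }, (_, i) => [`user${i}`, `pw-${i}`]);
}

// Server side: leaked hashes grouped by their first prefixBytes bytes.
class BreachService {
  constructor(leaked, prefixBytes = PREFIX_BYTES) {
    this.prefixBytes = prefixBytes;
    this.buckets = new Map();  // hex prefix -> full hex hashes in that bucket
    this.seenPrefixes = [];    // everything the server learns from queries
    for (const [user, pass] of leaked) {
      const full = credentialHash(user, pass);
      const key = full.slice(0, prefixBytes * 2);
      if (!this.buckets.has(key)) this.buckets.set(key, []);
      this.buckets.get(key).push(full);
    }
  }

  // In this simplified model the bucket is returned as raw hashes; the
  // encryption that stops clients harvesting buckets is not modelled.
  query(prefixHex) {
    this.seenPrefixes.push(prefixHex);
    return this.buckets.get(prefixHex) || [];
  }
}

// Client side: send only the prefix, compare the full hash locally.
function checkCredential(service, username, password) {
  const full = credentialHash(username, password);
  const prefix = full.slice(0, service.prefixBytes * 2);
  const bucket = service.query(prefix);
  return {
    leaked: bucket.includes(full),
    sentToServer: prefix,
    bucketSize: bucket.length, // the crowd the query hides in
  };
}

// Average bucket size for a corpus of totalEntries under a uniform hash.
function expectedBucketSize(totalEntries, prefixBytes = PREFIX_BYTES) {
  return totalEntries / 2 ** (8 * prefixBytes);
}

// Demo with a 1-byte prefix so a 5000-entry constructed corpus fills its buckets.
const demoService = new BreachService(constructedLeak(5000), 1);
console.log(checkCredential(demoService, 'user42', 'pw-42'));
console.log(checkCredential(demoService, 'user42', 'some-other-password'));
// A bucket of about 250 at 2^24 buckets implies roughly this many stored entries:
console.log(250 * 2 ** 24, '->', expectedBucketSize(250 * 2 ** 24));
```

The server object records only the prefixes it was asked for, which is the "narrowed down to about 250" information the post refers to; the full hash never leaves `checkCredential`.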
Title: Re: Google Chrome 76 hiding information
Post by: tom66 on January 08, 2020, 09:07:42 am
I am amazed at the number of conspiracy theorists on an engineering forum -- you would expect people on here to be a bit more rational.

The point of removing http:// and www. from the URL is to make the design cleaner and it easier to see what the domain is, because in the *vast majority* of cases those components are unnecessary detritus. There's no grand conspiracy here... but, you can always use another web browsing product, if you truly are worried about Google being evil (I have little doubt they are, but for other reasons). Or I'm sure someone will develop a plug in that restores this data if you need it.
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 08, 2020, 09:15:19 am
Who said anything about any grand conspiracy?

All complaints I have seen is that Chrome is becoming a browser for idiots who don't even know it's possible to browse the Web without Google's services (and it is becoming like that) and of course Google isn't shooting their foot by nudging those idiots to stop being such idiots (and they indeed are not)
Title: Re: Google Chrome 76 hiding information
Post by: SeanB on January 08, 2020, 09:33:31 am
Still, better than Edge or IE, I use it at work as the default browser, but at home I am using Firefox, just a LTS version that tends to have a lot of the cruft stripped out. That and adblock, ghostery and noscript with ublock as well, strange how many sites are not cluttered with all the ads, plugins and such turned off.
Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on January 08, 2020, 02:44:12 pm
And since that 3-byte hash algorithm has to be public, I wonder what would happen if we triggered bucket collisions by creating specially crafted account names somewhere and leaking the passwords to the internet ;D
Early in the morning a group of a few tired officers will deprive you of your electronics for a long time, and you will be informed about Art. 269a KK.

All complaints I have seen is that Chrome is becoming a browser for idiots who don't even know it's possible to browse the Web without Google's services (and it is becoming like that) and of course Google isn't shooting their foot by nudging those idiots to stop being such idiots (and they indeed are not)
I find it pretty amusing to see such extreme opinions about others coming from the mouth (or fingers? :D) of a person, who themself misunderstands the concepts they’re criticizing. Don’t you think it would be wiser to first understand what k-anonymity is, that Google is not the one who invented, proven it (it was Sweeney, the director of the Harvard’s data privacy lab), or even promoted (it was Troy Hunt), what are the factors at play and even such basics as knowing that encryption key being known to everyone doesn’t imply possibility of decrypting data?
Title: Re: Google Chrome 76 hiding information
Post by: GlennSprigg on January 08, 2020, 03:03:41 pm
Unfortunately, almost all Browser 'variations' these days, even the ones I like, all seem to be 'Chromium' based. However, some have GREAT/DIVERSE options to intervene with settings!
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 08, 2020, 06:12:22 pm
And since that 3-byte hash algorithm has to be public, I wonder what would happen if we triggered bucket collisions by creating specially crafted account names somewhere and leaking the passwords to the internet ;D
Early in the morning a group of a few tired officers will deprive you of your electronics for a long time, and you will be informed about Art. 269a KK.
How naive. Even assuming I have never heard about Tor, what if I work for Russian/Chinese intelligence? :P
They better have something stronger to protect their Internet infrastructure than laws.

I find it pretty amusing to see such extreme opinions about others coming from the mouth (or fingers? :D) of a person, who themself misunderstands the concepts they’re criticizing.
What's an extreme opinion about others?
That idiots exist? Dunno, maybe it's extreme, maybe it's not. Look at the Internet for inspiration if you seek the answer to that.
That Google (and other vendors) make software for the lowest common denominator of humanity at the cost of breaking usability for advanced users? This doesn't seem extreme, I think it simply is a fact.

Don’t you think it would be wiser to first understand what k-anonymity is, that Google is not the one who invented, proven it (it was Sweeney, the director of the Harvard’s data privacy lab), or even promoted (it was Troy Hunt), what are the factors at play
No, because I don't care about this feature and have no plans of using it. And I'm not even a Web developer either so I don't have to listen about it at work.

As far as I can see, somebody came up with a way of querying a hashset without the ability to scrape the full set and without disclosing the full key but 24 bits to the service provider. Good for them. And that's all I said (except for the initial SNAFU where I indeed didn't read the full article). Am I wrong?

And you see, this attitude is exactly the reason why everybody hates those damn nerds from Google et al. They (you?) just think the world owes them to understand everything and care whether they are right or wrong. We don't, we don't.
Myself, I just don't want their crap "innovations" thrown at me without even asking for it. Rest assured I barely use their services anymore and I used to be a fanboy.

and even such basics as knowing that encryption key being known to everyone doesn’t imply possibility of decrypting data?
Oh yes, Mr Smartypants. Now you tell me how the PR blurb I quoted could conceivably be interpreted as involving asymmetric crypto and how that scheme could possibly work? ;D
Title: Re: Google Chrome 76 hiding information
Post by: Mr. Scram on January 09, 2020, 07:30:29 am
It has been doing that for months (years?)  Doesn't seem like any big deal to me because you can click on the address box (as if you were going to Ctl-C copy the URL) and it displays the full URL.   :-//

I had to switch to Chrome back when IE was king of the pile because IE stopped displaying actual error messages and obscured everything to generic "Error 500".  Making it useless for development and debugging.
Why hide relevant information displayed in a spot reserved for it pretty much from the start? It feels like hiding the fuel level of a car behind a hatch. You won't need to look at it every minute but there are reasons to keep an eye on it.
Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on January 10, 2020, 04:47:50 am
How naive. Even assuming I have never heard about Tor,
If you would never hear about it, you wouldn’t be able to pull off the whole scheme, because no one would believe you if you would start selling poisonous datasets on eBay. However, how naïve to think that Tor can protect against detection with serially committed crimes. I believe you misunderstand what Tor protects as much as you misunderstood what Google does.

what if I work for Russian/Chinese intelligence? :P
Then I would say they have greatly lowered their standards.

They better have something stronger to protect their Internet infrastructure than laws.
Laws are an important element of defence in depth, and in this case they may even provide the basis of the protection. I believe you miss the amount of illegal work you would have to do to poison that hashtable. Creating tens of millions of fake but unsuspicious accounts, attacking a dozen of high-profile companies, accepting payment for the “stolen” data and then acting as if you were actually spending it (and I remind you most cryptocurrencies are more traceable than wire transfers). Good luck if you are not in fact an APT. All this to make Google… introduce a 5 minute fix: adding a configurable salt.

What's an extreme opinion about others?
That idiots exist? Dunno, maybe it's extreme, maybe it's not. Look at the Internet for inspiration if you seek the answer to that.
You haven’t said “idiots exist”, which would be a purely statistical statement. You pointed to very specific people. Even worse, the tone of that statement suggests that you feel superior compared to them.

That Google (and other vendors) make software for the lowest common denominator of humanity at the cost of breaking usability for advanced users?
As it happens, “the lowest common denominator”, your Untermensch, are the ones who are providing nearly all of the income to Google and therefore are the ones for which the company will care most in the situation when they have to choose how to allocate money. No one is preventing you and other “advanced users” from forming your own company that will cater to the needs of “advanced users” — using your money. You may just be surprised when you learn that your “advanced users” are merely people, who simply refuse to adapt and it has nothing to do with actual usability, and you are ending up with software that can satisfy none of them.

Don’t get me wrong: I dislike many changes too. I am unhappy with many changes that in fact saved little resources. But the reaction I see here is way too exaggerated and many claims are plain wrong.

(…) They (you?) just think the world owes them to understand everything and care whether they are right or wrong. We don't, we don't.
And that is the problem. There is a difference between opposing change that harms you, and not being able to accept change at all. Perhaps you should start caring about what’s right or wrong for you? If you use a password manager and long pseudorandom passphrases, which indeed makes the feature unimportant and you may stay with notifications about leaks for the given domain, then fine. But otherwise not using password checks like this is hurting your security much more than even revealing your whole password set to HIBP or Google in plaintext.(1) You are not exceptional, you are not magically protected from threats everyone else is vulnerable to.

Myself, I just don't wan their crap "innovations" thrown at me without even asking for it. Rest assured I barely use their services anymore and I used to be a fanboy.
Unless you are a very rare breed of user that runs with 3rd party servers blocked and JavaScript disabled, you are unlikely to not use their services, or not being observed by them. In particular in Poland, where half of your email correspondents are in the Gmail domain or their mail is forwarded to their Gmail accounts. That includes revealing your passwords to Google.

Oh yes, Mr Smartypants. Now you tell me how the PR blurb I quoted could conceivably be interpreted as involving asymmetric crypto and how that scheme could possibly work? ;D
It could be interpreted as anything. Neither interpretation is more likely than the other.

Why hide relevant information displayed in a spot reserved for it pretty much from the start? It feels like hiding the fuel level of a car behind a hatch. You won't need to look at it every minute but there are reasons to keep an eye on it.
Because, unlike fuel level, it is not relevant at all during normal use. Whether it is HTTP or HTTPS is not providing you with much useful information while simply browsing.
____
(1) Except for intranet passwords: in their case there are some arguments to weigh. But this is unlikely to be what concerns most people commenting on this subject.
Title: Re: Google Chrome 76 hiding information
Post by: Mr. Scram on January 10, 2020, 06:09:28 am
Except that the full address can be useful and not just because of SSL. There's no reason to hide it while there are reasons to view it.
Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on January 10, 2020, 07:28:07 am
And what are the reasons to see the scheme name other than debugging broken servers? Though even that can be done by simply realizing that non-TLS connections will not have a certificate.
Title: Re: Google Chrome 76 hiding information
Post by: ataradov on January 10, 2020, 07:31:26 am
For me the reason is that I absolutely hate when things jump around. And that's exactly what happens when you click on the address bar to select and copy the URL. And now I have to make more mouse movements to get back to the point of the text I wanted to select.

Plus there is absolutely no need for this. The address bar is long and saving 5 characters is not that significant.
Title: Re: Google Chrome 76 hiding information
Post by: rdl on January 10, 2020, 11:03:36 am

Reminds me somewhat of those idiot web pages where the last bit of a section of text fades away and you have to click "More..." to see the rest of it. What do those fools think they are saving? Certainly not paper. It can annoy the user and cause them a bit more work though. It's almost funny how often "more" turns out to be less than another full line.


For me the reason is that I absolutely hate when things jump around. And that's exactly what happens when you click on the address bar to select and copy the URL. And now I have to make more mouse movements to get back to the point of the text I wanted to select.

Plus there is absolutely no need for this. The address bar is long and saving 5 characters is not that significant.
Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on January 11, 2020, 01:13:40 am
For me the reason is that I absolutely hate when things jump around. And that's exactly what happens when you click on the address bar to select and copy the URL. And now I have to make more mouse movements to get back to the point of the text I wanted to select.
The first comment in this Goofle-bashing thread that actually raises some real issue. Yes, that makes sense. But, still, you can disable the feature.

Plus there is absolutely no need for this. The address bar is long and saving 5 characters is not that significant.
It is not only about the length. That’s also about readability. For people less familiar with technology the full URL is just: “gIbB:/ErI/Sh.important.part/gib/ber/ish?and=more&meaningless=giberish&with=hofok9n1f5a1cf1ckztxjg2xceqfn8na9rhprgy0coczbv3g2rxzx9qd”. Trimming reduces that to: “important.part/gib/ber/ish?and=more&meaningless=giberish&with=hofok9n1f5a1cf1ckztxjg2xceqfn8na9rhprgy0coczbv3g2rxzx9qd”. Yes, perhaps it would be great to live in a world in which each and every person understands what the “gibberish” part is. But this is not happening and there is no reason to think it will happen. Sometimes reality sucks, happens.

For many people, who think they understand URLs, and most people to whom I talked and who believed they have a practical use for the full version in everyday browsing, it was even something else: “misinterpreted://important.part/gib/ber/ish?and=more&meaningless=giberish&with=hofok9n1f5a1cf1ckztxjg2xceqfn8na9rhprgy0coczbv3g2rxzx9qd”. :)

Title: Re: Google Chrome 76 hiding information
Post by: amyk on January 11, 2020, 03:30:08 am
But this is not happening and there is no reason to think it will happen.
I imagine many centuries ago, people thought there was no reason to be literate.

Of course, the difference between then and now is that now we have big companies who don't want people to know too much, so they can keep them ignorant and under control...
Title: Re: Google Chrome 76 hiding information
Post by: 2N3055 on January 11, 2020, 09:44:37 am
For me the reason is that I absolutely hate when things jump around. And that's exactly what happens when you click on the address bar to select and copy the URL. And now I have to make more mouse movements to get back to the point of the text I wanted to select.
The first comment in this Goofle-bashing thread that actually raises some real issue. Yes, that makes sense. But, still, you can disable the feature.
Except you can't.

Plus there is absolutely no need for this. The address bar is long and saving 5 characters is not that significant.
It is not only about the length. That’s also about readability. For people less familiar with technology the full URL is just: “gIbB:/ErI/Sh.important.part/gib/ber/ish?and=more&meaningless=giberish&with=hofok9n1f5a1cf1ckztxjg2xceqfn8na9rhprgy0coczbv3g2rxzx9qd”. Trimming reduces that to: “important.part/gib/ber/ish?and=more&meaningless=giberish&with=hofok9n1f5a1cf1ckztxjg2xceqfn8na9rhprgy0coczbv3g2rxzx9qd”. Yes, perhaps it would be great to live in a world in which each and every person understands what the “gibberish” part is. But this is not happening and there is no reason to think it will happen. Sometimes reality sucks, happens.

For many people, who think they understand URLs, and most people to whom I talked and who believed they have a practical use for the full version in everyday browsing, it was even something else: “misinterpreted://important.part/gib/ber/ish?and=more&meaningless=giberish&with=hofok9n1f5a1cf1ckztxjg2xceqfn8na9rhprgy0coczbv3g2rxzx9qd”. :)

URL is full address. Nobody wants to understand it. So they took complete full address (that is not human readable sometimes) and changed it to "and here is some computer shit" label.
So, because I don't know how to read and pronounce Japanese, instead of me verbatim copying address (without understanding that translated it means "Maple leaf street") of my Japanese friend in Tokyo, I will simply address my letter to : Matsuo Mori, some Japanese shit 13, Tokyo.. See, that's better, much easier.

Rewriting is, also, basically, address spoofing. Which I have no paranoia that Google will steal my life, but opens a wormhole that if someone really spoofs address, nobody will notice, because you will have no clue how it is supposed to look anyway. And also, if I want to open that same address in some other browser that is not Google based, will I be able to.. You would be surprised how many non tech people are not using copy-paste. They open second window and start typing address as they see it..
It also poses a legal problem: what site did I go to, really? No problem judge, I have a screenshot here.. oops...

Address rewriting is a solution to problem that doesn't exist, except in the heads of graphic designers and marketing dept. That think it makes browser look techy and complicated. They like clean look so much that, if you ask them, there would be only on-off button on browser, and no other stuff to "confuse" user. "..You don't really need to USE it, do you... Because, look at it, it's so pretty this way, no need to clutter it with that functional shit......"

As somebody said once: "If you make a program that any idiot can use, only idiots will want to use it..."
We are getting there fast...
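
To make the display-ambiguity point argued in the posts above concrete, here is an added example (not part of any post in this thread, and not Chrome's code) that models the elision as the quoted article describes it, hiding "https://" and a leading "www", and reports which distinct URLs end up shown as the same string. The function names and the yourbank.example URLs are constructed for illustration; the guard that leaves a two-label host such as "www.example" intact is an assumption of this sketch.

```javascript
// Simplified model of the steady-state address bar discussed in this thread.
// Assumption: illustration only, not Chrome's actual elision logic.
function elideForDisplay(rawUrl) {
  const u = new URL(rawUrl);           // WHATWG URL parser (browsers, Node.js)
  let host = u.host;                   // hostname plus any non-default port
  // Hide a leading "www." label, but never reduce the host to a single label.
  if (host.startsWith("www.") && host.split(".").length > 2) {
    host = host.slice(4);
  }
  // Only "https://" is hidden; any other scheme stays visible.
  const scheme = u.protocol === "https:" ? "" : u.protocol + "//";
  const rest = u.pathname + u.search + u.hash;
  return scheme + host + (rest === "/" ? "" : rest);
}

// Group full URLs by what the model would display and return only the groups
// in which more than one distinct URL is shown as the same text.
function findDisplayCollisions(urls) {
  const groups = new Map();
  for (const raw of urls) {
    const href = new URL(raw).href;    // normalised full URL
    const shown = elideForDisplay(raw);
    if (!groups.has(shown)) groups.set(shown, new Set());
    groups.get(shown).add(href);
  }
  return [...groups]
    .filter(([, full]) => full.size > 1)
    .map(([shown, full]) => ({ shown, full: [...full].sort() }));
}

// Constructed sample input: four different URLs for one hypothetical site.
const SAMPLE_URLS = [
  "https://www.yourbank.example/login",
  "https://yourbank.example/login",
  "http://www.yourbank.example/login",
  "https://m.yourbank.example/login",
];

for (const url of SAMPLE_URLS) {
  console.log(url.padEnd(40), "->", elideForDisplay(url));
}
console.log(JSON.stringify(findDisplayCollisions(SAMPLE_URLS), null, 2));
```

Someone retyping the displayed text into another browser cannot tell which of the colliding hosts they were actually on; whether those hosts serve the same content is up to the site operator, not the browser.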
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 11, 2020, 10:31:30 am
I believe you miss the amount of illegal work you would have to do to poison that hashtable. Creating tens of millions of fake but unsuspicious accounts, attacking a dozen of high-profile companies, accepting payment for the “stolen” data and then acting as if you were actually spending it (and I remind you most cryptocurrencies are more traceable than wire transfers).
If it's only passwords of accounts which had in fact been hacked then fine, that would be hard to pull off. If it contains also things like username/password lists which have been seen on some shady marketplaces or even pastebin, that could be easier. Bonus if you mix it with legitimate data. Don't tell me you have never hacked your way into a database of 100% reliable PII of thousands of people :P
And it would probably only take on the order of 100k accounts to make your Chrome downloads megabytes of junk every time you type "golden_label" into a login box here.
I take the point that they might be resalting the database every 24h or whatever, which would make the attack quite infeasible.

Perhaps you should start caring about what’s right or wrong for you? If you use a password manager and long pseudorandom passphrases, which indeed makes the feature unimportant and you may stay with notifications about leaks for the given domain, then fine. But otherwise not using password checks like this is hurting your security much more than even revealing your whole password set to HIBP or Google in plaintext.(1) You are not exceptional, you are not magically protected from threats everyone else is vulnerable to.
Perhaps you should stop caring about what's right or wrong for me.
I don't use a password manager :P
I don't send every domain I visit to Skynet for approval, that's what Chrome users do ;D
I don't need Skynet to tell me about breaches at all. The few actually important services that I use over the Internet are important enough that I expect them to lock the account immediately and notify me about breaches. The rest I could live with losing.

You know the old joke:
noob's password: suzy, because nobody on the 'net knows his girlfriend's name
lamer's password: 5uz131337666, because nobody could possibly guess that  <-- you are on this stage ;)
hacker's password: suzy, because anyone who wants will hack it anyway 8)

It could be interpreted as anything. Neither interpretation is more likely than the other.
"Anything" is not an example, Mr Relativist.
You cry that I implied you might be an idiot because you appear to use a browser made for idiots but you yourself have no problem babbling that I don't understand the basics of the field I'm talking about without giving proof :P
Title: Re: Google Chrome 76 hiding information
Post by: GeorgeOfTheJungle on January 11, 2020, 11:17:39 am
I was bitten by this in September: "No, it wasn’t a virus; it was Chrome that stopped Macs from booting"
https://arstechnica.com/information-technology/2019/09/no-it-wasnt-a-virus-it-was-chrome-that-stopped-macs-from-booting/

Needless to say, no more Chrome for me. GRRR. Never again.

Check out Brave guys. Really. It's from the guy that invented JavaScript, and co-founder of Mozilla. He knows a thing or two about the web...

https://brave.com/

AND PRESS CMD-L TO SEE THE PROTOCOL IN THE ADDRESS BAR
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 11, 2020, 12:38:52 pm
Quote
The root directory, /, must be writable by the logged-in user
:wtf:

It's from the guy that invented JavaScript
Not sure what to think about it :P
I hope he regrets it at least a little ;)
Title: Re: Google Chrome 76 hiding information
Post by: GeorgeOfTheJungle on January 11, 2020, 02:05:17 pm
Quote
The root directory, /, must be writable by the logged-in user
:wtf:

It's writable because the google updater runs with setuid privileges.

$ ls -la /var
lrwxr-xr-x@ 1 root  wheel  11 Aug  1  2015 /var -> private/var

It's from the guy that invented JavaScript
Not sure what to think about it :P
I hope he regrets it at least a little ;)

Meh, Larry Wall and Rasmus Lerdorf ought to apologize first... ;D Would you have preferred VB scripts?
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 11, 2020, 03:25:48 pm
Would you have preferred VB scripts?
:-DD
Glad that you ask, there actually was a time when young me would have answered yes ;D
I totally sucked at English at the time and it took me several painful months to learn even the basics (no pun intended :P) of JavaScript.

I think Perl would be better. Higher barrier to entry, less code created (good thing IMO), more prestige and job security for those actually able to do something useful with it. No minifiers, no obfuscators, life would be happier for developers in so many ways :)
Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on January 13, 2020, 02:50:15 am
But this is not happening and there is no reason to think it will happen.
I imagine many centuries ago, people thought there was no reason to be literate.
Please read carefully. I have written “there is no reason to think it will happen”, not “there is no reason [to make] it happen”. :)

Of course, the difference between then and now is that now we have big companies who don't want people to know too much, so they can keep them ignorant and under control...
Oh, conspiracy theories again on the rise! Lizard people are upon us! :scared: :D

For me the reason is that I absolutely hate when things jump around. And that's exactly what happens when you click on the address bar to select and copy the URL. And now I have to make more mouse movements to get back to the point of the text I wanted to select.
The first comment in this Goofle-bashing thread that actually raises some real issue. Yes, that makes sense. But, still, you can disable the feature.
Except you can't.
So all the sources claiming it can be disabled under “chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains” are lying?

URL is full address. (…)
Yes, if one makes a-priori an assumption that the address bar should display URLs, then indeed the discussion is over before it is even started. By this logic I could argue that a link to the forum from the main EEVblog page is wrong, because EEVblog needs no forum. You would argue that there is a fault in my logic, because the premise was never stated or proven — and you would be right. In the same way you make an assumption that this field should show an URL.

Rewriting is, also, basically, address spoofing. Which I have no paranoia that Google will steal my life, but opens a wormhole that if someone really spoofs address, nobody will notice, because you will have no clue how it is supposed to look anyway.
That means the attacker would be able to spoof the second-level domain too, so why even bother going for the lower ones and, what the hell, use different name if they can spoof the original one? Assuming someone would do that for whatever reason, how does e.g. “www.yourbank.example” look more suspicious than “m.yourbank.example”? :o

And also, if I want to open that same address in some other browser that is not Google based, will I be able to.. You would be surprised how many non tech people are not using copy-paste. They open second window and start typing address as they see it..
That may be a valid point, but it is a minor issue to solve, not a feature blocker. Nowadays those prefixes are seldom used to distinguish servers. If present they are usually used for determining the website type to use: mobile or not. And in particular the “www” and second-level-domain-only addresses are aliases to each other used for backward compatibility. Doing otherwise becomes a pointless practice, considering that now you must have the second-level domain point to something to get HSTS preload. So the problem is not huge and existing trends make it smaller with time.

An argument similar to yours can be made for the opposite claim: people are also moving addresses from mobile devices to PCs and vice versa. Explicitly requesting the mobile-version address on a PC or the other way around is also a problem to the user. Have you considered that?

It also poses a legal problem: what site did I go to, really? No problem judge, I have a screenshot here.. oops...
“Look, judge, I have this screenshot here… just please ignore the possibility that I have just edited the URL and you can’t even detect the edit.” If a judge allows screenshots as proofs that one has visited a given URL, there is a problem orders of magnitude larger than how browsers work. :)

Even without editing anything a URL is useless by itself. The displayed URL can differ from the actual URL for ages and in JavaScript-heavy pages it is typical that what you see on the screen is not even addressable.

Address rewriting is a solution to problem that doesn't exist, except in the heads of graphic designers and marketing dept. That think it makes browser look techy and complicated. They like clean look so much that, if you ask them, there would be only on-off button on browser, and no other stuff to "confuse" user. "..You don't really need to USE it, do you... Because, look at it, it's so pretty this way, no need to clutter it with that functional shit......"
Perhaps you should start taking other people’s views into account? Your perspective is not the only one and it alone is not the best one.

You cry that I implied you might be an idiot
Except that you have never called me an idiot. So far.

because you appear to use a browser made for idiots
So if Firefox is made for idiots, which one is not?

but you yourself have no problem babbling that I don't understand the basics of the field I'm talking about without giving proof :P
In such cases the proof is very simple. It consists of two parts. First: you see a person who is consistently misunderstanding the subject of the talk and misinterprets issues under discussion. Second: the person repeatedly invokes misconceptions which are unexpected to be used by a person knowing the subject.

I assume there is no point in responding to the rest of the message, as you seem to be mainly concerned about defending yourself against having to explore other perspectives. Indeed, it is easier to explain the world in terms of “others are idiots” — it requires no thinking whatsoever.

Title: Re: Google Chrome 76 hiding information
Post by: 2N3055 on January 13, 2020, 07:48:22 am

For me the reason is that I absolutely hate when things jump around. And that's exactly what happens when you click on the address bar to select and copy the URL. And now I have to make more mouse movements to get back to the point of the text I wanted to select.
The first comment in this Goofle-bashing thread that actually raises some real issue. Yes, that makes sense. But, still, you can disable the feature.
Except you can't.
So all the sources claiming it can be disabled under “chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains” are lying?
No they are not lying. It used to be possible. Chrome 79.0.3945.117 on PC has that option removed. So it is not possible anymore. And also, that option should be put in GUI advanced options for simple user configurability, not in flags... Check your facts before fighting people...
 See:
https://community.brave.com/t/display-full-url/89775
https://support.google.com/chrome/thread/23036602?hl=en
URL is full address. (…)
Yes, if one makes a-priori an assumption that the address bar should display URLs, then indeed the discussion is over before it is even started. By this logic I could argue that a link to the forum from the main EEVblog page is wrong, because EEVblog needs no forum. You would argue that there is a fault in my logic, because the premise was never stated or proven — and you would be right. In the same way you make an assumption that this field should show an URL.
What else a text box, that used to have title URL written next to it in older browsers, should show?
Address rewriting is a solution to problem that doesn't exist, except in the heads of graphic designers and marketing dept. That think it makes browser look techy and complicated. They like clean look so much that, if you ask them, there would be only on-off button on browser, and no other stuff to "confuse" user. "..You don't really need to USE it, do you... Because, look at it, it's so pretty this way, no need to clutter it with that functional shit......"
Perhaps you should start taking other people’s views into account? Your perspective is not the only one and it alone is not the best one.

I agree with that. Well said. That is EXACTLY what seems to be that people in this thread are trying to explain to YOU...
So we can agree to disagree..

Look, I don't mind if they make some things that are controversial. Beauty of software, is that all that is needed is a stupid check box somewhere in Settings, that says "Simple/Expert mode" or something like that. So you and I can both use it any way we want. But they are not "simplifying" anything, just making it crippled. 
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 13, 2020, 09:37:11 am
I assume there is no point in responding to the rest of the message, as you seem to be mainly concerned about defending yourself against having to explore other perspectives. Indeed, it is easier to explain the world in terms of “others are idiots” — it requires no thinking whatsoever.
What other perspective? That I could be making easy money by creating increasingly complex byzantine shit that people could frankly live without and becoming a SPOF for billions of idiots who trust me with their data?

In case it still hasn't dawned on you :P I am from the software industry and I know it inside out and I know all the "perspectives" and "their-stories" and "narratives" of Silicon Valley and their copycats worldwide.

You are not here to change the world and many people are perfectly satisfied with it as it is, without your "progress" and "innovation". Better get used to it.
Title: Re: Google Chrome 76 hiding information
Post by: GeorgeOfTheJungle on January 13, 2020, 10:30:03 am
Would you have preferred VB scripts?
:-DD
Glad that you ask, there actually was a time when young me would have answered yes ;D
I totally sucked at English at the time and it took me several painful months to learn even the basics (no pun intended :P) of JavaScript.

Most people who think they hate JS what they hate is the DOM (and rightly so!) but they don't know it because they can't distinguish one thing from the other. JavaScript deserves a big :-+

Have you tried out Brave already?
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 13, 2020, 10:59:12 am
Is Vladimir Putin paying you for promoting it? ::)
I still use FF. Too much vendor lock-in with all the extensions.

As for JS, well, there are people who hate it as a language too. There are some questionable design choices like "undeclared variables become globals", "numbers are floating point" or the bizarro comparisons. I'm sure you have seen the WAT talk too ;)

Also, it's not just the technology but the effects it has. These days you often need to download megabytes of JS libraries just to see some stupid static text |O
It really should have been Perl, COBOL, Intercal or something else that would make people think twice before using it at all. >:D

Back on topic, the whole "confusing URL" controversy is a complete nothingburger. Here, how FF solved it many years ago and I had an extension which did the same long before 2010. The extension even separately colored the ? and all the request parameters. How awesome is that?
[attachimg=1]
Title: Re: Google Chrome 76 hiding information
Post by: GeorgeOfTheJungle on January 13, 2020, 12:23:54 pm
Too much vendor lock-in with all the extensions.

I don't get it... What do you mean?

There are some questionable design choices like "undeclared variables become globals"

That's been fixed a long time ago: "use strict"; (function () { b=5 })(); => Uncaught ReferenceError: b is not defined

Quote
"numbers are floating point"

That's a  :-+ not a  :--.

Quote
or the bizarro comparisons

Just don't use == but ===. Yes, some objects still have the wrong typeofs, but that's only a trap for noobs. And to be fair, every language comes with its own footguns. JS unlike other languages can't remove the bad parts because it would break the web => you have to learn not to use them.

Also, it's not just the technology but the effects it has. These days you often need to download megabytes of JS libraries just to see some stupid static text |O

99% of the web is written by throwing libraries on top of libraries/library plugins to do what in many cases could have been done with direct calls to the DOM in 10 lines of JS, yes.

*** Use Brave. Check it out. Now! :box: ***
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 13, 2020, 02:33:48 pm
Browser extensions. Those things that add syntax highlighting to the Google Content Identification Bar™ (formerly known as URL bar) and much more. Use them. Your first one is free.
Title: Re: Google Chrome 76 hiding information
Post by: Mr. Scram on January 13, 2020, 06:02:54 pm
And what are the reasons to see the scheme name other than debugging broken servers? Though even that can be done by simply realizing that non-TLS connections will not have a certificate.
Just look at the additional information in the address of this forum page for an example of extra information. I can see the page should be SSL secured, I can see the page is PHP and the query I can see the original title which can change along the way in some threads and I can see page size. That's just one example. Why obscure it when the bar is there already? I could tape up the temperature gauges of my car but I'm not going to do that either.
Title: Re: Google Chrome 76 hiding information
Post by: golden_labels on January 14, 2020, 02:02:13 am
No they are not lying. It used to be possible. Chrome 79.0.3945.117 on PC has that option removed. So it is not possible anymore. And also, that option should be put in GUI advanced options for simple user configurability, not in flags... Check your facts before fighting people...
TIL presenting a different opinion is “fighting”. I don’t know why some people feel so threatened by that, but it’s probably not really important. As for the facts, see what version has spawned that discussion.

What else a text box, that used to have title URL written next to it in older browsers, should show?
What else mains sockets, that used to have unearthed 110V in older apartments, should offer in 2020? Hey, who said it must be as it was in old browsers? Why do you assume that 1990s UI is the best ever invented?

But IMO? The domain for which the certificate is issued, followed by website-supplied location information. The first part is delivering the actual information about the server’s identity — unlike the URL bar, which just tells you where you intended to go, not where you actually are. The second part is offering the navigation options, instead of just displaying some characters that are both meaningless and useless to most users, and also a constant source of authentication token leaks. For fallback on unauthenticated servers: the FQDN (w/o the common target-device/alias hostnames) or an IP address. For servers that do not offer location information: the resource name w/o the query and fragment. Of course that doesn’t prevent either reading, copying or entering raw URL for anyone who does want that.

Before you start opposing that idea: the second part, the location information, is already reality. You are over 10 years too late to protest ;). The only difference I propose is offering the user a semantic and useful view of that information.

If you have missed the change, it’s likely because only a small group of extremists, like myself, made any fuss about it. And the arguments raised back then are no longer valid, since the important vulnerabilities were fixed. I guess that if Chrome would not hide the scheme along with the hostname, most people would miss that change too. :D

I do not know how the certificate view looks in Chrome nowadays, but if it does as it was in the past, it should also be removed. Mozilla is already working on that, eliminating the ridiculous 4-click process of getting the contents of the certificate. If you want to try it yourself, see the Certainly Something extension on which the actual implementation is going to be based. The other things I disliked are already removed: special indicators for the EV certs and green bars/padlocks/whatever for TLS connections.

I agree with that. Well said. That is EXACTLY what seems to be that people in this thread are trying to explain to YOU...
So people made the thread to make me see views different than theirs, despite they didn’t know my views before I joined? I miss a head-scratching emoticon right now. :D

A quick recap. A rant was started about the change, with arguments indicating a very specific, narrow view from tech-focused people. I have joined, showing a different perspective on the same issue. Not even my own ideas on how it should look like. I also poked some people to make them stop for a moment and see that they’re not the only humans on Earth and they’re not even a representative sample of the species, and to make them realize that they seem to be overestimating the importance of the change to their own real use of some feature. I have offered my own view in this very post you’re reading right now. So… who was showing me what, and how?

Oh, and of course I couldn’t resist ridiculing a few people who believe in conspiracy theories or consider themselves superior to the general population despite they themselves repeatedly show lack of understanding of the subject. Yeah, forgive me — but I guess this isn’t what you were referring to.

We’re talking about what I did 5 months ago, so if I missed something, correct me.

And what are the reasons to see the scheme name other than debugging broken servers? Though even that can be done by simply realizing that non-TLS connections will not have a certificate.
Just look at the additional information in the address of this forum page for an example of extra information. I can see the page should be SSL secured, I can see the page is PHP and the query I can see the original title which can change along the way in some threads and I can see page size. That's just one example. Why obscure it when the bar is there already? I could tape up the temperature gauges of my car but I'm not going to do that either.
Please, do not ask me to look at it, because I am not a good representative of the general population. And don’t tell me what you see: for exactly the same reason. Ask what an average user can see and of what value is it to them.

However, going step by step over your points just to explore the subject… I can’t see what you have described, as I see that right now:
[attachimg=1]
What does it tell me?

Now… let’s come back to the URL you have probably seen. What was the value of the information you have received?

I like the idea of readable URLs. But usually they are not. With CDNs becoming more and more popular meaningless URLs become even more popular. SEO makes them seem readable… until you realize that very often this is just a bunch of keywords mixed with an identifier and a couple of other numbers. :)
Title: Re: Google Chrome 76 hiding information
Post by: magic on January 14, 2020, 08:29:08 am
What else mains sockets, that used to have unearthed 110V in older apartments, should offer in 2020? Hey, who said it must be as it was in old browsers? Why do you assume that 1990s UI is the best ever invented?
Notwithstanding occasional issues with overzealous RCDs, we don't complain because by some miracle the electric power industry is much better at backwards compatibility than Google could ever dream of.

We are talking about the URL bar. Uniform Resource Locator they call it. It doesn't tell you whether all your data are encrypted. It doesn't tell you whether the browser has verified the peer's identity. It doesn't tell you that your CAs have been compromised by your employer or government for HTTPS proxying. It isn't supposed to warn you about pedophiles.

It is a unique identifier of whatever thing you are viewing. Some services make efforts to make it human readable, others less so. Sometimes it will show the same thing when you reload, sometimes it won't. At any rate, you can try to copy it, you can bookmark it, you can post it on a forum, you can punch it in and press ENTER. That's the whole purpose this thing has ever had.

Imagine that there actually exist other, dedicated UI elements for information about TLS status, certificates, unencrypted content and bullshit like that. If people still fall for phishing or MITM in 2020, it's not because they have seen HTTPS rather than HTTP on their location bar, it's because they failed to read what the green bar next to it says or ignored a big exclamation mark or clicked through a warning telling them exactly what is about to happen.

Breaking the URL bar is not going to provide the user with more information. And there is absolutely no excuse for going as far as even removing the option to restore normal operation.

TIL presenting a different opinion is “fighting”. I don’t know why some people feel so threatened by that, but it’s probably not really important.
Oh really?

Because it looks like a dozen people are hammering a point at you and it's you who just keep coming up with mental gymnastics to justify Google at all cost.
Title: Re: Google Chrome 76 hiding information
Post by: MrMobodies on January 16, 2020, 08:30:24 am
Just noticed the URL is at the top of the title and it looks a little like they shortened some of them in their so-called breadcrumbs but not all of them.

See attached picture.

What I do, I search with DuckDuckGo and then with Google search as they seem to display different results sometimes.
Title: Re: Google Chrome 76 hiding information
Post by: amyk on January 17, 2020, 02:20:22 am
I noticed that too, and adjusted my filter to put it back to what it should be.

Title: Re: Google Chrome 76 hiding information
Post by: MrMobodies on January 17, 2020, 03:12:59 pm
I am finding the text a bit big, so I had to zoom out.

Your screenshot looks really nice.

Don't suppose you can share your filter/method?