This article originally appeared on ZDNet.
With the launch of Chrome 69 this week, Google promoted new features and a new look. It gave users months to prepare for Chrome dropping ‘Secure’ from HTTPS sites and adding ‘Not secure’ in red to HTTP sites from Chrome 70.
But for some reason Google decided against mentioning that as of Chrome 69 the world’s most popular browser will no longer show the www. or m. on websites in the address bar because they’re just a “trivial subdomain”. As a result, www.zdnet.com is now displayed as zdnet.com.
For now, users can force Chrome to display the full address by disabling the flag ‘Omnibox UI Hide Steady-State URL Scheme and Trivial Subdomains’ at chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains.
HTTPS is the ‘steady-state URL scheme’, while Chrome now considers the www to be a “trivial subdomain” that the address bar would look better without.
You can still reveal the full URL in Chrome 69 by double-clicking the address in the address bar, and if you copy the simplified address and paste it elsewhere it will display the full address.
Chrome 69’s treatment of www in the address bar is similar to Apple’s Safari, but the change in Chrome has caused greater concern over Google’s motivations.
After all, it went to great lengths to warn users about new ways it would communicate HTTP and HTTPS in the address bar, but stayed silent about dropping an equally important indicator that users expect to see.
In a bug report spotted by The Register, critics have pointed out several instances where two different sites will now look the same, potentially exposing users to phishing attacks.
For example, m.tumblr.com, which is not Tumblr’s site, is shown as tumblr.com, and it’s not immediately clear that http://www.pool.ntp.org and http://pool.ntp.org are two different sites. Also, in the case of a domain like ‘www.www.2ld.tld’, the www is hidden twice.
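The collisions described above can be checked for a list of hostnames. The following is an added example, not code from Chrome or from the original article: a simplified model of the elision as the article describes it, where the function names, the two-label floor and the sample URL list are assumptions made for illustration.

```javascript
// Simplified model of the address-bar elision described in the article.
// This is not Chrome's implementation.
const TRIVIAL_LABELS = new Set(["www", "m"]); // labels the article says are hidden

// Return the host as the simplified address bar would show it.
function displayedHost(url) {
  const labels = new URL(url).hostname.toLowerCase().split(".");
  // Strip leading trivial labels repeatedly (the 'www.www.2ld.tld' case).
  // Assumption: keep at least two labels; no public-suffix lookup is done.
  while (labels.length > 2 && TRIVIAL_LABELS.has(labels[0])) {
    labels.shift();
  }
  return labels.join(".");
}

// Group URLs by displayed host and return only the groups in which
// distinct real hostnames collapse to the same on-screen text.
function findDisplayCollisions(urls) {
  const groups = new Map();
  for (const url of urls) {
    const real = new URL(url).hostname.toLowerCase();
    const shown = displayedHost(url);
    if (!groups.has(shown)) groups.set(shown, new Set());
    groups.get(shown).add(real);
  }
  const collisions = {};
  for (const [shown, reals] of groups) {
    if (reals.size > 1) collisions[shown] = [...reals].sort();
  }
  return collisions;
}

// Constructed sample input built from the hostnames mentioned in the article.
const SAMPLE_URLS = [
  "https://www.tumblr.com/",
  "https://m.tumblr.com/",
  "http://www.pool.ntp.org/",
  "http://pool.ntp.org/",
  "https://www.www.2ld.tld/",
  "https://www.zdnet.com/",
];

console.log(findDisplayCollisions(SAMPLE_URLS));
```

Running the same grouping over the hostnames an organisation actually serves shows which of its own sites would become indistinguishable in the simplified address bar.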
The issue has sparked a debate on Hacker News, where some argue that the change is part of Google’s long-term plan to hide its AMP subdomain and make it indistinguishable from the actual domain.
“And then suddenly the whole world funnels through AMP,” the commenter noted.
Just as Chrome 69 was released, Google told Wired that URLs are failing to convey a site’s identity, so they’re looking for something else that offers more convenience and greater security.
Nonetheless, the impression it’s given is that Google is trying to kill the URL and assert its dominance over the web.
Security expert Scott Helme reckons the change is good, at least from a phishing standpoint, since most users will understand a padlock better than https://, while removing the www means there’s less information to interpret.