As the maker of the world’s most-used web browser, Google has both a moral and maybe even legal obligation to protect the privacy and security of its users. Not all of its efforts have been welcomed without scrutiny, however, as shown by the Privacy Sandbox and FLoC, short for Federated Learning of Cohorts. Even before that, however, Google has been trying to fight off phishing scams by modifying what users see on Chrome’s address bar. It turns out that strategy wasn’t as effective as it presumed and Google is now backtracking on the position it defended strongly last year.
Many phishing scams rely on people’s tendency not to double-check things, be it numbers that are calling them or the address that websites have. The latter can be even trickier when some phishing sites try to use URLs or addresses that look or sound so close to the original, use extra-long strings of text to deter inspection, or use other tricks to hide their true source. Google’s proposed solution was to hide those URLs altogether and only show the real domain name of the web page.
Last year, Google started an experiment where it would hide all but the domain name of a site in the hopes that it would help users more easily distinguish “google.com” from “gooogle.com”. It is a far tamer option compared to an even older proposal where Chrome would not even show URLs but only search terms. That, of course, presumed everyone uses address bars for directly searching on Google or other search engines.
Google is now apparently ending this “simplified domain experiment”, which means it will no longer land on end-users’ Chrome browsers. It simply said that the strategy didn’t move relevant security metrics, which is probably another way of saying it wasn’t actually effective in combating spoofing sites. There is probably an even bigger risk that people won’t give the simplified URL a second look because it actually looked more legit by looking simpler.
Beyond doubts about the effectiveness of the solution, however, Google also got criticized for favoring its own apps and services with this strategy. In particular, it would have hidden Google’s AMP pages from plain sight, driving more traffic to Google’s servers rather than the actual source of those sites.