Redirecting you to
Click if you are not redirected within 5 seconds
USD
Support
Contact Us
Podcast May 16, 2023

Root Causes 303: A Return to Chrome and the Address Bar

In our recent episode 300 we discussed Chrome's upcoming removal of the lock icon from its interface. In this follow up, we catch the listener up on Chrome's longstanding program to minimize the URL in its interface, even to the point of contemplating removing the address bar entirely.

  • Original Broadcast Date: May 16, 2023

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    I’m gonna take you back to our recent episode 300. Chrome Eliminates the Lock Icon. And you and I were talking about, as the titles suggests, that the lock icon itself is going to be leaving the Chrome interface very soon. I believe it was in the month of September coming up. And at the time, we speculated - I think you brought it up to say, wasn’t Google planning on eliminating the URL entirely and we both said, yeah, gee, I think they were. I need to remember the specifics. So, we went away. We did a little research and we just want to share with the readers what we found.

  • Jason Soroko

    It turns out that there was some merit to that. Yeah. Go ahead with that, Tim. I think it’s interesting.

  • Tim Callan

    So, for everybody’s reference, I want to reference a September 4 article from 2018 from Wired Magazine. Lily Hay Newman and the headline is Google Wants to Kill the URL. And this is a story about Chrome basically questioning the URL in various ways. This is from 2018 and in particular, there is a quote here we want to read. This quote is from Adrienne Porter Felt who is an Engineering Manager at Chrome – or was at the time. I don’t know if Adrienne is there anymore or not but, “People have a really hard time understanding URLs. They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone—they know who they’re talking to when they’re using a website and they can reason about whether they can trust them. But this will mean big changes in how and when Chrome displays URLs.”

    So, that’s the quote and that was connected to a series of moves that Google made. One of the things that they did was they eliminated the www and the https, and those just didn’t display anymore. Another thing that they did was they got rid of everything past the first slash. So, you know, if I was going down a series of pages, it might say Sectigo.com/shop/SSL. Right? And they would get rid of everything after the .com. So, those are a couple of things that Google did in this minimize the URL exercise during which they also, of course, as we know, gradually reduced and eventually eliminated the EV indicators. And all those things kind of happened simultaneously more or less between 2018 and 2020 or 2017 to 2020 or so.

  • Jason Soroko

    That is totally consistent with what I remember for sure.

  • Tim Callan

    So, then we kept researching and I want to reference an Ars Technica article. This is by Ron Amadeo. The date is June 11, 2021 and here is the headline – Google Chrome ends its war on address bar URLs for now at least. And in this article Ron reports – and this is actually a neat little bit of reporting. I want to share this. At the time Google had stripped down the URL, like I said, to get rid of everything after the .com. So it would only show the new URL path or only show the main part of the article. But then something called Android police spotted… I’m gonna just quote from Ron’s article if that’s ok. “Android Police spotted a post on the Chromium bug tracker announcing that Google is killing the idea. Back in June 2020 when the experiment was kicking off, Google engineer Emily Stark explained that the company was experimenting with a simplified URL display ‘to understand if it helps users identify malicious websites more accurately.’ It's a year later [as of writing], and Stark writes that the ‘simplified domain experiment’ will be deleted from the codebase, saying, ‘This experiment didn't move relevant security metrics, so we're not going to launch it.’” With a frowny face.

    So, there you go. That tells a lot I think about this, this idea that the Chrome team had that the URL should be minimized or maybe ultimately destroyed or ultimately replaced as a source of identity and that ultimately, they left that off a couple years ago for the simple reason that it was ineffective.

  • Jason Soroko

    By ineffective it sounded like, according to the quote – what was it? It was a tweet or something. I don’t know what it was here but I’m looking right at that quote as well. It looks like it was, you know, it was saying with the word security metric so, obviously, they are measuring some sort of security metric and presumably, do customers of Chrome, users of Chrome understand what site they are on? Are there different ways of flashing up warnings to users when they are on a known bad site? I don’t know what the metrics were but I’m presuming that getting rid of the address bar completely is not something they had figured out how to improve security.

  • Tim Callan

    I have paid a bit of attention to what the Chrome UX team does with their public communications, and they act a lot like academics do in that they publish papers and sometimes they put those papers in the same places that you would see pure academic research. They also give talks. They give talks at conferences and things, and I’ve actually had the opportunity to see Emily Stark present. I’ve had the opportunity to see some other people on that team present and I’ve read a decent number of these papers when they come out. So this is me just kind of summarizing. Forgive me if I don’t get everything quite right, but it’s the impression I got is what they always go back to is we have this absolutely massive end value dataset which is the huge number of people who use Chrome, and even if a small percentage of people wind up in a Chrome test cell, that’s still just a very, very, very large number. With this large N value, we believe we can tell you with a great deal of confidence that A works better than B, essentially. So think about it as the same methodology as an AB split test or a multivariate test where they are going to actually present different interface conventions to different sets of users and they are gonna measure the aggregated behavior of those sets of users and then based on that, they are gonna draw conclusions about which interface is more effective in accomplishing the goals that they as a team have set that they want to accomplish. In that way, at least from the pragmatic perspective if I am going to decide which UX decisions are doing the things that I want my software that I control to do, in that way I think that’s very sound methodology.

    Making the leap to treat this like an objective piece of research by a pure academic researcher, there might be a little bit of hair on that. That’s something that we might want to think about and it tends to be presented - - the body English and the presentation is almost like these are extrapolatable facts that we can treat like any other research. I think we could get in debates about well, it’s your interface and you are trying to do something specific and that specific thing is based on your agenda as a company, not based on overall scientific knowledge and so there might be some ways that that’s imperfect. But that’s how they present themselves and what they are trying to accomplish. So, I have to guess that that was the fundamental methodology here. I am not aware of something that says if it was or it wasn’t. But that’s the basic idea. They had some set of browser users who saw a URL, and some set of browser users saw a truncated URL, and then they had some method that they believed indicated that behavior would be different between those two groups. I’m not sure what that would be. And it didn’t occur.

  • Jason Soroko

    It’s all cool. To me it sounds like the fox guarding the hen house and what I’d like to tell Google is, look, that’s great. Do whatever you like. It’s your business but I’m not working with a browser that doesn’t have an address bar. That’s the end of it.

  • Tim Callan

    (laugh) Jason. Well, apparently, other people aren’t either because it looks like they left this particular effort off. So, I think this was an effort that was not successful for them and, again, what are the sum composite total set of objectives they have? You know, that’s not clear and they are not gonna share that. They talk a little bit about security for the user and I appreciate that. You know, Chrome is very interested in promoting a secure web because that way more people use it, and that means more people use Google, and more people use their search, and they get more paid search. I understand why all of that is built in, but that doesn’t mean that there can’t be very specific objectives that Chrome has that are specific to Google and its intentions and its desires, and the Chrome browser would be a very powerful tool for Google trying to bring about a global web environment that was advantageous to its other initiatives or the sum total of its initiatives as a company. I could absolutely see Chrome being pointed at that and also could absolutely see that being something that they decide not to go out and proactively publish in academic journals and to display on stage in UX or academic kind of environments. So, in that regard, how much of the picture are we getting? Nobody who doesn’t work for Google is ever really gonna know.

  • Jason Soroko

    Wow. I’ve actually for realsees been in the business of publishing peer reviewed academic journal articles and I could tell you that quite often your stuff wasn’t fully respected until a completely independent group of people did the same of work and came to the same conclusion.

  • Tim Callan

    That’s a valid point. There is not really a concept of reproduction of this research. Like, it’s not possible for anybody who isn’t at the controls of Google Chrome to actually reproduce this research and in that sense, it can’t really be pure. It can’t be equivalent to pure peer review research. But that’s also probably not what Google is after, right? What Google is probably after is - and again, this is just me speculating – is some amount of giving back. I’m sure there is a giving back aspect to it, which is to say, hey, we are learning things; we are gonna tell the community the things we learned because that way other people can act on it, and that’s probably built in. I bet you also, though, there is a PR aspect to this, which is we want the public to think in certain ways about browsers or about elements of browsers or about us as a company. We want to be viewed as good guys not bad guys, and this all ties into those initiatives as well. Again, none of us can really know. This is just me saying what I imagine, but I bet you that that second one is the larger of those two.

  • Jason Soroko

    I think understanding people’s motivations is the key. Whenever people are putting on a lab coat these days to posture, look, I’m doing things the right way, I think you can take all of that with a grain of salt. It may be for the good; it may not be. I think understanding the motivations is clear and the motivation is absolutely they want to maintain and grow their search business and I think that it’s not hard to imagine that one thing they have probably studied very intensively is user behavior within Chrome. They probably know that - - I think I said it on that last podcast. I’ve actually witnessed people do things that I just don’t do myself which is when they want to go to a website, they really think of the Google search box as being the place to navigate to the websites that they want to get to instead of typing Facebook.com, they will type Facebook into the address bar, wait for that searched link to come up, you know, along with all the Google advertising that comes with it and they will happily click on that. They know that behavior. If I’m working for Google I would want to change people’s behavior to be, hey, your internet experience is Google search.

  • Tim Callan

    Sure.

  • Jason Soroko

    You don’t really think outside of it.

  • Tim Callan

    You can see the direct dotted line from that to increasing or preserving Google’s cash cow. That makes perfect sense and you can see the direct dotted line to Chrome existing at all and preserving Google’s cash cow, right? Partly by making a better quality browser that’s safer and works better for people and therefore, causes people to use the internet more or to keep using the internet. I get that, and the fact that that’s an initiative that serves Google’s interests doesn’t mean that it’s a bad initiative. It probably isn’t. Like, make a better browser is a good thing and I’m all in favor of it and whoever makes the money at the end of the day, I’m all in favor of that as an initiative. And also at the same time, you do think why are these papers and presentations and stuff out there? That’s ultimately as a PR exercise. This is them trying to influence human thinking rather than simply making the best possible product. And so, there is an aspect of that that’s visibly built into all of this as well. It’s just good to know it’s all going on. They are a normal company with the normal mix of motivations that drive company behavior.

  • Jason Soroko

    For sure. It’s all good. I think, you know, it comes under buyer beware. I think when it comes to browsing, there is such a tremendous amount of apathy around how the tool works and people seem to be very, very happy to be influenced by whatever forces that are there that - - Google knows this and they are gonna capitalize on that apathy. They are gonna capitalize on the fact that people don’t really think about this and, you know, the levels of critical thinking around what people use for their technologies is probably hovering around zero or less. They will capitalize. They are capitalizing. That’s why they are worth the billions that they are.

  • Tim Callan

    They sure are. Alright. So, anyway, we speculated – you and I, just idly speculated whether we would get around to researching this, and we actually did. So, we thought, at that point, why don’t we go back and give the users an update. So, that’s a brief history of Chrome and the URL and today, the URL seems to be alive and well and we can’t promise what will happen tomorrow, but if anything major happens to the URL, we will come back and we will tell you about it.

  • Jason Soroko

    Tim, you know, just a final note for the listener on this, it has to do with we bring up address bar issues a lot on this podcast. You know, it’s a recurring topic and just wanted to reinforce some of the reasons why, and it is because the address bar used to be a clear place where certificates, SSL certificates, PKI, etc., you know, identity, these kinds of concepts were in the past part of the UI elements of a browser and usually expressed through the address bar. What we are now seeing is, with that lock being removed was just about the final nail in the coffin of any sort of upfront, without-any-click, visible, UI element of that world. So, we have witnessed the end of it almost completely. You could still look up the certificate information. You gotta dig for it but it is there. It’s a couple clicks away.

  • Tim Callan

    You do still see https I’m pretty sure.

  • Jason Soroko

    You do in other browsers. You do.

  • Tim Callan

    I’m just gonna check right now. Maybe not.

  • Jason Soroko

    Right now, just happen to be using Microsoft Edge, which is of course, Chromium, and I see it.

  • Tim Callan

    You don’t. I just opened up Chrome. You don’t see https. That is not there.

  • Jason Soroko

    Right. It is there in Chrome and it is there in other browsers. Chrome is in the leading edge of hiding as many of the address bar elements as possible. They are definitely in the lead.

  • Tim Callan

    So, yeah. You are right. Once the lock icon goes away from Chrome, that will be all those original aspects of indication of SSL will be gone. Of course, you will still know that SSL is there because you are not being roadblocked. You’ll be able to get there at all, but that will be a little bit of a bookend or a little bit of a punctuation mark on this long process of the switchover that we discussed in episode 300 of moving from indicating that security is present to assuming that security is present and indicating when it’s not. And that multi-year program that they’ve been on, it feels like taking this lock away is sort of like the very - - it’s just the period at the end of that sentence.

  • Jason Soroko

    Well, Tim. There you go. I don’t know - - this is not the eulogy. It’s merely the reporting of it. Hey, and when Google wants you to put a chip in your head to be able to access the internet at all, we will report on that too.

  • Tim Callan

    And then we’d all be IoT devices. Wouldn’t that be exciting.

  • Jason Soroko

    Oh, I can’t wait.

  • Tim Callan

    We will all be things.

Root Causes - A PKI & Security Podcast

About Root Causes

Tim Callan and Jason Soroko explore the issues surrounding digital identity, PKI, and cryptographic connections in today's dynamic and evolving computing world.

View All Root Causes