Google is testing domain-only URLs in Chrome to help foil scams and phishing
Google is experimenting with showing domain names only in Chrome’s address bar instead of full URLs. The feature will be tested in the upcoming Chrome 86 release, with Google hoping the change could protect users against scams and phishing attacks using misleading URLs.
Domain names and URLs are one of the most basic forms of web security we have, letting us quickly know where we are online. Sometimes, though, they can be used to mislead. Hackers and scammers often create fake websites that look plausible by using URLs with typos (twittter.com), unfamiliar subdomains (yourbank.sign-in.info) or hyphenated domains (secure-gmail.com). Unsuspecting users then visit these URLs thinking they belong to legitimate companies before being tricked into giving away their credentials.
Some browsers like Safari show only a URL’s domain name in the address bar, partly because it looks cleaner, but also because it makes some of these scams more obvious. If you’re used to seeing facebook.com in your address bar and your browser suddenly shows facebook.com.money.biz.scam.inc instead, you’ll (hopefully) get suspicious.
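To make the idea concrete, here is an added example (not from Google or Chrome's code) that reduces each of the URLs mentioned above to its registrable domain and reports which of the three tricks it matches. The suffix set and the allowlist of expected domains are constructed assumptions; a real implementation would use the full Public Suffix List.

```javascript
// Added example. SUFFIXES is a tiny constructed stand-in for the Public Suffix List;
// KNOWN is a hypothetical allowlist of domains the user expects to see.
const SUFFIXES = new Set(["com", "info", "biz", "inc", "co.uk"]);
const KNOWN = ["twitter.com", "facebook.com", "gmail.com", "yourbank.com"];

// Registrable domain = public suffix plus one label to its left.
function registrableDomain(url) {
  const labels = new URL(url).hostname.toLowerCase().split(".");
  // Ascending i tries the longest candidate suffix first, so "co.uk" beats "uk".
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) return labels.slice(i - 1).join(".");
  }
  return labels.join("."); // unknown suffix: show the whole host
}

// Levenshtein distance, used to spot one- or two-character typos.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns what a domain-only address bar would show, plus why it looks deceptive.
function classify(url) {
  const host = new URL(url).hostname.toLowerCase();
  const shown = registrableDomain(url);
  const reasons = [];
  if (KNOWN.includes(shown)) return { shown, reasons };
  // Labels to the left of the registrable domain, which the elided display hides.
  const hidden = host.slice(0, host.length - shown.length).split(".");
  for (const good of KNOWN) {
    const brand = good.split(".")[0];
    if (editDistance(shown, good) <= 2) reasons.push(`typo of ${good}`);
    if (hidden.includes(brand)) reasons.push(`${brand} only in subdomain`);
    if (shown.split(".")[0].split("-").includes(brand)) {
      reasons.push(`${brand} in hyphenated domain`);
    }
  }
  return { shown, reasons };
}
```

Calling `classify("https://facebook.com.money.biz.scam.inc/")` reports `scam.inc` as the displayed domain, which is the part an attacker cannot dress up with a familiar brand name.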
Google says the new domain-only feature will be shown to a random subset of users in Chrome version 86. The company wants to see if the change “helps users realize they’re visiting a malicious website, and protects them from phishing and social engineering attacks.” If it does, we can probably expect it to become a permanent feature in the future.
If you’re not enrolled in the experiment but want to see what it looks like, you can download Chrome 86 via the canary or dev channels, open chrome://flags, enable the following flags, #omnibox-ui-reveal-steady-state-url-path-query-and-ref-on-hover and #omnibox-ui-sometimes-elide-to-registrable-domain, and relaunch Chrome to test it out. Chrome 86 isn’t expected as a stable release until October.