undefined | Better HN

0 pointsdwheeler5y ago0 comments

It is not just inconvenient, hiding or modifying URLs is a lie and is a security problem. Hiding part of the URL means that you don't really see what's going on, and that is the first step towards a security problem, not away from it.

0 comments

4 comments · 2 top-level

UncleMeat5y ago· 2 in thread

All of the TLS handshake configurations are hidden from your UI. It is hard to see "what's going on". You aren't shown a cert signature each time you request a page. Yet the lock icon doesn't get hate.

The non-domain information in a URL is useless for making security decisions for virtually 100% of users. If anything, it has negative utility since you can make URLs nearly arbitrarily confusing as part of a phishing attack.

saagarjha5y ago

I don’t understand, the lock icon gives you exactly the information you could want from that though? It tells you immediately if the site you are on is HTTPS, you don’t have to hover or anything. And if you want even more details (which is not something anyone does while they browse the internet, FWIW) you can also get that information too. This change hides the information that people actually expect that UI to have–that’s why there’s an option to in-hide it!

UncleMeat5y ago

What if I want more information? I want to know what TLS version both parties negotiated. I want to know who signed the cert and when it expires. Etc. etc.

The point is that "the UI should express everything a power user could ever want to know about some security-adjacent property" is not the status-quo and people should not act like it is. Dropping to just domains is like shifting from a big blob of text including a ton of request information to just the lock icon. It distills it to something that covers basically all the information you'd ever actually need and is comprehensible to typical users.

1 more reply

athenot5y ago

I agree. But I'm afraid Google's solution is going to be along the lines of showing a green mark for anything served from their own servers, with the subtle implication that anything else is less trustworthy.

j / k navigate · click thread line to collapse