• ricecake@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    16
    ·
    19 hours ago

    Chromes decision actually makes a lot of sense, from a security perspective. When we model how people read URLs, they tend to be “lazy” and accept two URLs as equal if they’re similar enough. Removing or taking focus away from less critical parts makes users focus more on the part that matters and helps reduce phishing. It’s easier to miss problems with https://www.bankotamerica.com/login_new/existing/login_portal.asp?etc=etc&etc=etc than it is with bankotamerica, with the com in a subdued grey and the path and subdomain hidden until you click in the address bar.
    It’s the same reason why they ended up moving away from the lock icon. Certs are easy to get now, and every piece that matches makes it more likely for a user to skip a warning sign.