27 September 2023

Sign of the times: Are URLs on the way out?


Ariel Bogle* says a URL helps navigate between websites, but there is a growing group who thinks the URL is increasingly complicated and too easily compromised.


Asked about his regrets in 2009, internet pioneer Tim Berners-Lee told The New York Times he would get rid of the double slash “//” after the “http:” in web addresses.

Almost one decade later, he is not the only one having second thoughts about the Uniform Resource Locator, better known as the URL.

This familiar band of characters in your web browser helps you navigate between websites without having to worry about the complex requests occurring beneath the surface.

But there is a growing group who thinks the URL is increasingly complicated and too easily compromised.

Engineering Manager of Google’s Chrome browser, Adrienne Porter Felt, recently sparked a Twitter firestorm when she told Wired the company was giving the display of the URL a significant rethink.

“They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity,” she said.

Parisa Tabriz, Director of Engineering at Chrome, told Wired will be controversial.

“But it’s important we do something, because everyone is unsatisfied by URLs,” she said.

“They kind of suck.”

Twitter critics saw the move as an attempt by the technology giant to further control the internet, but the debate raises some important questions.

Do you need to show all the URL or just a bit of it?

Do you need to show it at all?

What’s wrong with the URL?

To understand the URL’s shortcomings, you need to know what it means.

You can break it down into three parts:

http://:

This is the scheme. Typically, you’ll see either http:// or https:// in a URL.

Standing for Hypertext Transfer Protocol, HTTP underpins the web by carrying the communication between clients, such as web browsers, and the servers that host websites.

Hypertext Transfer Protocol Secure (HTTPS) is the secure, encrypted version of HTTP.

www.abc.net.au:

This is the host. It tells you the identity of the website you’ve navigated to.

news/science:

This path tells you the content and site location of the page you’re on.

A key argument for showing internet users the whole URL is that, if they take the time to look, it can keep them from ending up in the wrong place.

If you’re looking for the Australian Broadcasting Corporation website, for example, the lack of “.au” is one clue that https://www.abc.com is the wrong place.

It can also help ensure you avoid dodgy pages that impersonate popular websites, but this is where problems arise.

For one, URLs can be increasingly long and messy, with plenty of room for misdirection.

Just look at this version of the URL for ABC Science’s Facebook page: “https://www.facebook.com/ABCScience/?fb_dtsg_ag=Adwhjwq-AJ-WrFo4kSBG7xzgGyKfQqtaUTTr-bmmxYFwew%3AAdxrLRK5gUwk21yjVMMxnemsAmrYbexNEY6Hq0K9dCEdZQ”

Or consider a very simple scam: someone could try to combine an “r” and an “n” so it looks like an “m” — sending you somewhere other than Medium.com, for example.
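The three-part breakdown and the “rn” for “m” lookalike described above can be checked in code rather than by eye. The sketch below is an added example, not part of the original article: TRUSTED_HOSTS, CONFUSABLES, skeleton and checkUrl are hypothetical names, and the sample hosts are constructed from the article's own examples.

```javascript
// Added example: hosts a user expects to visit (constructed allowlist).
const TRUSTED_HOSTS = ["www.abc.net.au", "medium.com", "www.facebook.com"];

// Letter sequences that read alike at a glance, folded to one form.
// Holds only the pair the article mentions; extend the table as needed.
const CONFUSABLES = [[/rn/g, "m"]];

// Reduce a host name to its "visual skeleton" for comparison.
function skeleton(host) {
  let s = host.toLowerCase();
  for (const [pattern, replacement] of CONFUSABLES) {
    s = s.replace(pattern, replacement);
  }
  return s;
}

// Split a URL into scheme, host, path and query, then judge the host only.
// The scheme, path and query play no part in the verdict: a long or
// reassuring-looking path does not change which site you are talking to,
// and "https" says nothing about who runs the site.
function checkUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { verdict: "invalid" };
  }
  const parts = {
    scheme: url.protocol.slice(0, -1), // "https:" -> "https"
    host: url.hostname,
    path: url.pathname,
    query: url.search,
  };
  if (TRUSTED_HOSTS.includes(parts.host)) {
    return { verdict: "trusted", ...parts };
  }
  // Not an exact match: does it merely *look* like a trusted host?
  const imitated = TRUSTED_HOSTS.find((t) => skeleton(t) === skeleton(parts.host));
  if (imitated) {
    return { verdict: "lookalike", imitates: imitated, ...parts };
  }
  return { verdict: "unknown", ...parts };
}
```

A host that differs from a trusted one only by the folded letters comes back as “lookalike” even when its scheme is https, while https://www.abc.com is simply “unknown” because its host is not on the list.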

Security expert Troy Hunt, who runs the site Why No HTTPS? among other projects, said people who are technology savvy can lose sight of the very real problems with the URL.

We’re relying on people to look at a URL to judge the safety of a site, he explained, but is that a fair expectation?

It used to be that you could see a padlock and HTTPS in the top left corner of your browser and feel confident the site was a good one.

According to Mr Hunt, that famous padlock doesn’t mean as much when an increasing number of sites — good and bad — are encrypted.

“Encryption is morally neutral,” he said.

“We’ve got all these nasty sites that are using encryption who create a veneer of authenticity, yet obviously are not legitimate.”

Ian Muir, Managing Director of IDM Design Labs, said many non-technical internet users would see the URL as “hieroglyphics” rather than easily readable.

“Why do you need a colon?” he asked.

“Why does it have two backslashes?”

What could change about the URL?

Mr Hunt said the premise of Google’s argument — that there may be a better way of representing who is who online and who is safe — is a good one.

Browsers like Chrome and Firefox have already made changes to the way a URL is displayed.

For a while now, they have shown the aforementioned lock in the URL bar when the website is secure.

Asked about its response to Google’s URL project, Mozilla spokesperson Justin O’Kelly said URLs are hard for users to understand and that they open phishing vectors.

“We are happy to participate in discussions with other browser vendors on how we can improve the user experience for all web users,” he said.

“We have no immediate plans to make changes in this area in Firefox.”

As part of upcoming Chrome updates, Google also flagged plans to drop the word “Secure” and instead display “Not secure” in red when you visit an HTTP site.

(It’s also started hiding the WWW., which upset some people.)

And that seems to be a trend: increasingly, browsers will tell you when something’s wrong, rather than when it is right.

To keep humans paying attention, that may be a good idea.

Ben Ennis Butler, a University of Canberra lecturer who researches digital interfaces, said design cues like that padlock are vital.

“It’s one of those things that just merges into your whole browsing experience, so maybe when you say it’s not secure and it’s red, that will stand out,” he said.

In any case, many people rarely see a URL — especially as they navigate the internet over smartphone or tablet apps.

The need for a visible URL may also be reduced if search is powerful, Dr Ennis Butler suggested.

“It’s a very interesting design question,” he said.

“Does it have a purpose?”

“If … the search engine is effective, or maybe you’re getting information through Twitter, Facebook or wherever, then maybe you don’t need it.”

Mr Muir suggested that for a radical new URL display to work, it would still need to fit three criteria: be secure, able to convey that security in a meaningful way to humans, and to build its reputation as a reliable symbol.

“I think it’s a good thing to be constantly thinking about it: what are the ways around this?”

“What are the scams and tricks?”

* Ariel Bogle is the online technology reporter in the ABC RN science unit. She tweets at @arielbogle.

This article first appeared at www.abc.net.au.
