Saturday, 31 May 2014

Chrome origin chip


A lot of posts have been made about Chrome adding in what they're calling the "origin chip," which hides the whole URL from the user except the top level domain (TLD) which is the first time I know of that a desktop browser has done this. You can get the whole URL back by clicking the origin chip.

This was first introduced in Chrome Canary (v36 I think?) but is now in the main version too, it's not enabled by default though in either version so you'll have to go enable it yourself if you want to try it out, see the bottom of this post for instructions on how to do that.

Why the change

There are two big reasons I can think of to do this, to help prevent phishing attacks & help drive search traffic for them.

How will it stop phishing attacks?

Really good phishing attacks can be very convincing, they pick URLs which very closely match the real URL and with a quick glance the user cannot tell you're actually at a different domain Jake Archibald has a good example of this with the Halifax website, a British bank. With this new origin chip it would be really easy to spot that you're not on your banks real website once users knew what the origin chip was and represented.

Although I'm a bit sceptical that this will actually make phishing attacks any less likely for quite some time as I'm not sure that most users will actually understand what the origin chip is or how to spot a genuine or phishing URL, even though it would be easy to spot not everyone will know what to look for in the change.

How does it drive traffic to Google?

Well as the URL will no longer be displayed and now it just says "Search Google or type URL" all the time it may well encourage more searches, I cannot say that will actually be the case but I'm fairly certain Google would have made this change primarily to try & drive search traffic as that's their core business.

Is this a good thing?

I really have no idea, from what people are saying on the Internet it sounds good as it'll hopefully help prevent phishing attacks in the future (with the caveat I mentioned above) and that the URL isn't really needed to be displayed anyway. On the other hand I can't see any good reason to get rid of the URL other that the phishing reason but even then I'm not sure how helpful it is.

I hope Google do some user testing on this before pressing a head with it and putting it out to the masses or that someone else does as I'd be interested to read the research.

A bit of history

For those who don't know Google seem to have been playing around with the URL for quite some time, turning the URL box into an omnibox for both URL entry & search, before this browsers had a separate box for each then greying everything out after the TLD to make it more prominent and at one stage there was an option to hide the URL bar all together and just have it as a popup, I think why you hovered over a tab to make it appear? I can''t remember exactly and can't spot the option any more but that one didn't ever make it to being enabled by default on the main version.

How to enable this

Open up Google Chrome and go to chrome://flags/#origin-chip-in-omnibox for the option.

Further reading