Chrome's Killing 'WWW' in Address Bar — And That's Bad

Senior editor, security and privacy

[UPDATED Sept. 19 with news that Google no longer hides "www" or "m" in Chrome 69, but will hide "www" again beginning with Chrome 70.]

[UPDATED with clarification that domain names can't ever be registered by two different entities. That was our misunderstanding. It should have been obvious, and we apologize. Thanks to the commenters and tweeters who pointed it out.]

The latest version of the Google Chrome browser strips out "www" and "m" from web addresses. Google considers those URL elements, or subdomains, "trivial," but this change might make it easier for fraudsters, thieves and malware to fool you with fake websites.

Credit: Evan Lorne/Shutterstock

"This is a dumb change. No part of a domain should be considered 'trivial,'" wrote one commenter to the official Chromium developers' bug forum. "As an ISP, we often have to go to great lengths to teach users that 'www.domain.com' and 'domain.com' are two different domains, and that they may not necessarily go to the same destination."

A bad guy could put up a phony website at "yourbank.com" with an identical look and feel to the legitimate website "www.yourbank.com". If you're using Chrome 69 or later, you wouldn't be able to tell the difference. [Correction: The bad guy would have to break into the YourBank.com servers to do anything like this.]

To take an extreme example cited in the forum, "www.m.www.m.example.com" displays as "example.com" in Chrome 69. It shouldn't.

You can still temporarily view the full URL in Chrome by clicking your mouse pointer inside the address bar, as if you were going to edit the URL. You can make the full URL display all the time by going to chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains and changing the default to "Disabled."
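The display behaviour described above, modelled as an added example (not Chromium's code and not from the article): it assumes leading labels are stripped repeatedly, which reproduces the "www.m.www.m.example.com" case, and reports which hostnames in a constructed inventory become indistinguishable under the Chrome 69 rule and the "www"-only rule planned for Chrome 70. The function names and sample hosts are hypothetical.

```javascript
// Added example: models the elision reported in the article; not Chromium's code.
// Assumption: leading labels in the "trivial" set are stripped repeatedly,
// which reproduces "www.m.www.m.example.com" -> "example.com".
const CHROME_69 = new Set(["www", "m"]); // labels hidden in Chrome 69
const CHROME_70 = new Set(["www"]);      // adjusted rule planned for Chrome 70

// Return the host as it would appear in the steady-state address bar.
function displayedHost(host, trivial) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // Assumption: always keep at least two labels (no public-suffix lookup here).
  while (labels.length > 2 && trivial.has(labels[0])) {
    labels.shift();
  }
  return labels.join(".");
}

// Group hosts by displayed form and return only the groups in which two or
// more distinct hosts look identical to the user.
function findDisplayCollisions(hosts, trivial) {
  const groups = new Map();
  for (const host of new Set(hosts.map((h) => h.toLowerCase()))) {
    const shown = displayedHost(host, trivial);
    if (!groups.has(shown)) groups.set(shown, []);
    groups.get(shown).push(host);
  }
  const collisions = {};
  for (const [shown, members] of groups) {
    if (members.length > 1) collisions[shown] = members.sort();
  }
  return collisions;
}

// Constructed inventory of hostnames a site operator might serve.
const SAMPLE_HOSTS = [
  "example.com",
  "www.example.com",
  "m.example.com",
  "www.m.www.m.example.com",
  "shop.example.com",
  "www.shop.example.com",
];

console.log("Chrome 69 rule:", findDisplayCollisions(SAMPLE_HOSTS, CHROME_69));
console.log("Chrome 70 rule:", findDisplayCollisions(SAMPLE_HOSTS, CHROME_70));
```

An operator can run their own hostname inventory through `findDisplayCollisions` to see which hosts need to serve the same content, or redirect to one another, so that the shortened display is not misleading.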


As you can guess, "www" stands for "World Wide Web" and was originally used to distinguish websites from other servers and services reachable via HTTP (Hypertext Transfer Protocol). "M" stands for mobile and sends users to mobile-optimized versions of websites — compare "www.facebook.com" and "m.facebook.com".

Neither element is necessary for a web address to work, but plenty of website operators use one or the other. A good website operator should make sure that "mydomain.com" and "www.mydomain.com" resolve to the same place, but that isn't always the case.

As one commenter on the Chromium bug forum pointed out, "www.citibank.com.sg" is a legitimate site, but "citibank.com.sg" goes nowhere. It could be snatched up by a criminal. (Commenters' names are partly obscured on the Chromium blog, which is why we're not trying to identify them here.) (Correction: Probably not, because citibank.com.sg is the root domain name, so to speak, and adding www to the beginning would just create a new subdomain.)

Chrome is not the first browser to hide "www." Apple's Safari browser has been doing this for some time, both on desktop and mobile, but few people have complained because Apple always does its own thing.

A Chromium developer responded to the complaints by stating that the subdomains "disappear in the steady-state display case because this isn't information that most users need to concern themselves with in most cases."

"I think this is an OK tradeoff even in the rare case when www.foo.com is not actually the same as foo.com," that Chromium developer added.

On the Hacker News forums, the suspicion was that Google's next step would be to remove the "amp" prefix from mobile-optimized news stories that are hosted on Google's own servers, such as https://amp.tomsguide.com/us/mac-adblock-data-swipe,news-28006.html.

The AMP, or Accelerated Mobile Pages, initiative is controversial because while it makes news stories load very quickly on smartphones, it generally gives traffic clicks to Google, not the news sites. (Links from within those stories do go to their original servers.)

"They are going to hide amp subdomain, so you don't know if you're looking at AMP or the actual destination," noted one commenter on Hacker News. "And then suddenly the whole world funnels through AMP."

However, at least part of the decision is already being reversed.

"The stripping of the 'm.' host/subdomain on desktop platforms was confusing and problematic, I agree," said one Chromium developer. "It was reported in bug 875669 and fixed for Chrome 70."

Chrome 70 is scheduled to become the default version in mid-October.

UPDATE: In a posting Sept. 11 to the official Chromium bug forum, Emily Schechter, product manager of Chrome security, announced that "we have decided to roll back these changes in M69 on Chrome for Desktop and Android."

But don't get too attached to seeing "www" back in your browser bar. It's disappearing again in Chrome 70.

"In M70, we plan to re-ship an adjusted version: we will elide 'www' but not 'm,'" Schechter added. "We are not going to elide 'm' in M70 because we found large sites that have a user-controlled 'm' subdomain."

In other words, users can add "m" to URLs to get a different version of a website.

"There is more community consensus that sites should not allow the 'www' subdomain to be user controlled," Schechter wrote.

Few of the dozens of replies to her announcement were supportive.

"What problem does this solve exactly?" wrote one commenter. "I haven't seen a good reason for any of this."