Looks like there are some unexpected knock-on effects from changes to how Chrome 69 handles URLs: bugs.chromium.org/p/chromium/i

Aside from opening up impersonation attacks that didn’t exist before, it’s buggy too! www.example.www.example.com/ is displayed as example.example.com, which is… not accurate.


Another interesting, clearly wrong behaviour: the “m.” prefix is stripped along with “www.” There’s a weaker consensus that “m.example.com” is the same thing as “example.com”, and obtaining that subdomain on a given site is much easier.

For example, m.tumblr.com is a user’s blog. It’s NOT the mobile version of tumblr.com. But Chrome displays “m.tumblr.com” as “tumblr.com”, which could allow that blog’s owner to impersonate the main site.

OK, I think I know why this is now. Jessica pointed out that the main m. domain she goes to is Wikipedia, which is en.m.wikipedia.org . Chrome probably intended to strip m. in that case, and overzealously transforms the domain.

Personally, to me, this indicates why this is a problem!! If you’re starting to strip out domains in the middle of a chain you’re setting the stage for Bad Things to happen.



@noelle @oolongstains Although, I've seen a reasonable argument that these might just be separate-but-related initiatives?, and this is just REALLY bad timing?
Which still means "I don't trust Google", but like this might not have been THAT team specifically's fault.

@oolongstains Yeah this strikes me as an all around Bad Idea. I can appreciate the good intentions behind it but at the end of the day a web browser disguising some URLs as other URLs is always going to end poorly.

Just yesterday I tried to send someone a link from the Best Buy site I saw on my phone. I stripped out the "m." and it 404'd. I put it back and it gave me the full desktop site.

The internet isn't as predictable as we'd like to think.

@oolongstains somebody on lobsters pointed out that the owner of www.com could then impersonate any dotcom, which is brutal
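
The display behaviour discussed in this thread, as an added example that is not part of the original posts and is not Chrome's code. It assumes the "trivial" labels are `www` and `m` and that they are dropped wherever they appear in the host; the function names and the `example.www.com` host are constructed for illustration.

```javascript
// Model of the elision described in the thread (an assumption, not Chrome's source):
// the labels "www" and "m" are removed wherever they appear in the hostname.
const TRIVIAL_LABELS = new Set(["www", "m"]);

function elideAnywhere(host) {
  return host.toLowerCase().split(".")
    .filter((label) => !TRIVIAL_LABELS.has(label))
    .join(".");
}

// Narrower rule for comparison: drop one leading "www." only, and never
// when that would leave a single label (so "www.com" stays "www.com").
function elideLeadingWww(host) {
  const h = host.toLowerCase();
  return h.startsWith("www.") && h.split(".").length > 2 ? h.slice(4) : h;
}

// Report what a given elision rule would show for a host, and whether the
// shown name is a different hostname from the real one. Only a single
// leading "www." is treated as equivalent to the bare name.
function auditDisplay(host, elide) {
  const real = host.toLowerCase();
  const shown = elide(real);
  const showsDifferentHost = shown !== real && shown !== elideLeadingWww(real);
  return { real, shown, showsDifferentHost };
}

// Hosts mentioned in the thread, plus one constructed host under www.com.
const SAMPLE_HOSTS = [
  "www.example.com",
  "www.example.www.example.com",
  "m.tumblr.com",
  "en.m.wikipedia.org",
  "example.www.com", // constructed
];

for (const host of SAMPLE_HOSTS) {
  const broad = auditDisplay(host, elideAnywhere);
  const narrow = auditDisplay(host, elideLeadingWww);
  console.log(
    `${host}: anywhere -> ${broad.shown} (different host: ${broad.showsDifferentHost}), ` +
    `leading www only -> ${narrow.shown} (different host: ${narrow.showsDifferentHost})`
  );
}
```

Under the narrower rule none of the sample hosts is shown as a different hostname; under the broad rule every one except `www.example.com` is.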
