[MacTUG] Safari in Yosemite method of displaying URL's provides some security benefit

Tue Nov 11 09:19:04 EST 2014

Apparently the new approach of Safari in Yosemite of showing only the server’s address in the URL display provides some additional security benefits.

The following is from http://www.macworld.com/article/2844939/three-key-things-to-know-about-yosemite-and-security.html#tk.rss_all

Yes, you can change Safari's new URL display in Yosemite—but here’s why you might not want to

You may have noticed a change in the way Safari displays web addresses in Yosemite. If you don’t like it, you’re certainly not alone—our own Kirk McElhearn<http://www.macworld.com/article/2837075/how-to-fix-the-four-most-annoying-quirks-of-yosemite.html?%23tk.out_mod?=obinsite>dubbed it one of Yosemite’s most annoying quirks. You may even be considering changing it back to the old behavior. It’s certainly easy enough to do (and I’ll even tell you how shortly), but before you jump on the give-me-back-my-full-web-address bandwagon, allow me to suggest that you leave things just the way they are.

Prior to Yosemite, Safari (and most other web browsers) displayed a web page’s full URL—or at least as much of it as would fit in the address field. Beginning with iOS 7 (and continuing with Yosemite), Apple showed only the domain of the web page. In other words, if you visited www.apple.com/mac<http://www.apple.com/mac> or apple.com/iphone<http://apple.com/iphone>, both would appear simply as apple.com<http://apple.com> in Safari’s address field.

It’s easy to assume that Apple altered the URL display solely because it liked the cleaner look. But the change also carries a security benefit, and aesthetics aside, that’s why you might want to leave things just as Apple intended.

Say what you will about hackers, phishers, and other seedy denizens of the Internet, they can be a clever bunch. For one thing, they figured out that people were used to incredibly long, server-generated URLs, and stopped paying much attention to what appeared in the address field. They took advantage of this by creating intentionally long and convoluted addresses that spill out the back of the visible address field so that you can’t see the real domain appended at the end. That .com you see early in the address may have another dot to the right, rather than a forward slash, which means that first whatever.com<http://whatever.com> is bogus.

Apple’s new display method cuts through all the clutter and shows us the real domain—front and center and stripped of all misdirection.

It’s also worth noting that when you’re on a legitimate, secure site, even the padlock indicator shares center stage with the domain name, arguably making it even more noticeable than in previous iterations.

So, before you revert back to that pre-Yosemite display, consider that it might be doing you a favor. And bear in mind that if you want to see the full URL in Yosemite, simply click in the address field and you’ll see your web page’s full URL in all its geeky, near-infinitely-long glory.

If you’re still not convinced, open Safari’s preferences, select Advanced, and enable the Show full website address option near the top of the window.

Glenn Anderson
IST
University of Waterloo
518-888-4567 x33327

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.uwaterloo.ca/pipermail/mactug/attachments/20141111/89fc47a6/attachment.html>