Google Chrome

Google announced today that the lock icon, long thought to be a sign of website security and trustworthiness, will soon be replaced with a new icon that doesn’t imply that a site is secure or should be trusted.

While first introduced to show that a website was using HTTPS encryption to encrypt connections, the lock symbol is no longer needed given that more than 99% of all web pages are now loaded in Google Chrome over HTTPS.

These also include websites used as landing pages in phishing attacks or for other malicious purposes, designed to take advantage of the lock icon to trick targets into thinking they're safe from attacks.

"This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon," Google said.

"Misunderstandings are so pervasive that many organizations, including the FBI, publish explicit guidance that the lock icon is not an indicator of website safety."

The lock icon will be replaced in Chrome 117 with a "variant of the tune icon," a user interface element commonly linked to app settings and designed to show that it's a clickable item.

New Google Chrome 'tune' icon (BleepingComputer)

However, it will not be removed entirely as Google will continue to show the lock in the 'tune' submenu when website connections are secure, as shown in the screenshot above.

This move was first announced almost two years ago, in August 2021, when the company revealed that secure website indicators are no longer needed and would be removed from Google Chrome's address bar since over 90% of connections are made over HTTPS.

Percentage of pages loaded over HTTPS in Chrome (Google)

"When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS. Today, this is no longer true, and HTTPS is the norm, not the exception, and we've been evolving Chrome accordingly," Google said.

"The new icon is scheduled to launch in Chrome 117, which releases in early September 2023, as part of a general design refresh for desktop platforms."

The lock icon will also be replaced in Google Chrome for Android in September, but it will be removed from iOS given that it cannot be tapped and it's only displayed to convey additional information about the loaded website.

It's worth noting that Google Chrome will continue to alert users of insecure plaintext HTTP connections on all platforms.

How to test the new Chrome tune icon

Those who want to test the lock icon replacement can enable it in Chrome Canary using the following instructions.

  1. Enter chrome://flags in the address bar and hit ENTER.
  2. Search for 'chrome-refresh-2023'
  3. When the 'Chrome Refresh 2023' flag is shown, click 'Default' and select 'Enabled.'
  4. Relaunch the browser when prompted to get the refreshed Chrome Desktop user interface.

As Google warned today, this feature is still under active development, does not reflect the final product, and bugs are expected.
