Google will retire Chrome’s HTTPS padlock icon because no one knows what it means

  News
image_pdfimage_print
Illustration of a padlock over a computer-chip circuit board.

One of the biggest advances in web security over the last decade or so is the proliferation of secure, encrypted HTTPS connections. Once the purview of shopping and banking sites, HTTPS connections have become the norm rather than the exception, keeping more of your credentials and data safe from being intercepted even when you’re on public or insecure networks.

Browsers going all the way back to Internet Explorer have used a small padlock icon to denote that a connection is using HTTPS. But according to the team behind the Chromium browser engine, most people still don’t know what that padlock icon actually means. Because of that confusion and because HTTPS is now expected for most sites, Chromium will retire the padlock icon starting in Chrome 117, slated for release in September alongside a larger refresh of the Chrome interface.

“Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome,” reads a Chromium blog post from the Chrome security team.

The "Tune" icon will take the place of the padlock icon, giving access to various settings and status messages.
The “Tune” icon will take the place of the padlock icon, giving access to various settings and status messages.

In the desktop versions of Chrome, the padlock icon will be replaced by a “tune” icon—a couple of circles and a couple of lines meant to represent the toggle switches you encounter in many Settings screens. Clicking the Tune icon will still give you extra information about the site’s HTTPS certificate, plus a few other site-specific settings like those for notifications and location sharing. These are all things you can access by clicking the padlock icon in current versions of Chrome—so the lock icon will change, but the menu’s functionality will stay the same.

“Our research has also shown that many users never understood that clicking the lock icon showed important information and controls,” the blog post continues. “We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.”

The Chromium team says that Chrome will continue to alert users in the address bar when a site isn’t using HTTPS. Chrome for Android will also get the new Tune icon, while Chrome for iOS and iPadOS will simply eliminate the current non-clickable padlock icon.

This change is especially important because of the Chromium engine’s current dominance; Chrome accounts for about two-thirds of all Internet usage, and including Chromium-based browsers like Microsoft Edge and Opera brings the total closer to 80 percent. For better or worse, Google’s changes tend to become the default for other browsers. We’d expect most Chromium-based browsers, plus alternatives like Safari and Firefox, to make similar changes in the near future.

https://arstechnica.com/?p=1936328