Chrome HTTPS Lock Icon Is Going Away
Google Chrome’s address bar will get an updated security icon, replacing the old lock icon, to denote a security-neutral entry point to site controls
Chrome announced that it will soon transition the Chrome browser away from the lock icon that signals a secure HTTPS connection and introduce a more neutral icon that they believe will present a better user experience.
The reason for doing so is based on research that shows the current lock icon is unintentionally misleading and a security risk.
Why HTTPS Lock Icon Is Going Away
The lock icon is an artifact from a time when secure connections were the exception and not the norm.
Users could count on the green lock icon to remind them that a connection was secure.
It used to be commonly understood that only financial and ecommerce sites required a secure connection and that sites that didn’t conduct transactions didn’t need to have secure connections.
But the old attitudes changed when Google and other companies began encouraging publishers to transition to secure connections in order to enhance user privacy and safety.
Google eventually went so far as to make the secure HTTPS connection a ranking factor, which motivated holdouts who still insisted that HTTPS was pointless for non-ecommerce sites.
Chrome’s announcement explained:
“HTTPS was originally so rare that at one point, Internet Explorer popped up an alert to users to notify them that the connection was secured by HTTPS, reminiscent of the “Everything’s Okay” alarm from The Simpsons. When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS.
Today, this is no longer true, and HTTPS is the norm, not the exception, and we’ve been evolving Chrome accordingly.”
Lock Icon is Misleading
It may sound counterintuitive but Google’s research revealed that the lock icon misleads users into a false sense of security.
The lock icon does not mean that a site is safe. It only means that the connection is via a secure protocol.
Users incorrectly assume that the lock icon means the site is safe and therefore automatically trust the site they’re visiting.
That’s a potentially harmful perception because phishing and malware sites commonly display the lock icon.
Google’s research shows that consumers continue to associate the lock icon with safety.
“We redesigned the lock icon in 2016 after our research showed that many users misunderstood what the icon conveyed.
Despite our best efforts, our research in 2021 showed that only 11% of study participants correctly understood the precise meaning of the lock icon.
This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon.
Misunderstandings are so pervasive that many organizations, including the FBI, publish explicit guidance that the lock icon is not an indicator of website safety.”
Lock Icon De-emphasis
Chrome has been in a process of de-emphasizing the lock icon over the past five years, beginning in 2018 when they proposed changing the icon.
Previously there was a prominent word, Secure, written in green.
The proposal was to remove the word.
Here’s a screenshot from the Chrome blog post:
Removing the lock icon can be seen as a part of the natural evolution of the web and what users need.
New HTTPS Tune Icon
Google is updating the HTTPS icon in order to more accurately communicate the HTTPS status of a website as secure but without inadvertently implying safety.
The new icon is what is known as a tune icon.
Google Font shows these as examples of tune icons:
And this is the new icon that Chrome will feature:
Chrome’s statement explained the reasons for choosing a tune icon:
“We think the tune icon:
- Does not imply “trustworthy”
- Is more obviously clickable
- Is commonly associated with settings or other controls”
Chrome will continue to alert users when there’s an insecure connection.
The redesigned icon will premier in Chrome 117, currently scheduled to release in September 2023.
Chrome announced that the change is scheduled for both the desktop and Android versions of Chrome.
They will remove the icon entirely from the iOS version of Chrome because the icon cannot be tapped.