What is the padlock icon in Chrome?
For years now, the padlock icon has been the way that Google Chrome has communicated that a website is using secure HTTPS encryption. So, when users visited a website using the Chrome browser, they may or may not have noticed that small lock icon in the address bar. Either way, their impressions of that icon may have indicated a level of security and, for better or worse, safety.
In use since the early versions of Netscape in the 1990s, the lock icon was originally intended as a visual cue that the connection between the user's browser and the website was secure and could not be intercepted or monitored by outside parties. To be more specific, the lock icon was the way that users knew that a website was using HTTPS encryption to protect browser communications from being read or modified in transit over the Internet.
What does the padlock symbol on some websites mean?
The Chrome lock icon indicated that a web server was providing visiting browsers with a public key that was used to establish an encrypted connection for all subsequent data exchanges. However, receiving a working public key does not guarantee that the associated server is indeed owned by the legitimate subject, person, company or organization.
To prevent this type of manipulation, browsers would authenticate HTTPS servers using TLS/SSL certificates, which are digital documents that bind a public key to an individual website. To establish trust in this process, a trusted Certification Authority (CA) would verify the identity of the certificate owner, via automated and manual checks against qualified databases.
However, it’s important that we do not confuse security with safety in terms of the Chrome lock icon. Over the years, many users began to interpret this “secure” indicator as a sign that websites were safe to visit. But that was simply not always the case. It meant only that these websites were using encryption, not that they were safe to visit. In fact, cybercriminals very quickly found ways to misuse TLS certificates on phishing sites and other nefarious websites, so that the browser indicated HTTPS was in use (that the sites were “secure”) even though the content on those sites was anything but “safe” to visit.
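The distinction can be made concrete with the facts a browser actually checks before showing the lock. The following is an added example, not code from Chrome or from this article: it reads certificate fields in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, assumes the TLS library has already validated the chain to a trusted CA, and uses simplified name matching. The hostnames and the CA name are constructed.

```python
import ssl
from datetime import datetime, timezone

def _field(rdns, key):
    """Pull one attribute (e.g. organizationName) out of a subject/issuer."""
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def _matches(hostname, pattern):
    """Exact match, or one left-most wildcard label such as *.example.test."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def lock_facts(hostname, cert, now):
    """Facts an HTTPS connection establishes; none describe the site's content."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "name_matches": any(_matches(hostname, n) for n in sans),
        "within_validity": start <= now <= end,
        "issuer": _field(cert["issuer"], "organizationName"),
    }

def _cert(name):
    # Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
    return {
        "subject": ((("commonName", name),),),
        "issuer": ((("organizationName", "Constructed Test CA"),),),
        "subjectAltName": (("DNS", name),),
        "notBefore": "Jun  1 00:00:00 2023 GMT",
        "notAfter": "Aug 30 00:00:00 2024 GMT",
    }

NOW = datetime(2023, 9, 1, tzinfo=timezone.utc).timestamp()
BANK = lock_facts("www.bank.test", _cert("www.bank.test"), NOW)
LOOKALIKE = lock_facts("www.bank-login.test", _cert("www.bank-login.test"), NOW)
MISMATCH = lock_facts("www.bank.test", _cert("www.bank-login.test"), NOW)

if __name__ == "__main__":
    for label, facts in (("bank", BANK), ("lookalike", LOOKALIKE), ("mismatch", MISMATCH)):
        print(label, facts)
```

The constructed bank site and its look-alike produce identical results, because every check concerns the name in the address bar and the encrypted channel; only a certificate presented for a different name fails.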
What’s happening with the Chrome Lock Icon?
Google announced recently that it is preparing to discontinue the Chrome browser's padlock icon and replace it with a new symbol in the address bar. The lock will be replaced this fall with a "neutral indicator." The new indicator, which is a variant of the “tune” icon, is designed to urge users to verify a website's security information. Users will begin to see the new icon with the launch of Chrome 117 in September of 2023.
To replace it, the team behind Chrome is working on a version of the tune icon that encourages people to click and check for vital privacy and security information. Google says the user-friendly image is better because it does not indicate "trustworthy" and because it is "more obviously clickable" and "commonly associated with settings or other controls."
Chrome’s current lock icon on desktop and Android will be replaced in early September 2023. Meanwhile, Google will be pulling it entirely from Chrome on iOS, as the lock icon wasn’t tappable on that platform.
Why is Google making this change?
As a recent post in the Chromium Blog points out, “For the last decade, Chrome participated in a major initiative to increase HTTPS adoption on the web, and to help make the web secure by default. As late as 2013, only 14% of the Alexa Top 1M sites supported HTTPS. Today, however, HTTPS has become the norm and over 95% of page loads in Chrome on Windows are over a secure channel using HTTPS. This is great news for the ecosystem; it also creates an opportunity to re-evaluate how we signal security protections in the browser. In particular, the lock icon.”
The lock icon is a remnant of an era when HTTPS was uncommon. When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS. As Google points out, “Today, this is no longer true, and HTTPS is the norm, not the exception, and we've been evolving Chrome accordingly.”
Back in the 2010s, the clickable symbol provided information on a website's permission settings, cookies and whether the site had a secure connection. But now HTTPS is commonplace, even for malicious sites, so users shouldn't misread the icon as indicating that a site is actually trustworthy.
What the new Chrome tune icon means for you
Change is difficult for most people to embrace. And because the padlock icon has been a distinct feature for the last 30 years, the new icon will take time to get used to. However, it’s important that we all address critical issues aimed at increasing web security and simplifying the user experience.
The new tune icon is set to be more recognizable and visually distinct, making users feel more secure as they browse the web. While the icon will take getting used to, it should represent a step towards a more secure and user-friendly web.