Since the 1990s’ first releases of Netscape, browsers have shown a lock icon when a site loads via HTTPS. Chrome has taken part in a significant effort over the last ten years to promote HTTPS usage on the web and make it secure by default. Just 14% of the top 1 million sites, according to Alexa in 2013, supported HTTPS. But, in today’s world, HTTPS is the standard, and in Chrome on Windows, over 95% of page loads are done so through a secure connection utilizing HTTPS. The ecosystem will greatly benefit from this, and it also provides a chance to reconsider how security safeguards were announced in the browser in 2013. I really like the lock symbol.
While it’s a legacy from when HTTPS was less prevalent, the lock icon is supposed to show that the network connection between the browser and the site is a secure channel and cannot be altered or eavesdropped on by other parties. Internet Explorer formerly displayed a warning to users informing them that the connection was protected via HTTPS, evoking the “Everything’s Alright” alarm from The Simpsons. HTTPS was once so uncommon. When HTTPS was used, the lock symbol highlighted the increased security that HTTPS offered. This is no longer the case; HTTPS is the standard rather than the exception, and Chrome has been updated in line with this.
For instance, we are aware that the lock icon does not signify the reliability of a website. In 2016, we updated the lock icon since our study revealed that many users didn’t understand what the icon meant. Our research in 2021 revealed that, despite our best efforts, only 11% of survey participants accurately recognized the exact meaning of the lock symbol. Due to the fact that almost all phishing websites use HTTPS and show the lock icon, this mistake is not harmless. Several agencies, including the FBI, issue specific warnings that the lock image is not a sign of a secure website since misconceptions about it are so common.
Now, Chrome’s lock icon serves as a useful gateway to site controls. We disclosed in 2021 that we were testing a more security-neutral access point to site controls in place of Chrome’s lock icon. In the URL bar, we kept marking HTTP as unsafe. Users in the trial spent more time exploring the site’s controls, and they showed no signs of disorientation that may occur after significant UI changes.
- does not entail being “reliable”
- more visible clickability
- frequently linked to settings or other controls
The lock icon should be replaced with a neutral signal to avoid any confusion about whether a website is trustworthy. This also underlines the point that security should be Chrome’s default setting. Moreover, our study revealed that many users were unaware that the lock icon displayed crucial information and functions. We believe the new symbol avoids the confusion that the lock icon causes while making permission controls and related security information more easily available.
The new icon will debut as part of a broad redesign for desktop platforms in Chrome 117, which debuts in early September 2023. When a user’s connection is not secure, Chrome will continue to warn them. If you activate Chrome Refresh 2023 at chrome:/flags#chrome-refresh-2023, you may see the new song icon in Chrome Canary. However, bear in mind that this flag allows work that is still actively in progress and under development and does not represent a finished product.
For Android, we will replace the lock icon at the same time as the larger desktop update. We will do away with the lock icon completely since it cannot be touched on iOS. We will keep marking unencrypted HTTP as unsafe across all platforms.
As HTTPS has become the norm, replacing the lock icon has long been a goal for both Chrome and the broader security community. We’re excited that HTTPS adoption has grown so much over the years, and that we’re finally able to safely take this step, and continue to move towards a web that is secure by default. Chrome and the larger security community have long sought to replace the lock symbol as HTTPS has become the standard. thrilled that HTTPS use has increased so much over the years, that we can now proceed securely with this transition, and that we can continue to advance toward a web that is secure by default.
How the lock icon is being replaced by Google
Google will substitute a version of the song icon, which is often used to represent control menus, for the lock icon in order to prevent misunderstanding. Users will not be misled by the new icon, which will also entice them to click through and get additional details about their security and connection settings.
