Chrome's HTTPS padlock heads to Google Graveyard

As blue check marks start showing up in Gmail

Logowatch: Google plans to retire the padlock icon that appears in the Chrome status bar during a secure HTTPS web browsing session because the interface graphic has outlived its usefulness.

Later this year the lock icon will be replaced with the "tune" icon, which Google says "is commonly used to indicate controls and settings."

Today's Chrome lock icon currently oversees a broad portfolio of functions. It has become a dropdown menu that provides connection information, permissions for device microphone, code, and clipboard access, alongside aliases to Chrome's Cookies and site data menu and its Site settings menu.

But Google's planned replacement makes less sense. The standard tune icon could charitably be likened to the sliders on a sideways audio mixer. It appears to have something to do with adjusting settings. The simplified version Google has adopted is just baffling.

It looks like minimalist sex position guidance or a cryptic binary reference. Unlike the padlock, it has no obvious link to any real world object that hints at its function.

Binary finally ... Chrome's forthcoming 'tune' icon

The lock icon dates back to Netscape Navigator 4.0, which was released in June 1997. Prior versions of the browser used a key icon to signify a secure connection. During those early years of the web, insecure connections were common and secure sessions were unusual.

"When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS," explained David Adrian, Serena Chen, Joe DeBlasio, Emily Stark, and Emanuel von Zezschwitz, from the Chrome Security Team in a blog post. "Today, this is no longer true, and HTTPS is the norm, not the exception, and we've been evolving Chrome accordingly."

Communicating browser security to non-technical users has been an ongoing project at Google. The Chocolate Factory, in conjunction with others like Mozilla, began refining how browsers presented their security state back in 2015 and later embarked on a plan to mark HTTP as "non-secure" rather than treating a secure HTTPS connection as something noteworthy.

Despite various interface changes in recent years to clarify that a secure, encrypted connection does not guarantee the trustworthiness of a website, only 11 percent of web users surveyed by Google in 2021 understood the limited meaning of the lock icon.

"This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon," Google's Chrome Security Team notes.

To further justify interface meddling, Google's security gurus point to a separate study from 2007, just 16 years ago, that found users ignore HTTPS indicators of web security.

So following the presumably successful experimental removal of the icon in Chrome 93 two years ago, the lock icon is finally on its way out and into the famous Google Graveyard alongside Stadia and friends. Chrome will continue to warn users when the connection is not secure, just without the lock imagery.

Get used to it ... Sample of Chrome's new tune icon menu

Google's goal is to provide a neutral signifier so people don't misinterpret the lock to mean that a page should be trusted and to emphasize that security should be the default state for Chrome. Which is a fair point. As to what the tune icon signifies, that's open to interpretation.

The tweaked tune icon is slated to debut in Chrome 117, due in early September 2023. It's available now to Chrome Canary users behind a flag, chrome://flags#chrome-refresh-2023, for those that want it. ®

Speaking of Google... Gmail is getting blue check marks in emails to indicate the web giant has verified the sender of the message is who they say they are. This is aimed at verifying organizations and brands, so that people getting the mails know for sure they are hearing from the real deal and not an impersonator.

It builds upon Google's Brand Indicators for Message Identification (BIMI) system launched in 2021. See here to set up BIMI for your brand. Roll out of this blue check feature begins today.
