Chrome Browser Removes Secure Symbols in New Release
Google has sparked debate in the security community by removing visual indicators of secure websites, preferring instead to mark the non-secure ones
Previously, a secure website would trigger a padlock in Chrome, the word ‘secure’ in the URL bar, and the protocol ‘https://’ at the beginning of the URL. In the newest version of Chrome, 69, only the padlock icon appears. In a future version, Google plans to remove the padlock icon altogether for secure sites.
In Chrome 69, Google has also changed the colour of the padlock from green to grey.
For non-secure websites, Chrome will still display a warning symbol and the words ‘Not Secure’. The words are still presented in grey, but Google says it’ll soon make them red.
Why is Google Turning Security on its Head?
Google is keen to get as many websites as possible using HTTPS rather than non-secure HTTP, and it’s used several tactics to achieve this.
For the last few years, there’s been a marginal SEO advantage for webmasters when a site is secure. Equally, it’s included the the words ‘Not Secure’ in Chrome to make it more obvious when HTTPS is not present.
Google’s drive to make the web secure ‘by default’ is admirable in most cases. Secure websites offer a degree of protection against tracking and snooping, but the main aim is to ensure that your activity on those sites is not visible to anyone else.
However, changing the way the browser notifies users has attracted criticism security professionals and user interface designers. The most obvious problem with removing the padlock icon from Chrome is that users may be confused about what to look for when they visit a website and need to know if it’s secure.
Is Googling Muddling Things for Users?
Now that businesses have access to relatively simple and inexpensive security certificates (from providers like Let’s Encrypt), enabling HTTPS on every site could be considered a no-brainer. But the simplicity of obtaining a SSL certificate means that even malicious sites now appear secure by obtaining a free SSL certificate with the bare minimum security checks.
Google’s also doing away with ‘www’ in URLs. Even if they’re there, it won’t display them. That could make it more difficult to remember, and type, the ‘real’ URL of a website, further confusing the issue.
On a broader point, secure websites don’t work well for everyone. This blog post explains why HTTPS can make the web much slower in the developing world; it makes websites ‘uncacheable’ in areas where bandwidth is limited and expensive. Secure sites can also cause problems on old devices and ageing smartphones.
Many of us have been drilled to look for a padlock in the URL bar, and the removal of that padlock is inevitably going to cause alarm for users that find it more difficult to adapt. While Google rolls out these changes, it’s important to be vigilant when visiting sites that you don’t entirely trust.