Google announced today that the padlock icon, long thought to be a sign of a website’s security and reliability, will soon be replaced with a new code that doesn’t mean the site is secure or should be trusted.
While it was first introduced to show that a website uses HTTPS encryption to encrypt communications, the padlock symbol is no longer required since over 99% of all web pages are now loaded in Google Chrome over HTTPS.
These also include websites used as landing pages in phishing attacks or other malicious purposes, designed to take advantage of a padlock code to trick targets into thinking they are safe from attacks.
“This misunderstanding is not malicious – almost all phishing sites use HTTPS, and therefore also display the lock icon,” Google said.
“Misunderstandings are so pervasive that many organizations, including the FBI, publish clear guidelines that the padlock symbol is not an indicator of website security.”
The lock icon in Chrome 117 will be changed with the “melody icon variant,” a widget commonly associated with app settings and designed to show that it’s a clickable element.
However, it won’t be completely removed as Google will continue to show the padlock in the “tune” submenu when website connections are secure, as shown in the screenshot above.
The move was first announced nearly two years ago, in August 2021, when the company revealed that indicators for secure websites were no longer necessary and would be removed from Google Chrome’s address bar since more than 90% of connections are made over HTTPS.
“When HTTPS was rare, the padlock icon drew attention to the additional protections HTTPS provides. This is no longer true today, HTTPS is the rule rather than the exception, and we’ve developed Chrome accordingly,” Google said.
The new icon is scheduled for release in Chrome 117, which releases in early September 2023, as part of a general design update for desktop systems.
The lock icon in Google Chrome for Android will also be replaced in September, but it will be removed from iOS since it cannot be clicked and is only displayed to convey additional information about the loaded website.
It should be noted that Google Chrome will continue to alert users of insecure HTTP connections on all platforms.
How to test the new Chrome configuration code
Those who want to test padlock replacement can enable it in Chrome Canary using the following instructions.
- Enters chrome://flags in the address bar and press Enters.
- Search ‘Chromium update 2023“
- when ‘Chrome 2023 updateFlag is displayed, clickshortening“and select”maybe“.
- Restart the browser when prompted to get the updated Chrome Desktop user interface.
As Google warned today, this feature is still in active development, doesn’t reflect the final product, and bugs are to be expected.