Google Chrome will lose the “lock” icon for HTTPS-secured sites

In September 2023, Google Chrome will stop showing the lock icon when a site loads over HTTPS, partly due to the now ubiquitous use of the protocol.

The misunderstood Lock icon

It took many years, but the unceasing push by Google, other browser makers and Let’s Encrypt to make HTTPS the norm for accessing resources on the Web resulted in an unmitigated success; according to Google, over 95% of page loads in Chrome on Windows are now over an encrypted, secure channel using HTTPS.

The time has come to “re-evaluate how we signal security protections in the browser,” the Chrome Security team says.

So, starting with Chrome 117, the “lock” will be replaced with a new “tune” icon, which does not carry the ‘trustworthy’ implication the former conveys for many users.

“We redesigned the lock icon in 2016 after our research showed that many users misunderstood what the icon conveyed. Despite our best efforts, our research in 2021 showed that only 11% of study participants correctly understood the precise meaning of the lock icon,” the team explained.

“This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon. Misunderstandings are so pervasive that many organizations, including the FBI, publish explicit guidance that the lock icon is not an indicator of website safety.”

A new look

Google has been planning and working towards this final stage for years. The goal was to eventually switch from showing positive to showing only negative security indicators.

The new “tune” icon is more clickable, they feel, and it will open website controls that will now include the lock icon as the entry point for information about connection security.

Google Chrome HTTPS

The new icon opens site controls

The icon change will also be introduced in Chrome for Android at the same time.

“On iOS, the lock icon is not tappable, so we will be removing it entirely. On all platforms, we will continue to mark plaintext HTTP as insecure,” the team concluded.

Don't miss