Google to Replace the Padlock Icon in Chrome Version 117

Billions of people around the world associate a padlock icon with a secure, trusted website. But that’s about to change — Google Chrome has announced they will be discontinuing the padlock icon starting around September 2023.

This change isn’t because Google no longer thinks HTTPS is important, though — in fact, it’s the opposite. Google expects every website to have HTTPS by default.

Why is Google removing this well-known security lock symbol? And what does this padlock icon change mean for your organization, website security, and the cyber security industry as a whole?

Let’s hash it out.

As the world’s most popular web browser, Google Chrome is “mov[ing] towards a web that is secure-by-default.”

This means that HTTPS (i.e., the hypertext transfer protocol secure) should be considered the default security baseline for all websites. Historically, the padlock icon represented this concept in web browsers. The problem? The icon has consistently been misconstrued by users as representing a safe website rather than a secure one. (No, those terms aren’t synonymous; we’ll speak more about that later.)

This is why the Google Chrome Security Team announced in a May 2023 Chromium blog post its departure from the traditional padlock icon — a lock icon that’s been associated with website security for the last 40 or so years. The change will take effect with Chrome version 117 (estimated to be released in September).

The padlock will be phased out for both computer and mobile users:

Websites that use HTTP will continue to be flagged as “Not Secure” by Google Chrome. Google expects that all websites should have HTTPS. You might say that HTTPS is the “bare minimum” expected. No HTTPS? Your users will be warned that your website is “Not Secure.”

So, what will Chrome display instead of the padlock icon? See for yourself:

… Okay. Interesting. Here’s what it’ll look like in the browser’s address bar when Chrome 117 launches in the fall:

Hmm. It’s not much to write home about, as the saying goes. But why is Google bothering to go through the trouble of replacing a symbol that’s been around for 30+ years?

The Google Chrome Security Team says the move is based (in part) on the results of its browser UI security study, which showed that the overwhelming majority of users don’t “get” what the lock icon represents. Google’s online study of 1,880 users showed that 89% of respondents misconstrued the padlock’s meaning. According to the Chromium update:

“Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome.”

Fair enough, particularly when you consider that 82.6% of websites use HTTPS as the default protocol. This means that four in five websites have SSL/TLS certificates installed — the majority of which use only the lowest level of identity verification (i.e., domain validation).

While this new icon is generic and leaves something to be desired visually, we understand where Google is coming from because many users don’t recognize the crucial difference between a safe and secure website. From a security standpoint, this is a crucial delineation we often talk about here at Hashed Out.

In the old world, HTTP wasn’t the default. HTTPS was special, and so it was rewarded with the padlock icon. In the new world, every website is expected to have HTTPS. It’s just “table stakes.” As the Chrome team says:

“When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS. Today, this is no longer true, and HTTPS is the norm, not the exception, and we’ve been evolving Chrome accordingly. […] We’re excited that HTTPS adoption has grown so much over the years, and that we’re finally able to safely take this step, and continue to move towards a web that is secure-by-default.”

The Chrome Security Team’s announcement assures that the browser will continue identifying insecure websites by slapping “insecure” labels on them. But when you consider that virtually anyone can get their hands on a domain validation (DV) SSL/TLS certificate, simplifying informing that a website uses HTTPS on its own doesn’t mean much. There needs to be something extra to provide another layer of security and verification to prove a website is secure, safe, and trustworthy.

This is why it’s going to be more important than ever to assert your digital identity on your website using organization validation (OV) or extended validation (EV) SSL/TLS certificates. Companies increasingly find themselves combatting phishing scams, email spoofing, and other fraud-related issues. Knowing this, as the industry progresses toward HTTPS as the default, it’s imperative that companies use trustworthy digital certificates that bring verifiable digital identity to the table.