Google has now revealed two significant changes incoming for its Chrome browser, including the deprecation of the lock icon and a new HTTPS-First Mode. That’s according to a recent blog post from the company detailing the two changes. And the reasons behind them.
For clarity, the lcok icon in question is the one Chrome displays to the left of the URL Omnibox on some pages. Specifically, Google says that it’s displayed on pages that have a secure connection. But, arguably, the more important change doesn’t have anything to do with the Chrome lock icon — and a lot to do with securing the web via HTTPS-First Mode.
The new HTTPS-First Mode, set to roll out with Chrome milestone update M94, is fairly straightforward. It will, at all times, make an attempt to load pages in HTTPS. And that includes upgrading HTTP pages to HTTPS. For sites that can’t be upgraded, Chrome will throw a full-page warning in HTTPS-First Mode. That warning, of course, will show before the connection is established.
Why changes toward HTTPS-First and what does this have to do with the lock icon?
Now, HTTPS-First modes have been hinted at and have begun to be introduced by other browsers such as Firefox and Edge. On Chrome, Google has been pushing toward that as well. Albeit not in quite the same way, and driven primarily by how much more secure HTTPS is than HTTP. With more than 90-percent of Chrome page loads happening via HTTPS.
Now, Chrome also wants to move toward keeping users better-informed about sites over insecure connections. As well as limiting the ability to opt out of HTTPS and place restrictions on site content provided and stored from insecure connections. All while informing end-users about what’s going on with security behind the scenes.
And part of that latter endeavor is precisely why Gooogle is “re-examining” its browsers URL bar based “lock icon.”
The lock icon, according to Google, is widely misunderstood by end users. Only 11-percent of participants in a recent study run by the company understood what it meant. Namely, that it’s not meant to show that the site itself is ‘trustworthy’. Only that the connection to the site is safe. So, starting from Chrome M93, the icon will be replaced with a down-arrow icon.
Clicking on that will still showcase Page Info, including whether the connection is secure and how the site is being managed. Just like a click on the lock icon does now. But that will be done with a more neutral icon, meant to dissuade unwarranted trust. Google says that it’s end goal is to help users discover information such as site permissions more readily, rather than simply trusting it’s safe because of a misunderstood icon.
Sites without HTTPS support will continue showing a “Not secure” warning.
This doesn’t mean the company isn’t taking more dramatic steps still
Of course, all of this falls in line with restrictions on features already in place. Such as restrictions meant to halt mixed content downloads. For example, those that pull downloads from an HTTP site despite the user seeing that they’re on an HTTPS site. Google plans to expand on those restrictions as well, in a bid to keep user data safe.