For years, the padlock displayed to the left of the URL in the Google Chrome address bar has been a security indicator, serving to confirm at a glance that we were connecting to a secure server, which has an SSL certificate that accredits the identity of the same and that, in addition, allows encrypting the communications between the client and the server, thus guaranteeing the security of the data in transit. Thus, since 2018, Google’s web browser has warned us, with this element, of insecure connections.
If you are a user of it, You have probably perceived a clear evolution in this regard in recent years. When Google Chrome introduced this measure, it was still quite common to find websites without an SSL certificate. However, today it is really unusual to find pages that do not have it, especially if we are talking about professional websites, since in personal ones it is more likely, even today, to find this circumstance. In these cases, the padlock is replaced by an alert sign (an exclamation mark inside a triangle accompanied by the text “Not secure”).
It happens, however, that the fact The fact that a web page has an SSL certificate does not necessarily prove that it is secure and reliable. And this nuance, which at first may seem like a minor detail, is actually much more important than it seems. Because? Because interpreting the padlock as a sign that we can blindly trust what is in front of us is a security threat, due to a false sense of security.
At Google they are aware of this problem and, for some time now, have wanted to make changes to end it. And now, finally, it seems that there is already a date for it, since Google Chrome 117 will no longer show the lock for secure connections, as we can read on the Chromium blog. In said entry, the company perfectly explains the paradigm shift of these years with the following paragraph:
«The lock icon is intended to indicate that the network connection is a secure channel between the browser and the site and that the network connection cannot be tampered with or eavesdropped on by third parties, but it is a holdover from an era when HTTPS it was uncommon. HTTPS was originally so rare that, at one point, Internet Explorer displayed an alert to users notifying them that the connection was protected by HTTPS, reminiscent of the “Everything’s OK” alarm from The Simpsons. When HTTPS was rare, the lock icon called attention to the additional protections provided by HTTPS. Today this is no longer true, and HTTPS is the norm, not the exception, and Chrome has evolved accordingly.»
Now, the explanation about how dangerous the padlock can be today is found in this other paragraph:
«For example: we know that the lock icon does not indicate the trustworthiness of the website. We redesigned the lock icon in 2016 after our research showed that many users didn’t understand what the icon conveyed. Despite our best efforts, our research in 2021 showed that only 11% of study participants correctly understood the precise meaning of the lock icon . This misunderstanding is not harmless: almost all phishing sites use HTTPS and therefore also display the lock icon. The misunderstandings are so widespread that many organizations, including the FBI, post explicit instructions that the lock icon is not an indicator of website security.»
Thus, deleting it, replacing it with another one that is associated with settings and configuration, will avoid the overconfidence caused by the padlock. The padlock, yes, will continue to be displayed when we click on the new icon, now next to the text “The connection is secure”, which provides clearer information about it
If you are a Google Canary user and want to try it, you can do so by following these steps:
- Type “chrome://flags” (without the quotes) in the address bar.
- Search for “chrome-refresh-2023” (also without quotes).
- When the flagchange its status from “Default” to “Enabled”
- Finally, restart the browser, access any web page and you will see the new icon:
