Chrome announced that it will soon retire the lock icon that signals a secure HTTPS connection and replace it with a more neutral icon that it believes will offer a better user experience.
The change is based on research showing that the current lock icon is unintentionally misleading and therefore a security risk.
Why the HTTPS lock icon is disappearing
The lock icon is an artifact of a time when secure connections were the exception rather than the norm.
Users could rely on the green padlock icon to remind them a connection was secure.
It used to be conventional wisdom that only financial and e-commerce websites needed a secure connection and that non-transactional websites did not.
But that old mindset changed when Google and other companies started encouraging publishers to switch to secure connections to improve user privacy and security.
Google eventually went so far as to make HTTPS a ranking factor, motivating holdouts who still insisted HTTPS was pointless for non-ecommerce sites.
Chrome’s announcement stated:
“HTTPS was originally so rare that at one point Internet Explorer would show users a warning to let them know the connection was secured by HTTPS, reminiscent of The Simpsons’ “Everything OK” alert. When HTTPS was rare, the lock icon drew attention to the extra protection HTTPS offered.
Today that is no longer the case and HTTPS is the norm, not the exception, and we have evolved Chrome accordingly.”
The lock icon is misleading
It might sound counterintuitive, but Google’s research found that the lock icon gives users a false sense of security.
The lock icon does not mean a website is secure. It just means that the connection is over a secure protocol.
Users mistakenly assume that the lock icon means the site is secure, so they automatically trust the site they visit.
This is a potentially harmful perception as phishing and malware websites often display the lock icon.
Research from Google shows consumers continue to associate the lock icon with security.
“We redesigned the lock icon in 2016 after our research showed that many users misunderstood the meaning of the icon.
Despite our best efforts, our 2021 research showed that only 11% of study participants correctly understood the exact meaning of the lock symbol.
This misunderstanding is not harmless – almost all phishing sites use HTTPS and therefore also display the lock icon.
Misconceptions are so common that many organizations, including the FBI, publish explicit guidance that the lock icon is not an indicator of website security.”
De-emphasizing the lock icon
Chrome has been in the process of de-emphasizing the lock icon for the last five years, starting in 2018 when there was a suggestion to change the icon.
There used to be a prominent word, Safe, written in green.
The suggestion was to remove the word.
Here’s a screenshot from the Chrome blog post:
Removing the lock icon can be seen as part of the natural evolution of the web and user needs.
New HTTPS tune icon
Google is updating the HTTPS icon so that it still communicates that the connection is secure, without inadvertently implying that the website itself is trustworthy.
The new icon is a so-called tune icon.
Google Fonts shows these as examples of tune icons:
And this is the new icon that Chrome will include:
Chrome’s announcement explained the reasons for choosing the tune icon:
“We think the tune icon:
- Does not mean “trustworthy”
- Is more obviously clickable
- Is often associated with settings or other controls”
Chrome will continue to warn users when a connection is insecure.
The redesigned icon will first appear in Chrome 117, which is currently scheduled for release in September 2023.
Chrome announced that the change is planned for both the desktop and Android versions of Chrome.
On iOS, where the icon cannot be tapped, Chrome will remove it entirely.
Read Chrome’s official announcement:
An update on the lock icon