Chrome to Drop Familiar ‘Lock’ Icon as It Might Be Actually Helping Phishers, Google Says

Google has announced plans to rid Chrome of the ubiquitous lock icon indicating a secure connection, as it no longer serves its intended purpose – and might be doing more harm than good.

The padlock icon in Chrome’s URL bar was – and still is – primarily intended to indicate a secure connection over HTTPS. But it’s more than just a simple image. If clicked, the icon displays a trove of information about the site visited, such as the validity of its security certificate, cookies and site data, and a wide range of settings and permissions (as shown below).

Credit: Google

Ten years ago only 14% of the Alexa Top 1M sites supported HTTPS, but today over 95% of page loads in Chrome on Windows take place over a secure channel using HTTPS, Google notes, meaning the “lock” is ubiquitous enough not to be enforced.

Come September, Chrome 117 will roll out a new “tune” icon in the padlock’s stead – “both to emphasize that security should be the default state, and to make site settings more accessible,” according to the security team at Google.

The new icon (shown below) will offer much the same functionality “as a precisely scoped entry point to connection security information, but with a new top-level access point,” the web giant says.

Credit: Google

But ubiquity is not the only reason behind the shift. In fact, it might not even be the main reason.

Phishers also use HTTPS

Research carried out by the internet behemoth in 2021 showed that only 11% of Chrome users correctly understood the precise meaning of the lock icon.

Misunderstandings aside, the lock now seems to be doing more harm than good, as most phishing sites today also use HTTPS to trick victims. In other words, the lock icon is in fact helping threat actors.

“Our research has also shown that many users never understood that clicking the lock icon showed important information and controls,” Google says. “We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.”

As Google puts it, removing the “lock” should also emphasize that security is considered the default state in Chrome, while the browser will continue to flag any website using plaintext HTTP as insecure.

The mobile version of Chrome will get the same treatment but only on phones running Android.

“On iOS, the lock icon is not tappable, so we will be removing it entirely,” the web giant notes.

Chrome 117 is slated to roll out in early September 2023.

Don’t forget about malware

Remember that your web browser can only secure your experience to the degree that you understand the warnings displayed, where you are online, and what data you exchange with the websites you visit.

Scammers will go to great lengths to make their websites look trustworthy, going so far as to get valid security certificates to hide their true intentions.

While Google is making important inroads to protect your security and privacy browsing online, Bitdefender also strongly recommends the use of a dedicated security solution to combat online threats, especially malware.