So Long, Browser Padlock
On May 2nd Google announced they plan to remove the padlock icon, beloved or despised since Netscape days in the 1990s, from the Chrome web browser. Google research found that users who actually notice the padlock typically misunderstand it to mean a web site is trustworthy, when in fact it only means the connection to the site is encrypted with SSL/TLS.
Better late than never. Back in 2007, Google Chrome designers joined me and other browser security experts to decide the future of browser security indicators. The result was a Worldwide Web Consortium (W3C) standard called Security Context: User Interface Guidelines.
The W3C standard barely mentions padlocks directly, but I recall much debate and discussion in the room about it. Our consensus was that the padlock is mostly ignored or misinterpreted. Yet, with the advent of Extended Validation Certificates, we needed to convey more security information to browser users than ever before.
Browsers found creative ways to comply with the new W3C standard and present more nuanced security information to users, such as changing padlock or address bar colors. But new colors only seemed to add to user confusion (while disregarding color-blind people).
Over the years, SSL/TLS online encryption became inexpensive and easy. Today over 90% of web sites use it. This is good news. But it means the padlock appears on nearly all web pages now, so we learn to ignore it. Even worse, cheap, easy SSL allowed criminals to get padlocks on their web sites too. Extended Validation certificates were supposed to prevent this by keeping the most secure flavor of SSL/TLS out of criminal hands, but users didn’t understand why a green padlock was better than a yellow one.
If all web sites (even fake sites) have them, then what does the padlock even mean anymore? It doesn’t mean you can trust the web site you’re visiting. In truth it never meant that, but with criminals getting padlocks it’s truer than ever.
Google’s solution is to replace the padlock icon with a new image they call Tune. Click on it and you get the same site information you got before by clicking the padlock. The new image conveys nothing, but maybe that’s the point. Unlike the padlock, Tune won’t mislead users into trusting sites they shouldn’t.
Firefox gave up on color coded padlocks, but it still displays a gray padlock on HTTPS pages. Mozilla has a close relationship with Google, so they may retire the Firefox padlock entirely. No word yet on Apple Safari or Microsoft Edge, which both continue to display padlocks.
It’s time to thank the padlock for carrying a heavy load all those years, and put it out to pasture.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.