Chrome drops ‘secure’ label for HTTPS websites

When it comes to browser security, how important are the address bar icons and labels that tell users about a site’s security status?

For Google at least, they matter a lot. In 2017 the Chrome browser started marking transactional sites not using HTTPS as ‘Not Secure’. In July 2018, all sites not offering HTTPS will get this label.

This always risked making the Chrome address bar look a bit crowded. In addition to ‘Not Secure’ with a red warning triangle, there was ‘Secure’ (for sites using HTTPS), as well as the famous green padlock symbol dating back more than a decade.

But which signal matters most – virtue or deficiency?

Given that HTTPS security is rapidly becoming the norm – thanks largely to arm-twisting by Google itself – the company has announced that, in future, it will only inform users when a site is insecure.

Consequently, from Chrome version 69, due in September, the ‘Secure’ label will disappear from HTTPS sites and the green padlock will turn grey.

At some point beyond that, the padlock will vanish completely, leaving the address bar empty save for the URL.

It’s a move that turns the address bar from a place that tells users when a site is good (using HTTPS) into one that only tells them when a site is bad (using insecure HTTP).

Well done to Google for sounding the death knell of HTTP, which faces certain extinction for every site this side of the long tail.

It’s a far cry from the perplexing wordiness of the past. Take Internet Explorer 8 (2009-11), which used to throw up the following dialogue when visiting a site using HTTPS:

You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the Web.

And where HTTPS was absent:

You are about to leave a secure internet connection. It will be possible for others to view information you send.

Most people just turned them off by ticking the “do not show this warning” box, which perfectly sums up why this signalling design turned into an irrelevance.

Google’s tweak doesn’t mean that confusion about address bar signalling is gone for good – rival browsers Firefox, Edge, Safari and Opera still have their own slightly different systems for signifying the presence or absence of HTTPS.

Then there is the vexed issue of whether sites should be assumed to be good simply because they are using HTTPS.

This is a risky assumption, given that there’s nothing to stop a phishing site from deploying HTTPS as a calculated attempt to spoof its virtues. Even legitimate sites using HTTPS can sometimes fail to secure the data of their users.

Longer term, the answer is not more icons or labels but for companies such as Google to find a way to filter out sites that fall short of acceptable levels on a balance of indicators. Right now, we’re still a long way from a world built on that sort of transparent web security.