
It’s hard to believe but the “secure” lock icon has been a part of our web browsing experience for nearly three decades. Unfortunately, thirty years wasn’t long enough for the familiar lock icon to clearly convey why exactly it was there. Introduced by Netscape in the mid-nineties, HTTPS stands for Hypertext Transfer Protocol Secure and the lock icon in the Chrome URL bar has long represented that a site is using the “secure” protocol.
The problem is that HTTPS is commonly taken to mean that you are safe browsing the website carrying the icon. As a matter of fact, a 2021 study by Google Research revealed that only 11% of participants had a clear understanding of what HTTPS was and what it did and did not do. What HTTPS does represent is a secure connection between your browser and the site that you’re viewing. It requires nothing more than a valid SSL certificate, which anyone can get for free for any domain. What happens while you’re on that site is not affected or protected by HTTPS. According to Google, nearly all malicious phishing websites use HTTPS, which makes sense: nefarious players want their unsuspecting victims to have a false sense of security while leaving themselves open to identity theft and other types of phishing attacks.
The lock icon has, unintentionally, given users a false sense of security. The lack of understanding of the HTTPS protocol has left many web surfers believing that they and their personal data are safe and secure while using a site with the lock icon, and that simply isn’t the case. Google recognized this misconception and, after extensive research, is moving to replace the misinterpreted lock icon with something new.
Starting with the release of Chrome 117 in September, the lock icon will be replaced with the new “Tune” icon to denote HTTPS as well as draw attention to the additional controls that many users don’t know are available when you click the lock icon. The new icon will arrive on Chrome for Android as well. On iOS, where the icon isn’t clickable, it will be removed entirely.
From the horse’s mouth
The lock icon is meant to indicate that the network connection is a secure channel between the browser and site and that the network connection cannot be tampered with or eavesdropped on by third parties, but it’s a remnant of an era where HTTPS was uncommon. HTTPS was originally so rare that at one point, Internet Explorer popped up an alert to users to notify them that the connection was secured by HTTPS, reminiscent of the “Everything’s Okay” alarm from The Simpsons. When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS. Today, this is no longer true, and HTTPS is the norm, not the exception, and we’ve been evolving Chrome accordingly.
Chromium Blog
The new Tune icon is intended as more than a simple aesthetic update. Chromium developers believe that it will better convey what HTTPS is while clearly indicating that there are more settings and granular security controls available by clicking the icon. In their view, the Tune icon:
- Does not imply “trustworthy”
- Is more obviously clickable
- Is commonly associated with settings or other controls
If you happen to be in the Canary channel of ChromeOS or have the Canary Chrome desktop installed, you can go ahead and enable the new Tune icon by heading to chrome://flags#chrome-refresh-2023 and enabling the flag. You will then see the updated icon in your URL bar. It is a small but hopefully very meaningful change that will help users focus more on security while traipsing across the web.