How Google's icon experiment could improve online security
Google just took a small step toward increasing users' understanding of their online security.
On Chrome Canary, the experimental version of the Google Chrome browser, Google has ditched the lock-and-triangle icon (below), an ambiguous symbol that indicates a mixed degree of security on a site. Instead, it began marking all sites that don't have a fully secure connection the same way as sites with a nonsecure connection – a blank page icon.
If the change is eventually adopted in the regular Chrome browser, experts say it could eliminate confusion surrounding online security and help users understand that the site is not fully secure.
Currently, the lock-and-triangle symbol is one of several icons that could come up in the URL bar depending on the user's connection to the website.
A site’s URL will begin with either “HTTP” or “HTTPS.” The “s” indicates a secure connection that encrypts the Web traffic between a user and a particular website. Without the “s,” a user’s connection to the site is not encrypted, and any information the user submits over the site, such as credit card information or passwords, could be compromised.
“Most people don’t start thinking about security, they only start thinking about security when you raise the issue of security to them,” said Matt Green, security researcher at Johns Hopkins University. “The lock does that, but in the absence of a lock, you’re basically saying that conversation isn’t happening.”
To help users notice the difference, Google uses several icons on its Chrome browser, the world's most popular browser, that come before the URL to indicate the security of the connection. A green padlock means user has a secure, encrypted connection to the site. The gray lock and yellow triangle means the connection is encrypted, but there are elements on the page that are not secure, such as pictures. Google suggests not submitting private information on a page like that. And a white page icon is for sites that do not encrypt the connection between the user and the site. These sites will have “HTTP” instead of “HTTPS.”
According to a tweet by Chris Palmer, a security engineer for Google Chrome, the move to delete the triangle is, “a recognition of how much cognitive overhead people can manage.”
Chrome Canary is an experimental version of Google Chrome that Google describes as being on the “bleeding edge” of the Web – so new and in-development that it changes every day and “can sometimes break down completely.” It’s where Google tests out new browser features.
While average Google Chrome users might not see the update for a while – or at all depending on if later incarnations take its place – the move fits into the Chrome security team’s proposal earlier this year to mark HTTP as nonsecure.
The proposal notes that users often do not notice when a warning sign is not present.
“Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security,” the proposal says, referring to the unmarked HTTP sites.
It called for feedback on different ways to transition to marking the HTTP sites differently
“We all need data communication on the web to be secure (private, authenticated, untampered),” it says. “When there is no data security, the [site] should explicitly display that, so users can make informed decisions about how to interact with an origin.”
Editor's note: This article was updated Aug. 17 to clarify that mixed content means that certain elements of the website are insecure, not just links.
