海角大神

Modern field guide to security and privacy

How Google's icon experiment could improve online security

Changing the way icons indicate safe website connections may seem small, but it could have a profound impact on users' understanding of secure online communications.


Google just took a small step toward increasing users' understanding of their online security.

On Chrome Canary, the experimental version of the Google Chrome browser, Google has ditched the lock-and-triangle icon (below), an ambiguous symbol that indicates a mixed degree of security on a site. Instead, it began marking all sites that don't have a fully secure connection the same way as sites with a nonsecure connection: a blank page icon.

A lock with a yellow warning triangle means the user's connection to the site is "dubiously" secure. The connection is encrypted, but some of the site's resources do not have an encrypted connection. BadSSL.com is a website that displays various problems with SSL implementation.

If the change is eventually adopted in the regular Chrome browser, experts say it could eliminate confusion surrounding online security and help users understand that the site is not fully secure.

Currently, the lock-and-triangle symbol is one of several icons that could come up in the URL bar depending on the user's connection to the website.

A site's URL will begin with either "HTTP" or "HTTPS." The "s" indicates a secure connection that encrypts the Web traffic between a user and a particular website. Without the "s," a user's connection to the site is not encrypted, and any information the user submits over the site, such as credit card information or passwords, could be compromised.

"Most people don't start thinking about security, they only start thinking about security when you raise the issue of security to them," said Matt Green, security researcher at Johns Hopkins University. "The lock does that, but in the absence of a lock, you're basically saying that conversation isn't happening."

To help users notice the difference, Google uses icons on its Chrome browser, the world's most popular browser, that come before the URL to indicate the security of the connection. A green padlock means the user has a secure, encrypted connection to the site. The gray lock and yellow triangle means the connection is encrypted, but there are elements on the page that are not secure, such as pictures. Google suggests not submitting private information on a page like that. And a white page icon is for sites that do not encrypt the connection between the user and the site. These sites will have "HTTP" instead of "HTTPS."

A green lock means the user has a secure connection to the website. BadSSL.com is a website that displays various problems with SSL implementation.


A white page icon means the connection between the user and the website is non-secure. There is no encryption, and the user should not submit sensitive information to the website. BadSSL.com is a website that displays various problems with SSL implementation.
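The three connection states described above can be checked mechanically. The following Python sketch is an added example, not code from Google or from the original article: it classifies a page as secure, mixed, or nonsecure from its URL and HTML. The tag list, state names, and sample page are constructed for illustration and are not Chrome's actual rules.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser load content into the page.
# Constructed subset for illustration; not Chrome's actual list.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "audio": "src", "video": "src", "link": "href"}

class SubresourceCollector(HTMLParser):
    """Collects the absolute URLs of content the page would load."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: a navigation link, not loaded content
        d = dict(attrs)
        if tag == "link" and "stylesheet" not in (d.get("rel") or "").lower().split():
            return  # only stylesheet links are counted here
        if d.get(attr):
            # Resolve relative and protocol-relative URLs against the page URL.
            self.resources.append(urljoin(self.page_url, d[attr]))

def classify(page_url, html):
    """Return (state, insecure_urls); state mirrors the three icons."""
    if urlparse(page_url).scheme != "https":
        return "nonsecure", []          # white page icon
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    insecure = [u for u in collector.resources if urlparse(u).scheme == "http"]
    # "mixed" is the lock-and-triangle case; "secure" is the green lock.
    return ("mixed" if insecure else "secure"), insecure

# Constructed sample page (hypothetical hosts under example.com).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/banner.png">
<img src="//static.example.com/logo.png">
<a href="http://other.example.org/">link elsewhere</a>
</body></html>
"""

if __name__ == "__main__":
    print(classify("https://shop.example.com/checkout", SAMPLE_HTML))
    print(classify("http://shop.example.com/checkout", SAMPLE_HTML))
```

A single picture loaded over HTTP is enough to move an otherwise encrypted page into the mixed state, while an ordinary HTTP link to another site is not.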

According to a tweet by Chris Palmer, a security engineer for Google Chrome, the move to delete the triangle is, "a recognition of how much cognitive overhead people can manage."

Chrome Canary is an experimental version of Google Chrome that Google describes as being on the "bleeding edge" of the Web, so new and in-development that it changes every day and "can sometimes break down completely." It's where Google tests out new browser features.

While average Google Chrome users might not see the update for a while, or at all depending on whether later incarnations take its place, the move fits into the proposal earlier this year to mark HTTP as nonsecure.

The proposal notes that users often do not notice when a warning sign is not present.

"Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security," the proposal says, referring to the unmarked HTTP sites.

It called for feedback on different ways to transition to marking the HTTP sites differently.

"We all need data communication on the web to be secure (private, authenticated, untampered)," it says. "When there is no data security, the [site] should explicitly display that, so users can make informed decisions about how to interact with an origin."

Editor's note: This article was updated Aug. 17 to clarify that mixed content means that certain elements of the website are insecure, not just links.
