Magical properties are often attributed to the padlock icon 🔒 which marks “secure” pages. For example, you'll often hear that the icon indicates trustworthy websites that won't abuse your data and passwords. The padlock is gradually being removed and that's a Good Thing™. But why?
Using the Google Chrome browser? Already using the new version? I think you do, it was released in the first week of September, its version number is 69, and it has a distinctive feature: rounded corners. They appear in multiple places but they're most obvious in the address bar. Chrome calls it the omnibox because it's not just about the address anymore. You also type search queries into the box, and answers to some of them appear right there as well (try: weather, usd, capital of czech republic). The omnibox also works as a simple calculator.
The grass is always greener…
Some pages, like Facebook, Google, your bank and all my sites, have a padlock in the left corner of the omnibox. I guess you remember now that you have heard about the lock icon already, somebody mentioned it to you. But they were talking about a green lock and they also said that it marks a secure page.
The omnibox in Chrome 68
The omnibox in Chrome 69
It doesn't but we'll get to that. Let's talk about the colors now. The lock icon was indeed green once, and had a “Secure” label next to it. Then it was changed to gray one day. And if you're a dark mode fan like me, your icon used to be white, now light gray. If you didn't notice the lock icon until now and have ignored all the advices to check it, don't worry. Google, the company behind the Chrome browser, is trying to make the lock invisible. Most probably, it will disappear completely in one of the future versions. Chrome 93 will run an experiment that will change the lock into a more neutral icon better indicating that it can be clicked on.
Omnibox experiment in Chrome 93
Other browsers will probably follow soon after. What's the meaning of the icon anyway, why it's being removed and why is that a good thing?
Eavesdropping on the main square
Back in the day, the Internet was like a main square in your hometown. People sitting on benches, talking to each other, and whoever passed by could hear what they were chatting about. When you wanted an ice cream, you gave your payment card number to your friendly “ice cream provider” and asked them to bring you two cups. The provider got the ice cream somewhere, used your card details to pay for it, and copied the details so they could get some ice cream off your card too.
Yeah, I know, real world analogies are terrible but at least try and imagine that. Your Wi-Fi provider or ISP in general could know what you're reading, what you're sending and to whom, your passwords etc. They could also modify the information. So when this good guy Mike have sent you his account number so you could pay back what you owe him for that night out, “somebody” could swap the account number while in transit, and effectively make you send the money to someone else. That “somebody” could also add a link to a product, page, or a malware download that will make them a few bucks. There was no way to check that it was not the job of this good guy Mike. If you give it a thought, it looks a bit more like a jungle than a main square.
To add insult to the injury, the padlock icon looks almost like a shopping bag
The padlock icon means that your data is protected when travelling through the jungle. It's protected by encryption, which in general is just math. Technically speaking, it's HTTPS encrypting the pages in transit. The S stands for Secure but you may also use my alternative explanation of the abbreviation: How To Transfer Private
I hear you and the answer is no. The padlock icon cannot guarantee that the page won't abuse your data, won't sell your passwords or that your goods will be delivered in time. It doesn't mean you can trust everything on the page. Sites like this Flat Earth nonsense can also display a padlock and it means just one thing: nothing was added by your ISP or anybody else in the jungle while the page was being downloaded to your browser.
We've started attributing almost magical properties to the lock icon: like the one that the page with the icon is trustworthy. It's not, bad guys can just display an image of the lock elsewhere on the page or can even get the browser to display the real icon too. The HTTPS certificate that makes your browser show the icon is available for free.
Encrypt all the things
See, you can't explain the padlock with just a “Secure” label. Maybe, the browsers could just completely remove both the icon and the label, and rather alert users to bad things. All sites and pages should be encrypted when in transit, and we should take it as a matter of course.
Eventually, all pages using unencrypted HTTP will be marked with a red
⚠ Not secure warning (source)
The browser should rather mark those pages that don't use encryption. And indeed, it already does. Pages on insecure HTTP are marked as “Not secure”. It's not a significant warning now but that will change to a red one with an exclamation mark in the future, hopefully soon. When you land on a page marked as “Not secure”, be careful. Do not enter your payment card details, do not log in, don't download anything, and be aware that whatever you read could be added by a banana dealer in the jungle.
It's also possible that the operator of your favorite site is just behind the times and didn't enable encryption yet. In that case it's really simple: tell them to enable it. You'll help make the Internet a more secure place.
PS: Forbes Czech has promised, they'll move to HTTPS soon. (And eventually they did.)
July 22, 2021 Chrome 93 will experimentally replace the lock with a more neutral icon
I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.