October 15, 2018 HTTPS, padlock, encryption, Forbes, Chrome

Magical properties are often attributed to the padlock icon 🔒 which marks “secure” pages. For example, you'll often hear that the icon indicates trustworthy websites that won't abuse your data and passwords. The padlock is gradually being removed and that's a Good Thing™. But why?

Using the Google Chrome browser? Already on the new version? I think you are: it was released in the first week of September 2018, its version number is 69, and it has one distinctive feature, rounded corners. They appear in multiple places, but they're most obvious in the address bar. Chrome calls it the omnibox because it's not just about the address anymore: you also type search queries into the box, and answers to some of them appear right there (try: weather, usd, capital of czech republic). The omnibox also works as a simple calculator.

The grass is always greener…

Some pages, like Facebook, Google, your bank and all my sites, have a padlock in the left corner of the omnibox. I guess you remember now that you have heard about the lock icon already; somebody mentioned it to you. But they were talking about a green lock, and they also said that it marks a secure page.

The omnibox in Chrome 68

The omnibox in Chrome 69

It doesn't, but we'll get to that. Let's talk about the colors first. The lock icon was indeed green once, with a “Secure” label next to it. Starting with the new version of Chrome it's gray, and the label is gone. If you haven't noticed the lock icon until now and have ignored all the advice to check it, don't worry. Google, the company behind the Chrome browser, is deliberately making the lock less and less visible, and it will disappear completely in one of the future versions. The date is not known yet, but it could be as soon as next year, and other browsers will probably follow soon after. So what does the icon actually mean, why is it being removed, and why is that a good thing?

Eavesdropping on the main square

Back in the day, the Internet was like a main square in your hometown. People sitting on benches, talking to each other, and whoever passed by could hear what they were chatting about. When you wanted an ice cream, you gave your payment card number to your friendly “ice cream provider” and asked them to bring you two cups. The provider got the ice cream somewhere, used your card details to pay for it, and copied the details so they could get some ice cream off your card too.

Yeah, I know, real-world analogies are terrible, but at least try to imagine that. Your Wi-Fi provider, or your ISP in general, could see what you're reading, what you're sending and to whom, your passwords and so on. They could also modify the information. So when this good guy Mike sent you his account number so you could pay back what you owe him for that night out, “somebody” could swap the account number while in transit and effectively make you send the money to someone else. That “somebody” could also add a link to a product, a page or a malware download that would make them a few bucks. There was no way to check that what arrived was really what Mike had sent. If you give it a thought, it looks a bit more like a jungle than a main square.

The similarity between a bag and a padlock icon is clearly visible at www.apple.com

To add insult to injury, the padlock icon looks almost like a shopping bag

The padlock icon means that your data is protected while travelling through the jungle. It's protected by encryption, which in general is just math. Technically speaking, it's HTTPS: the pages are encrypted in transit, and the browser can tell if anything was changed on the way. The S stands for Secure, but you may also use my alternative reading of the abbreviation: How To Transfer Private Stuff.

I can hear the question already, and the answer is no. The padlock icon cannot guarantee that the page won't abuse your data, won't sell your passwords, or that your goods will be delivered on time. It doesn't mean you can trust everything on the page. Sites like this Flat Earth nonsense can also display a padlock, and it means just one thing: nobody in the jungle, your ISP included, could read the page or add anything to it while it was being downloaded to your browser.

We've started attributing almost magical properties to the lock icon, like the one that a page with the icon is trustworthy. It's not: bad guys can simply display an image of the lock somewhere on the page, or even get the browser to show the real icon. The HTTPS certificate that makes your browser show the icon only proves that you're talking to the site whose address is in the omnibox, and it's available to anyone for free.

Encrypt all the things

See, the padlock can't be explained with a single word like “Secure”. Maybe browsers should just remove both the icon and the label and instead alert users to the bad things. All sites and pages should be encrypted in transit, and we should take that as a matter of course.

Eventual treatment of all HTTP pages in Chrome: ⚠ Not secure | example.com

Eventually, all pages using unencrypted HTTP will be marked with a red ⚠ Not secure warning (source)

The browser should rather mark the pages that don't use encryption, and indeed it already does: pages on insecure HTTP are labeled “Not secure”. The label is quite discreet for now, but it will change to a red one with an exclamation mark in the future, hopefully soon. When you land on a page marked as “Not secure”, be careful. Do not enter your payment card details, do not log in, don't download anything, and be aware that whatever you read could have been added by a banana dealer in the jungle.

It's also possible that the operator of your favorite site is just behind the times and hasn't enabled encryption yet. In that case it's really simple: tell them to enable it. You'll help make the Internet a more secure place.

This was originally written for a Czech print edition of Forbes NEXT, but was eventually distributed as a newsletter and later published on the site too.

PS: Forbes Czech has promised, they'll move to HTTPS soon. (And eventually they did.)

Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.

Public trainings

Come to my public trainings, everybody's welcome:

PHP application security
(December 11–12, 2018 Praha)

HTTPS for developers and admins
(December 13, 2018 Praha)