New version of Google Chrome will include changes to the visual indicators for SSL/TLS.
When you connect to a website, your web browser shows you a security indicator to tell you about the connection your computer has to that site. When a site is using SSL, all major browsers will display “https://” at the beginning of the URL in the address bar, along with a green padlock icon. These indicators tell you that your connection is private and encrypted, both features enabled by SSL/TLS.
Lately, browsers have been tinkering with these icons as they learn more about how to build more effective security UX. In a new release of Google Chrome, we can get a peek at changes of most security indicators related to SSL.
Depending on what OS you are using, you may already be seeing these changes. For Mac OS, these changes are part of Version 52 of Chrome, which was released one week ago. Windows users will be waiting one more release, until Version 53.
For the most part, these changes are small – mainly stylistic. For sites loading over HTTP (which is not secure), the blank page icon has been replaced with an info icon. For sites with badly misconfigured HTTPS, the padlock-with-red-X has been replaced with an exclamation point inside a red triangle.
The indicator for sites with properly configured SSL is only see stylistic changes. However, for sites using an Extended Validation (EV) SSL certificate, there are bigger changes coming (read on to the next section).
On Windows, we can expect v53 to become the stable version around September of this year. At that point, the general internet audience will see this new UI. If you want to see the changes for yourself today, just make sure you have updated your browser on Mac, or download Chrome Canary for Windows and head over to badssl.com, an excellent website that allows you to test a variety of SSL configurations.
Browsers Change EV SSL UI
Extended Validation (EV) SSL Certificates offer the highest level of validation and confirm the real-world legal organization operating a website. The major web browsers recognize this and have an additional UI element for EV SSL Certificates.
Until recently, this unique UI was the “green address bar” (or “green bar”). That name refers to the green rectangle that surrounded the validated organization name. Of the four major browsers – Chrome, Firefox, Edge, and Safari – only Chrome still has the green bar (see below).
In addition to the other changes to Chrome’s security UI, they will also join the rest of the browsers in replacing the green bar.
In its place, all four browsers prominently display the organization name in green (and most also include the country where the organization is legally registered/incorporated). This change is a result of user studies and a reframing of SSL’s security benefits.
Below you can see screenshots of how EV SSL certificates are treated in the upcoming version of Chrome, and the current versions of Firefox, Edge, and Safari.
On Windows, expect to see all these changes landing in Chrome 53, which should be released around September. Chrome’s security team remains hard at work on their plan to simplify security UX and eventually flip the paradigm by actively showing HTTP as unsecure. We will be here to cover the security indicators and UX of all browsers as they progress.