Google Chrome is Changing its SSL Security Indicators
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Google Chrome is Changing its SSL Security Indicators

New version of Google Chrome will include changes to the visual indicators for SSL/TLS.

When you connect to a website, your web browser shows you a security indicator to tell you about the connection your computer has to that site. When a site is using SSL, all major browsers will display “https://” at the beginning of the URL in the address bar, along with a green padlock icon. These indicators tell you that your connection is private and encrypted, both features enabled by SSL/TLS.

SSL Visual Indicator
This has been the icon you see when you securely connect to a website using SSL. Google has decided it’s time for some changes.The green padlock and “https://” as indicators your connection is secure.

Lately, browsers have been tinkering with these icons as they learn more about how to build more effective security UX. In a new release of Google Chrome, we can get a peek at changes of most security indicators related to SSL.

Depending on what OS you are using, you may already be seeing these changes. For Mac OS, these changes are part of Version 52 of Chrome, which was released one week ago. Windows users will be waiting one more release, until Version 53.

For the most part, these changes are small – mainly stylistic. For sites loading over HTTP (which is not secure), the blank page icon has been replaced with an info icon. For sites with badly misconfigured HTTPS, the padlock-with-red-X has been replaced with an exclamation point inside a red triangle.

The indicator for sites with properly configured SSL is only see stylistic changes. However, for sites using an Extended Validation (EV) SSL certificate, there are bigger changes coming (read on to the next section).

Google Chrome
Previous iteration of Chrome’s SSL UI (on the left) compared to the upcoming changes in Chrome Canary (on the right). From top to bottom, the screenshots are showing the UI for a site with properly configured SSL, then a site using the unsecured HTTP protocol, and at the bottom a site with a broken SSL configuration. Image courtesy of Chrome Security Enamel Team.

On Windows, we can expect v53 to become the stable version around September of this year[1]. At that point, the general internet audience will see this new UI. If you want to see the changes for yourself today, just make sure you have updated your browser on Mac, or download Chrome Canary for Windows and head over to badssl.com, an excellent website that allows you to test a variety of SSL configurations.

Browsers Change EV SSL UI

Extended Validation (EV) SSL Certificates offer the highest level of validation and confirm the real-world legal organization operating a website. The major web browsers recognize this and have an additional UI element for EV SSL Certificates.

Until recently, this unique UI was the “green address bar” (or “green bar”). That name refers to the green rectangle that surrounded the validated organization name. Of the four major browsers – Chrome, Firefox, Edge, and Safari – only Chrome still has the green bar (see below).

In addition to the other changes to Chrome’s security UI, they will also join the rest of the browsers in replacing the green bar.

Google Chrome
How the current version of Chrome displays EV SSL Certificates.

In its place, all four browsers prominently display the organization name in green (and most also include the country where the organization is legally registered/incorporated). This change is a result of user studies and a reframing of SSL’s security benefits.

Below you can see screenshots of how EV SSL certificates are treated in the upcoming version of Chrome, and the current versions of Firefox, Edge, and Safari.

SSL Visual Indicators
Browser Treatment of EV SSL Certificates. Images of Safari and Edge by the Browser Lock Museum.

On Windows, expect to see all these changes landing in Chrome 53, which should be released around September. Chrome’s security team remains hard at work on their plan to simplify security UX and eventually flip the paradigm by actively showing HTTP as unsecure. We will be here to cover the security indicators and UX of all browsers as they progress.

[1] https://twitter.com/__apf__/status/740314282664022016