Google will remove the “Secure” indicator in September

Eventually Google plans to remove the padlock icon from its UI, too.

In a blog post made on Thursday, Google announced that it will be removing the “Secure” indicator from its address bar in September with the release of Chrome 69. This is a move that was desperately needed.

HTTPS usage on the web has taken off as we’ve evolved Chrome security indicators. Later this year, we’ll be taking several more steps along this path. Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).

As we have stated before, the “Secure” indicator in Google’s UI was never a good idea. Though it was well-intentioned, proposed as a way to incentivize switching to HTTPS, it has instead made phishing websites more effective by adding a “secure” label in the address bar despite the site’s nefarious nature. Phishing has never been more rampant. Now it seems that Google has gotten enough buy-in to remove the indicator, which should help deal a blow to phishers the world over.

The new UI will look like this:

[Figure: Google removing Secure indicator from UI]

You’ll notice that Google has also eliminated the protocol at the beginning of the URL. It used to start with “https://…”; that will now be omitted.

Emily Schechter, a Google Product Manager handling Chrome Security (and one of the authors of today’s Chromium blog post), recently gave a keynote that discussed some of the reasons Google has decided to drop the protocol and simplify what it displays in Chrome’s address bar. You can watch it below.

Additionally, starting in Chrome 70, which will release in October, Google will begin adding a more intense “Not Secure” indicator whenever you start entering text into an HTTP page.

It’s likely that Mozilla and the other browser vendors will follow suit in the coming months.

This new neutral UI means that Extended Validation will be the only kind of SSL certificate that receives any kind of indicator. And who knows how long that will stick around. Many non-CA members of the CAB Forum have been discussing removal of the EV indicator for years.

As always, we’ll keep you posted as more develops.

12 comments
  • As god (aka google) moves forward, is it their intent to remove the company information provided with an EV cert from the browser as well? What benefit is there to have an EV cert?

  • I do believe this is for the best. As an IT Director, I am often spending time explaining the differences in protocols, or at least devoting time to my staff, to explain it to clients. I think if the ambiguity is removed, there is far less need for “explanation”; especially if you see “Unsecure” in the corner instead of just a “plain” URL. I think Google is going the right direction with removing the “Secure” tag, however I can see how this might initially raise customer service questions for the 500+ websites we currently host. Optimistically, we’ll only have to field 25% of those that currently have a site with SSL — and of that 100% of those should be a one-time call. From where I sit, this is minimal impact for what the world is achieving by going HTTPS Everywhere. I, for one, throw my hand up — Aye

  • I don’t support this idea. Especially the removal of the EV indicator. Thankfully they have not yet planned so. Otherwise, there will be no visual difference between EV and DV certificates.

    • I agree with you. I also think there should be some kind of visual difference between DV and OV certificates also, such as DV not receiving the padlock in the “Eventually” part of the figure, while OV sites receiving that gray padlock coming in Chrome 69, and EV displayed the way they are now. Most users aren’t very technical, so visual differences do matter.

  • Did Google quietly remove EV indicators in their latest releases?

    In Canary 70.0.3507.0
    https://jetfirenetworks.com/i/image/zNjg
    https://jetfirenetworks.com/i/image/zFgy

    Same thing for EV in 68.0.3440.75. I get the word “Secure” for any site with an EV cert, and a padlock only for DV/OV certs.

    This is jacked up. I’m actually willing to add browser detection to my site, instructing Chrome users to use a different browser. One who doesn’t believe they own the Internet.

    • Google is actively experimenting with removing the EV treatment in its desktop browser. It’s already been deprecated on mobile. Unfortunately, even trying to discuss EV fixes with a couple of key members at CAB Forum is a non-starter. A handful of people have just decided they don’t like EV and they are acting unilaterally to remove it. The Certificate Authorities have an initiative going to try to fix the problems, but without browser buy-in there’s not a ton of hope.

    • They deserve it for not supporting a basic network security protocol (TLS 1.2 or greater). There are options for free TLS for most hosting providers, and even for those who don’t support it, it is often possible to get a free certificate from a service like gethttpsforfree.com.

      As for EV, I do not agree with removing that, as some websites instruct users to look for their company name in green on the address bar, for instance when clicking on an external link in Steam it warns to only provide login details if “Valve Corp. [US]” is displayed in the address bar indicating a legitimate Valve website.

    • The CA community is obviously fully behind EV, but a lot of the engineers for the browsers and some of the more prominent researchers think the validation needs to be tightened up and points to some issues that could undermine the EV name badge. I think eventually it will get straightened out, but right now there is still progress that needs to be made.
