Eventually Google plans to remove the padlock icon from its UI, too.
In a blog post made on Thursday, Google announced that it will be removing the “Secure” indicator from its address bar in September with the release of Chrome 69. This is a move that was desperately needed.
HTTPS usage on the web has taken off as we’ve evolved Chrome security indicators. Later this year, we’ll be taking several more steps along this path. Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).
As we have stated before, the “Secure” indicator in Google’s UI was never a good idea. Though it was well-intentioned, proposed as a way to incentivize switching to HTTPS, it has instead made phishing websites more effective by adding a “secure” label in the address bar despite the site’s nefarious nature. Phishing has never been more rampant. Now it seems that Google has gotten enough buy-in to remove the indicator, which should help deal a blow to phishers the world over.
The new UI will look like this:
If you’ll notice Google has also eliminated the protocol at the beginning of the URL. It used to start with “https://…,” that will now be omitted.
Emily Schecter, a Google Product Manager handling Chrome Security (and one of the authors of today’s Chromium blog post), recently gave a keynote that discussed some of the reasons Google has decided to drop the protocol and simplify what it displays in Chrome’s address bar. You can watch it below.
Additionally, starting in Chrome 70, which will release in October, Google will begin adding a more intense “Not Secure” indicator whenever you start entering text into an HTTP page.
It’s likely that Mozilla and the other browser vendors will follow suit in the coming months.
This new neutral UI means that Extended Validation will be only the kind of SSL certificate that receives any kind of indicator. And who knows how long that will stick around for. Many non-CA members of the CAB Forum have been discussing removal of the EV indicator for years.
As always, we’ll keep you posted as more develops.