closeup of Chrome web browser with padlock icon

Removing the (confusing) padlock

Hours Hours Updated on Categories Blog

Google is at it again. Changing things in the Chrome browser. This time they’re removing the padlock. You know, that little icon that displays in the browser address bar in front of the website address (URL).

Chrome browser with focus on the padlock icon
Google Chrome browser window with the padlock icon highlighted

The one that says the website is okay to visit. Because it’s safe or secure or something. 

And there’s a big part of the problem: Turns out many people think a padlock in front of a website means something it really doesn’t.

More about that in a minute.

Why is Google changing things now?

For one thing, today a majority of websites display that padlock. The icon means that the connection from browser to server is encrypted. This is the new normal. Should happen all the time. It’s not something special and we shouldn’t display an icon for it all the time.

Because with things we see all the time, after a while it’s like we don’t even notice them. Which raises the risk that we won’t notice it or react if a website we visit doesn’t display a padlock.

A long time ago, there was nothing before the website address in most cases. So those few websites that did use a secure connection with HTTPS and security certificate got the little padlock. And stood out from the crowd. 

Today browsers display a padlock when the connection is secure. But they will also prominently display ‘NOT SECURE’ for a site that doesn’t encrypt the traffic. Not an icon. The words ‘NOT SECURE’ written out. A really hard-to-miss thing. 

Find more about what it means when a website shows up as ’NOT SECURE’ and why a secure HTTPS connection is important, in The one with “Not Secure” and Is Google marking your website “Not Secure”?

Because you should notice it when you visit a website on a non-secure connection. See a ‘NOT SECURE’ and at least think twice about visiting that website. If you do, definitely don’t enter any personal data there.

Safe does not equal secure, nor does secure equal safe

According to Google, another reason for removing that padlock is that to many people a padlock means ‘safe’. As in that the website itself is ‘safe’.

Safe

‘Safe’ relating to websites has to do with the content on the site. Is it safe for kids? Will something disturbing or inappropriate greet me? Or a scammer? ‘Safe’ could also refer to whether my information is safe when I provide it to that website. Or whether my computer might be infected with a virus if I visit a particular website.

The padlock has nothing to do with any of those items. Because it doesn’t in any way evaluate the website itself.

Secure

‘Secure’ in this case has to do with if the information in either direction comes through without any interference or change. And nobody listens in to steal information. We’re also talking specifically about the connection from your browser to the website server. 

The physical distance from browser to server if often great and the data passes through many hands on the way. On that journey, is it protected from prying eyes and grubby hands?

A secure connection is like writing an important message on paper and then putting it into an envelope (one of those that you can’t look right through when holding it up against the light). Then of course carefully sealing that envelope before dropping it in the mailbox.

Having done all this, you rest assured that the recipient (and only the recipient) will get the information. Because the many people handling the envelope on the way from you to the recipient only see the outside of that envelope.

In the online world, this describes a website that displays a padlock: All traffic from your browser to the server is encrypted and any prying eyes only see bits of nonsense.

On the other hand, if you write the same information on a postcard and drop it in the mail, what you wrote is open for everyone who handles that piece of mail to see and read. Certainly not protected or hidden.

The online equivalent is a NOT SECURE connection (no padlock, unencrypted). Which means anywhere along the way from your browser to the server, someone can capture the info being sent. Or even redirect the traffic, now sending your data to an entirely different website.

That’s bad. We definitely don’t want that.

Which is why seeing that padlock and knowing it’s a secure connection is a good thing.

Keep in mind that a website could display a padlock and still give you malware or be dangerous for children (and adults). Conversely a site that says NOT SECURE could be the loveliest site in the world. Safe and secure are just not the same. 

Padlock doesn’t mean safe in this case. But if understood that way by website visitors, it creates a false feeling of safety.

That’s a good reason to remove the padlock icon.

It’s all about the connection

We’ve established that the padlock in the web browser address bar really says nothing about how safe or not safe the website itself is. It only indicates that the connection browser to server is encrypted. 

In the new normal (that we’re now in), all sites should use secure connections all the time. There’s simply no reason not to. The necessary basic secure sockets layer (SSL) certificate is free from most hosts.

If a website doesn’t use a secure connection it’s flagged as NOT SECURE. The website owner needs to fix that situation by switching to using an encrypted connection.

I can see a future where browsers won’t load a website at all if it isn’t using an encrypted connection.

We already see that happen in cases where there’s something wrong with the security certificate. Then, instead of the expected web page, I’ll likely just get a big warning message that the site can’t be loaded.

That’s all good, because it prevents those man-in-the-middle attacks that would steal your information. 

Ultimately it’s also a good thing that the padlocks are going away. A secure connection between browser and server should be the norm. When that doesn’t happen, a big warning is in place. And eventually browsers not loading such pages at all.

So far this is all Google Chrome. Will other browser makers (Safari, Firefox, Edge, to name a few) follow? I truly hope so. Because this has been a confusing thing for years.

Here are 2 more perspectives on the upcoming Google Chrome padlock removal:

Browser window with Google's new icon

Google to Replace the Padlock Icon in Chrome Version 117

Farewell, lock symbol: Google Chrome will retire the padlock icon as the next step in making HTTPS the default for all websites.

Google is changing Chrome’s lock icon because nobody knows what it means

A new tune icon will replace it later this year to avoid misleading users about how ‘trustworthy’ websites are while browsing

Google Chrome lock icon

Never miss out!

Get an email update every time I publish new content. Be the first to know!

Yes, sign me up!