Dear Lifehacker, Google Chrome’s security padlock is freaking me out. When I’m on sites that should be secure—like, say, Gmail—Chrome is giving me warnings that the page isn’t secure. What’s going on here? Signed, Sensitive to Security
We’ve heard this question a lot, and while Chrome’s help page covers its web site security indicators in some detail, I talked to Ian Fette, Senior Product Manager on the Google Chrome team, to get a clearer picture of why this is happening—specifically in Gmail accounts—and why, most of the time, it’s not something you need to be too concerned about. Here’s what I learned.
Understanding Chrome’s Security Indicators
Chrome’s address bar displays one of several icons next to the URL of the sites you’re visiting, and these icons indicate whether you’re browsing on a secure site or not.
The Extended Validation (EV) indicator is the most helpful thing Chrome does to help you know a web site is who it says it is, but not all sites have it; in fact, most don’t, apart from sites dealing with money or security (like banks or, say, the web site for the password management tool LastPass). When a site doesn’t provide an EV certificate, you’ll see either the lock (which means you’re still connected to the site over an HTTPS connection) or the globe (which means you’re browsing over an unencrypted HTTP connection).
What About When The Padlock Displays Warnings?
Things can go wrong: on some secure sites, images or other embedded page elements are served over HTTP instead of HTTPS. If you were browsing your bank account on a public hotspot, for example, and the bank’s logo was being served over plain HTTP while the actual account information on the page was coming over HTTPS, someone on the same network could see the logo of your bank, but not any of the private information being served to you over HTTPS. When a site serves mixed content like this, you’ll see either the padlock with the yellow warning sign or the padlock with the red x. Here’s the difference:
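To make the mixed-content idea concrete, here is a small checker, written for this article as an added example (it is not Chrome’s code and not from the Chrome team), that scans a page’s HTML for subresources an HTTPS page would fetch over plain HTTP. It splits them the way browsers do: “passive” content such as images and media, which an attacker on the network can only observe or swap, versus “active” content such as scripts, frames and stylesheets, which can change what the page does. The sample page, host names and URLs are constructed for the example; the checker only looks at markup, so content injected later by extensions or scripts would not show up here.

```python
"""Mixed-content checker: list subresources an HTTPS page would load over plain HTTP.

Added example for this article; the sample page and host names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute that names the resource, how browsers rate it).
# "passive" content (images, media) can be watched or replaced on the network;
# "active" content (scripts, frames, stylesheets) can rewrite the page itself.
SUBRESOURCE_ATTRS = {
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "link": ("href", None),  # decided by rel: stylesheet is active, icons etc. passive
}


class MixedContentParser(HTMLParser):
    """Collects (kind, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        spec = SUBRESOURCE_ATTRS.get(tag)
        if spec is None:
            return  # <a href="http://..."> is a navigation, not a subresource
        attr, kind = spec
        attrs = dict(attrs)
        ref = attrs.get(attr)
        if not ref:
            return
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            kind = "active" if "stylesheet" in rel else "passive"
        # urljoin resolves relative paths and protocol-relative "//host/..." refs
        # against the page URL, so only explicit http:// references survive the check.
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def find_mixed_content(html, page_url):
    """Return http:// subresources of an HTTPS page; an HTTP page cannot have mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


def classify(findings):
    """'secure', 'passive' (only images/media affected) or 'active' (scripts etc. affected)."""
    if not findings:
        return "secure"
    if any(kind == "active" for kind, _, _ in findings):
        return "active"
    return "passive"


# Constructed sample page: one insecure script, one insecure logo, and several
# references that are fine (https, protocol-relative, path-relative, a plain link).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://bank.example.com/site.css">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
<img src="//static.example.com/hero.png">
<img src="/img/local.png">
<a href="http://example.org/terms">Terms</a>
</body></html>"""

if __name__ == "__main__":
    findings = find_mixed_content(SAMPLE_PAGE, "https://bank.example.com/account")
    for kind, tag, url in findings:
        print(f"{kind:7} <{tag}> {url}")
    print("verdict:", classify(findings))
```

Run against the sample, the checker reports the script as active and the logo as passive, and the verdict is “active”; the protocol-relative and path-relative images resolve to https and are not flagged. The same split is what makes a server-side fix straightforward: serving every embedded element from https (or protocol-relative) URLs clears both classes of warning.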
So Why Am I Seeing Anything But The Green Padlock In Gmail?
Because Gmail doesn’t reload the page when you switch between emails and inboxes, the padlock will remain in mixed-content mode until you reload Gmail entirely.
According to Ian, other possible offenders (i.e., reasons your padlock may not be green) include Gmail Labs features and various browser extensions. The Gmail team aims to make sure that Labs features are 100% HTTPS, but they’re not always launched without mixed content. (They are experimental features, after all.) Regarding extensions, well—those are in your hands, and the Chrome team can’t control whether or not they’re introducing mixed content into your sites.
If you’re simply using vanilla Gmail (that is, with no extensions installed or Labs features enabled), you definitely shouldn’t see a red x padlock in Gmail. If you do—well, I’m not sure what might be the cause. (Ian’s from the Chrome team—if anyone out there from the Gmail team has a suggestion for why it might be happening, we’re all ears!)
Hope that helps!