You Can’t Trust Your Browser’s ‘Lock’ to Tell You a Website Is Safe

When you browse the internet, you probably notice a small lock icon that appears in the URL bar. It’s common internet security advice to look for this lock whenever visiting a new site, to make sure your connection is actually secure. Google, however, announced it will retire the lock, since it doesn’t think it serves the security purpose it once did. So, how will you be able to tell if a site is safe going forward? Google has a plan.

What does the browser lock really mean?

The lock has been used since the ’90s to signify when the site you’re on is using HTTPS vs. HTTP. HTTP (Hypertext Transfer Protocol) is, simply, the protocol that allows for transfer of data across the internet. It’s what allows you to visit Lifehacker.com, and, on the flip side, is what allows us to share our articles each day. HTTPS (Hypertext Transfer Protocol Secure) is essentially HTTP but encrypted: It’s the same underlying transfer protocol, but, now, the connection between your device and the site you’re visiting is protected from third parties.

Cybersecurity experts, including Google, pushed HTTPS hard, because of its superior security protections when compared to standard HTTP. Simply switching to HTTPS helps to ensure bad actors can’t hijack the connection, so you can read about lifehacks without worrying about being spied on or getting hacked by third parties. That lock icon symbolises that secure connection, and its omission should signify the connection can’t be trusted.

However, HTTPS isn’t a sanctuary from scams and hackers. It merely blocks third parties from interfering with your connection. If the other end of the connection is compromised, HTTPS won’t do a damn thing to help you. Google highlights that almost all phishing sites use HTTPS, not HTTP: You could easily click a fake website using HTTPS and get scammed, all with that comforting lock icon resting in the URL bar.

That’s the crux of the issue as Google sees it: There’s a discrepancy between what people think the lock means and what it actually symbolises. Google says too many people assume the lock means the site they’re visiting is totally safe to use, when all the lock really means is the site is using HTTPS. In fact, in a survey, 89% of participants misunderstood what the lock really means. This isn’t a Chrome problem, either: Most web browsers use a lock icon to confirm an HTTPS connection. It’s just that Google is the first to do away with it.

Anyone who clicks the lock can see there’s more to it than a simple safety indicator: Of course, the first option lets you know if the connection is secure, and whether your personal data is protected on the site. However, you can also see information about cookies and data used by the site, followed by a link to Chrome settings for that data. There’s also an option to adjust the overall settings for the site you’re visiting, which lets you change permissions for things like location, camera, microphone, etc.

Google is replacing the lock with a settings menu

Between the lack of clarity concerning what the lock actually means and the expanded settings option the lock provides, Google would rather just scrap the lock altogether. With Chrome 117, which the company plans to release in September, the lock will be no more, replaced by an icon that resembles a settings menu:

Screenshot: Google

When clicked, this icon shows a similar dropdown to the lock icon, including a secure connection message, cookies and site data settings, as well as site settings options. However, you’ll also see quick actions for permissions like location, microphone, and motion sensors, which makes it easy to quickly manage your data on any given website.

Google plans to remove the lock on Android at the same time as desktop. It also will remove the icon from iOS, but, since it isn’t tappable in the first place, not much will change for Chrome browsers on iPhone.

How to check out Google’s new security menu now

The lock will remain until September, but you can get rid of it yourself today. Google is making the settings icon available in the Chrome Canary app, where it delivers early builds of features before releasing them to the public Chrome app.
